Understanding the basics

Securing a printer using MVP involves combining one or more components—Authentication, Authorization, and Groups—to define who is allowed to use the printer, and which functions those users are allowed to access.

Before configuring printer security, it can be helpful to create a plan that identifies who the users will be and what they will need to do. Items to consider might include the location of the printer and whether non-authorized persons have access to that area, sensitive documents that will be sent to or stored on the printer, and the information security policies of your organization.

Authentication and Authorization

Authentication is the method by which a system securely identifies a user (that is, who you are).

Authorization specifies which functions are available to a user who has been authenticated by the system. This set of authorized functions is also referred to as “permissions.”

MVP handles authentication and authorization using one or more of the following, also referred to as Building Blocks: Internal Accounts, Kerberos 5, LDAP, LDAP + GSSAPI, NTLM, Password, and PIN.

Some Building Blocks, such as Password or PIN, can be used alone to provide low-level security, by simply limiting access to a printer—or specific functions of a printer—to anyone who knows the correct code. This type of security might be appropriate in a situation in which a printer is located in the lobby or other public area of a business, so that only employees who know the password or PIN are able to use the printer. Because anyone who enters the correct password or PIN receives the same privileges and users cannot be individually identified, passwords and PINs are considered less secure than other building blocks that require a user to be identified, or both identified and authorized.

Groups

Administrators can designate up to 32 groups to be used in association with either the Internal accounts or LDAP/LDAP+GSSAPI building blocks. For the purposes of MVP security, groups are used to identify sets of users needing access to similar functions. For example, in Company A, employees in the warehouse do not need to print in color, but those in sales and marketing use color every day. In this scenario, it makes sense to create a “Warehouse” group, and a “Sales and Marketing” group.

Access Controls

By default, all device menus, settings, and functions come with no security enabled. Access Controls (also referred to in some devices as “Function Access Controls”) are used to manage access to specific menus and functions or to disable them entirely. Access controls can be set using a password, PIN, or security template. The number of functions that can be controlled varies depending on the type of device, but in some multifunction printers, over 40 individual menus and functions can be protected.

Note: For a list of individual Access Controls and what they do, see Menu of Access Controls.

Security Templates

Some scenarios call for only basic security such as PIN-protected access to common device functions, while others require tighter security and role-based restrictions. Individually, building blocks, groups, and access controls may not meet the needs of a complex security environment. In order to accommodate users in different groups needing access to a common set of functions such as printing, copying, and faxing, administrators must be able to combine these components in ways that give all users the functions they need, while restricting other functions to only authorized users.

A Security Template is a profile constructed using a building block, or certain building blocks paired with one or more groups. How they are combined determines the type of security created:

Building block                  Type of security
Internal Accounts               Authentication only
Internal Accounts with Groups   Authentication and authorization
Kerberos 5                      Authentication only
LDAP                            Authentication only
LDAP with Groups                Authentication and authorization
LDAP + GSSAPI                   Authentication only
LDAP + GSSAPI with Groups       Authentication and authorization
NTLM                            Authentication only
Password                        Authorization only
PIN                             Authorization only


Each device can support up to 140 security templates, allowing administrators to create very specific profiles—or roles—for each access control.
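
The following added example (not part of MVP or any device interface) shows one way to check a planned configuration against the rules on this page before entering it on a device: the building block table, the 32-group and 140-template limits, and the no-security default for access controls. The plan layout, the function names, and the sample group, template, and access control names are assumptions made for illustration.

```python
# Added example: the plan layout and names below are constructed; this is not an MVP or device API.
MAX_GROUPS, MAX_TEMPLATES = 32, 140            # limits stated on this page
GROUP_CAPABLE = {"Internal Accounts", "LDAP", "LDAP + GSSAPI"}
IDENTIFYING = GROUP_CAPABLE | {"Kerberos 5", "NTLM"}
SHARED_SECRET = {"Password", "PIN"}            # users are not individually identified

def security_type(block, groups=()):
    """Type of security a template provides, following the table on this page."""
    if block not in IDENTIFYING | SHARED_SECRET:
        raise ValueError(f"unknown building block {block!r}")
    if groups and block not in GROUP_CAPABLE:
        raise ValueError(f"{block} cannot be paired with groups")
    if block in SHARED_SECRET:
        return "Authorization only"
    return "Authentication and authorization" if groups else "Authentication only"

def audit_plan(groups, templates, access_controls):
    """Return findings for a planned configuration (empty list means none)."""
    findings, kinds = [], {}
    if len(groups) > MAX_GROUPS:
        findings.append(f"{len(groups)} groups exceed the limit of {MAX_GROUPS}")
    if len(templates) > MAX_TEMPLATES:
        findings.append(f"{len(templates)} templates exceed the limit of {MAX_TEMPLATES}")
    for name, (block, used) in templates.items():
        missing = [g for g in used if g not in groups]
        if missing:
            findings.append(f"template {name!r}: undefined groups {missing}")
        try:
            kinds[name] = security_type(block, used)
        except ValueError as err:
            findings.append(f"template {name!r}: {err}")
    for control, protection in access_controls.items():
        if protection is None:
            findings.append(f"{control}: no security (device default)")
        elif protection in SHARED_SECRET or kinds.get(protection) == "Authorization only":
            findings.append(f"{control}: shared code, users not individually identified")
        elif protection not in kinds:
            findings.append(f"{control}: template {protection!r} is missing or invalid")
    return findings

# Constructed sample plan: group, template and access control names are illustrative.
GROUPS = ["Warehouse", "Sales and Marketing"]
TEMPLATES = {"Staff": ("LDAP", ["Warehouse", "Sales and Marketing"]),
             "Color users": ("Internal Accounts", ["Sales and Marketing"]),
             "Lobby": ("PIN", []),
             "Bad": ("NTLM", ["Warehouse"])}
CONTROLS = {"Copy": "Staff", "Color printing": "Color users",
            "Fax": "Lobby", "Settings menu": None, "Scan": "Bad"}

if __name__ == "__main__":
    for finding in audit_plan(GROUPS, TEMPLATES, CONTROLS):
        print(finding)
```

Run against the sample plan, the audit reports the NTLM template that was paired with a group, the fax function protected only by a shared PIN, the settings menu left at the no-security default, and the scan function that points at the rejected template.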