Map the Permissions to the Roles Specified in the OIDC Identity Provider
In the configuration of the seal-rest service, you map the permissions for printers and jobs to the roles specified in the OIDC identity provider. Which permissions are available depends on the OIDC client. The following OIDC clients are available in connection with PLOSSYS 5:
- seal-plossysadmin for PLOSSYS Administrator
- seal-plossyscli for PLOSSYS CLI
- seal-easyprima for easyPRIMA
- seal-mobile_print for PLOSSYS DocPrint
In the OIDC identity provider, roles are configured to which the users are assigned. For example, in the preconfigured Keycloak from SEAL Systems, admin, readonly and custom are available as roles and are used in the examples below.
The mapping of the permissions to the roles is specified as a JSON object with the following key:
ALLOWED_OIDC_CLIENTS: Mapping of permissions to roles specified in the OIDC identity provider
Available Keys and Values
{
  "<oidc-client>": {
    "roles": {
      "<role-specified-in-oidc>": {
        "areas": {
          "jobs": {
            "set-<name>": {
              "views": [<job-view>],
              "permissions": [<job-permissions>]
            }
          },
          "printers": {
            "set-<name>": {
              "views": [<printer-view>],
              "permissions": [<printer-permissions>]
            }
          }
        }
      }
    }
  }
}
<oidc-client>
On the top level of the JSON object, you specify the OIDC client. For the available values, refer to the list above.
<role-specified-in-oidc>
Within roles, you specify the names of the roles defined in the OIDC identity provider. For example, in the preconfigured Keycloak from SEAL Systems, admin, readonly and custom are available as roles.
areas
Within a role, jobs and printers are available as areas. For the seal-plossysadmin client, the dashboard area is available in addition.
set-<name>
Within a jobs or printers area, a view of the items (printers or jobs) and the corresponding permissions are combined into a set. The name of the set has to start with set-. The rest of the set name is arbitrary.
views
Within views, you specify the selection of items (jobs or printers) to which the permissions specified with permissions apply. ["ALL"] stands for all items, [] stands for none of them.
By combining the struct, value and operator keys, you specify which items belong to the selection.
With struct, you specify the property of the item which is checked against the value using the operator. As property, you can use all properties of the database object representing the printer or the job. A printer property is, for example, config.printer, config.server or current.printerName. A job property is, for example, orig.userName, current.userName or status.
Hint - database object examples
For examples of database objects for a job and a printer, refer to Example of a Job's Database Object and Example of a Printer's Database Object.
The following values are available for operator:
- "eq" for an exact match between value and struct.
  Example - exact matching for all jobs belonging to the user who is logged on to PLOSSYS Administrator
  "views": [ { "struct": "current.userName", "value": "%CURRENT_USER%", "operator": "eq" } ]
- "wildcard" for a wildcard match between value and struct. For this, value may contain *.
  Example - wildcard matching for all printers whose names start with roe
  "views": [ { "struct": "config.printer", "value": "roe*", "operator": "wildcard" } ]
permissions
Within permissions, you specify the permissions which apply to the selection of items specified with views. Multiple permissions are separated by commas, ["<permission-1>","<permission-2>",...,"<permission-n>"]. ["ALL"] stands for all permissions, [] stands for none of them.
The following specific permissions are available for printers (<printer-permissions>):
- "add" for adding printers
- "createTestJob" for creating test jobs for the printers
- "delete" for deleting printers
- "deleteMessage" for deleting notes at the printers
- "message" for writing notes at the printers
- "pause" for pausing printers
- "redirect" for redirecting printers
- "resume" for resuming paused printers
- "update" for updating the printer configuration. The update permission is needed for easyPRIMA for changing the printer configuration but is irrelevant for PLOSSYS Administrator.
- "checkPhysical" for receiving the device status of an IPP printer
- "logs" for viewing the logs of a printer
The following specific permissions are available for jobs (<job-permissions>):
- "cancel" for canceling jobs
- "delete" for deleting jobs
- "move" for moving the jobs to other printers
- "pause" for pausing the jobs
- "repeat" for repeating jobs
- "resume" for resuming paused jobs
- "tempfiles" for including the temporary files when collecting the job data
- "collect" for collecting job files
- "logs" for viewing the logs of a job
Mapping Examples
Here, you find some commonly used examples for the permission mapping.
Example - admin role with full access in PLOSSYS Administrator and all permissions for importing printers from easyPRIMA to PLOSSYS 5
{
  "seal-plossysadmin": {
    "roles": {
      "admin": {
        "areas": {
          "dashboard": {},
          "jobs": {
            "set-a": {
              "views": ["ALL"],
              "permissions": ["ALL"]
            }
          },
          "printers": {
            "set-a": {
              "views": ["ALL"],
              "permissions": ["ALL"]
            }
          }
        }
      }
    }
  },
  "seal-easyprima": {
    "roles": {
      "admin": {
        "areas": {
          "printers": {
            "set-a": {
              "views": ["ALL"],
              "permissions": ["ALL"]
            }
          }
        }
      }
    }
  }
}
Example - readonly role which may view all jobs but is not allowed to manage them
{
  "seal-plossysadmin": {
    "roles": {
      "readonly": {
        "areas": {
          "jobs": {
            "set-view-all": {
              "permissions": [],
              "views": ["ALL"]
            }
          }
        }
      }
    }
  }
}
Example - subbadruggarolle role which may only view and manage printers whose names start with roe
{
  "seal-plossysadmin": {
    "roles": {
      "subbadruggarolle": {
        "areas": {
          "dashboard": {},
          "jobs": {},
          "printers": {
            "set-roe-printers": {
              "views": [
                {
                  "struct": "config.printer",
                  "value": "roe*",
                  "operator": "wildcard"
                }
              ],
              "permissions": [ "ALL" ]
            }
          }
        }
      }
    }
  }
}
Example - blosmeiglumbrolle role which may only view and manage own jobs but does not see any printer
{
  "seal-plossysadmin": {
    "roles": {
      "blosmeiglumbrolle": {
        "areas": {
          "dashboard": {},
          "jobs": {
            "set-own-jobs": {
              "views": [
                {
                  "struct": "current.userName",
                  "value": "%CURRENT_USER%",
                  "operator": "eq"
                }
              ],
              "permissions": [ "ALL" ]
            }
          },
          "printers": {}
        }
      }
    }
  }
}
Example - ownjobsprinters role which may view and manage particular printers and jobs on these printers
{
  "seal-plossysadmin": {
    "roles": {
      "ownjobsprinters": {
        "areas": {
          "dashboard": {},
          "jobs": {
            "set-jobs-on-my-printers": {
              "views": [
                {
                  "struct": "current.printerName",
                  "value": "%ALLOWED_PRINTER_NAMES%",
                  "operator": "eq"
                }
              ],
              "permissions": [ "ALL" ]
            }
          },
          "printers": {
            "set-my-printers": {
              "views": [
                {
                  "struct": "config.location",
                  "value": "Timbuktu",
                  "operator": "eq"
                }
              ],
              "permissions": ["ALL"]
            }
          }
        }
      }
    }
  }
}
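To check before rollout what a mapping actually grants, the following added example (not SEAL Systems code) resolves the effective permissions of a role on one job or printer database object the way the views, operator and permissions keys above describe it. The evaluation details (views within a set ORed, sets unioned, only * treated as wildcard, placeholders such as %CURRENT_USER% substituted before comparison) and the sample mapping are assumptions made for this example.

```python
"""Added example, not SEAL Systems code: resolve which permissions an ALLOWED_OIDC_CLIENTS
mapping grants a role on one job or printer. Assumed: views in a set are ORed, sets are
unioned, '*' in a wildcard value matches any characters, placeholders are substituted first."""
import json
import re

# Constructed sample mapping in the documented format (not taken from a live system).
MAPPING = json.loads("""{
  "seal-plossysadmin": {"roles": {"demo-role": {"areas": {
    "dashboard": {},
    "jobs": {"set-own-jobs": {
      "views": [{"struct": "current.userName", "value": "%CURRENT_USER%", "operator": "eq"}],
      "permissions": ["cancel", "pause", "resume"]}},
    "printers": {"set-roe-printers": {
      "views": [{"struct": "config.printer", "value": "roe*", "operator": "wildcard"}],
      "permissions": ["ALL"]}}}}}}}""")


def lookup(item, path):
    """Follow a dotted struct path such as 'current.userName' into a database object."""
    for key in path.split("."):
        if not isinstance(item, dict) or key not in item:
            return None
        item = item[key]
    return item


def view_matches(view, item, placeholders):
    """True if one views entry selects the item: "ALL", or a struct/value/operator object."""
    if view == "ALL":
        return True
    actual = lookup(item, view["struct"])
    expected = placeholders.get(view["value"], view["value"])
    if view["operator"] == "eq":
        return actual == expected
    if view["operator"] == "wildcard":
        # Only '*' is a wildcard; every other character of the value is matched literally.
        pattern = re.escape(expected).replace(r"\*", ".*")
        return isinstance(actual, str) and re.fullmatch(pattern, actual) is not None
    raise ValueError(f"unknown operator {view['operator']!r}")


def effective_permissions(mapping, client, role, area, item, placeholders):
    """Union of the permissions of every set whose views select the item; [] if none does."""
    sets = mapping.get(client, {}).get("roles", {}).get(role, {}).get("areas", {}).get(area, {})
    granted = set()
    for name, rule in sets.items():
        if not name.startswith("set-"):
            raise ValueError(f"set name must start with 'set-': {name!r}")
        if any(view_matches(v, item, placeholders) for v in rule.get("views", [])):
            granted.update(rule.get("permissions", []))
    return sorted(granted)
```

An empty views list or an empty area (such as "printers": {}) resolves to no permissions at all, which is how the readonly and blosmeiglumbrolle examples above deny management of items the role must not touch.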
Hint - complex JSON object
Because the value of ALLOWED_OIDC_CLIENTS is a complex JSON object, it is reasonable to read it from a file via PLOSSYS CLI. The value of ALLOWED_OIDC_CLIENTS is then also checked for JSON conformity. You can also generate a template for the JSON object via PLOSSYS CLI.