
HP CM8060/CM8050 Color MFP with Edgeline Technology - Control access to the device

You can use the embedded Web server to control which device features require users to sign in before being able to access those features. You can also create permission sets that grant varying levels of access to individual users or groups of users.
  1. Open the embedded Web server. See Open the embedded Web server.
  2. Select the Settings tab.
  3. Select Device Sign In from the menu on the left side of the screen.

Access-control level for device features

On the Device Access tab, specify the level of control you want.
Access-control levels
  • Maximum Access Control: All users must sign in before using any features on the device control panel. Users have access only to the features that are allowed by their permission sets.
    If you select this option, you must configure and assign permission sets. See Permission sets.
  • Minimum Access Control: Users do not need to sign in before using any features on the device control panel.
    If you select this option, you do not need to configure and assign permission sets.
  • Custom Access Control: Users must sign in only for the device features that you specify.
      1. Select Custom Access Control, and then click Define Custom.
      2. Select the features that you want to restrict.
      3. Select the default method for signing in for each feature. This step is optional.
        note:
        Use the default settings and change them only if you need to.
      4. Click OK to save the settings.
    If you select this option, you must configure and assign permission sets. See Permission sets.

Permission sets

If you selected either Maximum Access Control or Custom Access Control for the access-control level, you must configure permission sets. You can also create new permission sets to meet access-control needs. You can assign permission sets to user accounts that are stored on the device or to network users and groups.
The device has the following preconfigured permission sets:
  • Device User: This permission set is editable, and it can be assigned to individual users and groups. The default settings for this permission set are the same as the Device Administrator permission set, but you can change them as needed.
  • Device Administrator: This permission set is for system administrators. It is not editable, but you can assign it to users and groups in addition to yourself.
    note:
    This permission set provides access to features at the device control panel that are reserved for administrators, but it does not provide access to the administrator functions in the embedded Web server or the Service function on the device control panel.
The following table summarizes the device functions that are available for access-control by configuring permission sets.
Permission-set options
  • Administrator application
    Sub-options: Device Behavior menu; Information menu; Initial Setup menu; Management menu; Default Job Options menu; Resets menu; Time/Scheduling menu; Troubleshooting menu
    Permits access to the Administration menu on the device control panel.
    Clear the check boxes next to any of the sub-menus that you do not want members of this permission set to use.
  • Copy application
    Sub-options: Make a Color Copy; Make a Copy with Professional Color Quality
    Permits access to the Copy feature on the device control panel.
    Clear the check box next to Make a Color Copy to restrict all color copying.
    If you select the check box next to Make a Color Copy but clear the check box next to Make a Copy with Professional Color Quality, members of this permission set can make only General Office color-quality copies.
  • Fax application
    Sub-options: Ability to edit a Speed Dial
    Permits access to the Fax feature on the device control panel.
    note:
    This section appears only if an analog fax accessory is installed in the device.
    Clear the check box next to Ability to edit a Speed Dial to restrict members of this permission set from changing any speed-dial information.
  • Job Status
    Sub-options: Details or Cancel any users job; Ability to Promote any users job
    Permits access to the Job Status feature on the device control panel.
    If you clear the check box next to Details or Cancel any users job, members of this permission set cannot see the details for any jobs that are in the queue, and they cannot cancel any jobs other than their own.
    If you clear the check box next to Ability to Promote any users job, members of this permission set cannot promote any jobs in the queue.
  • Job Storage application
    Permits access to the Job Storage feature on the device control panel.
    If you clear this check box, members of this permission set cannot store or retrieve jobs at the device control panel.
  • E-mail application
    Permits access to the E-mail digital send feature on the device control panel.
  • Network Folder application
    Permits access to the Network Folder feature on the device control panel.
    If you clear this check box, members of this permission set cannot use the feature.
  • Service Assist application
    Permits access to basic Service functions that are available only when working with an HP-authorized service representative.
  • Supply Status application
    Permits access to the Supplies Status feature on the device control panel.
    If you clear this check box, members of this permission set cannot view supplies status and they cannot configure the paper size or type settings for the trays.
  • Printing
    Sub-options: Print with Professional Color Quality; Print with General Office Color Quality
    Select Printing to allow members of this permission set to send print jobs from a computer.
    If you select Printing but clear the check box next to Print with Professional Color Quality, members of this permission set can print only with General Office quality color.
    If you select Printing but clear both the check boxes next to Print with Professional Color Quality and Print with General Office Color Quality, members of this permission set can print only in black & white.

Edit an existing permission set

  1. In the area for Permission Sets, select the name of the permission set that you want to edit, and click Edit.
    note:
    You cannot edit the Device Administrator permission set.
  2. If you selected Custom Access Control on the Device Access tab, you can allow access to a controlled device function by selecting the check box in each heading area.
    note:
    For the Copy and Print applications, you must select the check box in the main heading area in order to select any of the sub-items beneath it.
    For example, select Copy application to allow members of this permission set to make copies at the device.
  3. If you want to restrict some options within a feature, clear the appropriate check boxes under the main heading.
    For example, if you want to allow members of this permission set to make black & white copies but not color copies, clear the check box next to Make a Color Copy.
    note:
    To restrict color features, you must first open the Restrict Color/Limits page from the menu on the left side of the screen. Select Custom Access Control for the Color Access Control Level.
  4. Click OK.

Create a new permission set

  1. In the area for Permission Sets, click New to create a new permission set.
  2. Type a unique name for the permission set, and then specify the features that members of this permission set are allowed to use.
  3. If you selected Custom Access Control on the Device Access tab, you can allow access to a controlled device function by selecting the check box in each heading area.
    For example, select Copy Application to allow members of this permission set to make copies at the device.
    note:
    For the Copy and Print applications, you must select the check box in the main heading area in order to select any of the sub-items beneath it.
  4. If you want to restrict some options within a feature, clear the appropriate check boxes under the main heading.
    For example, if you want to allow members of this permission set to make black & white copies but not color copies, clear the check boxes next to Make a Color Copy and Make a Copy with Professional Color Quality.
    note:
    To restrict color features, you must first open the Restrict Color/Limits page from the menu on the left side of the screen. Select Custom for the Color Access Control Level.
  5. Click OK.
note:
If you plan to restrict color use for some users, set up different permission sets for color users and for non-color users.
note:
A permission set's check box is not available (grayed out) if the function was not set to require signing in on the Define Custom page for setting up access control, or if the function is a color setting and the option for controlling color on the Restrict Color page has not been set to Custom.
note:
To assign permission sets to users or groups of users, use the Users/Groups tab. See Create user and group accounts.
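
The check-box rules above interact, so a planned restriction can turn out to be impossible to set. The following added example (not HP code) models those rules in Python to flag such restrictions before you edit a permission set; the class, the function names and the sample plan are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Color sub-options mapped to their main heading (names from the table above).
COLOR_OPTIONS = {
    "Make a Color Copy": "Copy application",
    "Make a Copy with Professional Color Quality": "Copy application",
    "Print with Professional Color Quality": "Printing",
    "Print with General Office Color Quality": "Printing",
}

@dataclass
class DeviceConfig:
    access_level: str  # "Maximum" or "Custom"; Maximum is assumed to gate every feature
    sign_in_features: set = field(default_factory=set)  # chosen on Define Custom
    color_level_custom: bool = False                    # Restrict Color page set to Custom

def grayed_out(cfg, option):
    """True when the check box for `option` cannot be changed in a permission set."""
    feature = COLOR_OPTIONS.get(option, option)
    if cfg.access_level == "Custom" and feature not in cfg.sign_in_features:
        return True
    return option in COLOR_OPTIONS and not cfg.color_level_custom

def blocked_restrictions(cfg, planned):
    """Planned restrictions whose check boxes the current settings leave grayed out."""
    return sorted(o for o in planned if grayed_out(cfg, o))

# Effective quality for a permission set, given the names of its selected check boxes.
def print_capability(checked):
    if "Printing" not in checked:
        return "none"
    if "Print with Professional Color Quality" in checked:
        return "professional color"  # assumed result when only this box is selected
    if "Print with General Office Color Quality" in checked:
        return "general office color"
    return "black & white"

def copy_capability(checked):
    if "Copy application" not in checked:
        return "none"
    if "Make a Color Copy" not in checked:
        return "black & white"
    if "Make a Copy with Professional Color Quality" in checked:
        return "professional color"
    return "general office color"

# Constructed plan: restrict color and fax on a device where only Copy requires sign-in.
CFG = DeviceConfig("Custom", {"Copy application"}, color_level_custom=False)
PLAN = {"Make a Color Copy", "Print with Professional Color Quality", "Fax application"}
```

Here blocked_restrictions(CFG, PLAN) returns all three planned items: Fax and Printing do not require sign-in, and the color level is not set to Custom.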

Create user and group accounts

You can use the embedded Web server to access users or groups already defined on the network. You can also set up device user accounts, which are assigned an access code and are stored on the device hard disk.
The simplest way to set up access for all users in your organization is to configure the Device User permission set to meet the needs of the majority of the users. Then, assign all users to the Device User permission set. For those individuals who need access that is different than the Device User permission set, create custom permission sets.

Assign users and groups to permission sets

  1. Open the embedded Web server. See Open the embedded Web server.
  2. Select the Settings tab.
  3. Select Device Sign In from the menu on the left side of the screen.
  4. Click the Users/Groups tab.
  5. Configure the permission sets according to the type of Sign In method you are using. See Sign-in methods.
    • Windows Users and Groups
    • LDAP Users and Groups
    • Device User Accounts (Local Device sign-in method. Network sign-in is not required.)

Add new Windows or LDAP users or groups and assign permission sets

The procedure is the same for Windows or LDAP users and groups.
  1. In either the Windows Users and Groups area or the LDAP Users and Groups area, click New.
  2. Next to User or Group, select either User or Group.
  3. Next to Network User or Group Name, type the name for the user or group.
    note:
    The mapping name must match the user or group name that is already defined on the network. Use the full domain\user or domain\group path.
  4. Next to Permission Set, select the permission set to assign to this user or group.
  5. Click OK to add the new user or group.

Edit permission-set assignments for existing Windows or LDAP users or groups

The procedure is the same for Windows or LDAP users and groups.
  1. In either the Windows Users and Groups area or the LDAP Users and Groups area, select a user or group, and click Edit. The Edit Mapping page opens.
  2. Next to User or Group, select either User or Group.
  3. Next to Network User or Group Name, type the name for the user or group.
    note:
    The mapping name must match the user or group name that is already defined on the network. Use the full domain\user or domain\group path.
  4. Next to Permission Set, select the permission set to assign to this user or group depending on the type of mapping being created.
  5. Click OK to save the changes.

Remove permission-set assignments for existing Windows or LDAP users or groups

The procedure is the same for Windows or LDAP users and groups.
  1. In either the Windows Users and Groups area or the LDAP Users and Groups area, select a user or group, and click Delete.
  2. A message appears that warns you that you are about to delete the user or group. Click OK to delete the user or group, or click Cancel to return to the previous screen without deleting the user or group.

Add new device user accounts and assign permission sets

  1. On the Users/Groups tab, in the Device User Accounts area, click New.
  2. An auto-generated access code appears. If you change the access code, it must be unique and be five digits.
  3. Type the user's full name and e-mail address. The name must be unique.
  4. Type the user's network name. This name is used for access to device features that require a network account. The name must match the full account name, including the domain. For example: DOMAIN/username.
  5. Select which permission set to assign to the user. See Permission sets.
  6. To add another user account, click Save and Add Another Account, or click OK if you are finished adding users.
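
When many accounts are being enrolled, the constraints in steps 2 through 4 can be checked on the planned list before anything is typed into the embedded Web server. The following is an added example, not HP code: the field names and sample rows are constructed, and accepting either DOMAIN/username or DOMAIN\username and comparing names without regard to case are assumptions.

```python
import re

ACCESS_CODE = re.compile(r"[0-9]{5}")                    # exactly five digits (step 2)
NETWORK_NAME = re.compile(r"[^\\/\s]+[\\/][^\\/\s]+")    # domain, separator, account (step 4)

def check_accounts(accounts):
    """Return (row, problem) pairs for planned accounts that break the rules above."""
    problems, seen_codes, seen_names = [], {}, {}
    for row, acct in enumerate(accounts, start=1):
        code = acct["access_code"]          # kept as a string so leading zeros survive
        if not ACCESS_CODE.fullmatch(code):
            problems.append((row, "access code is not five digits"))
        elif code in seen_codes:
            problems.append((row, f"access code duplicates row {seen_codes[code]}"))
        else:
            seen_codes[code] = row
        # Assumption: names that differ only by case or padding count as duplicates.
        key = acct["full_name"].strip().casefold()
        if key in seen_names:
            problems.append((row, f"full name duplicates row {seen_names[key]}"))
        else:
            seen_names[key] = row
        if not NETWORK_NAME.fullmatch(acct["network_name"]):
            problems.append((row, "network name lacks a domain"))
    return problems

# Constructed sample rows; none of these are real accounts.
SAMPLE = [
    {"access_code": "48213", "full_name": "Ana Ruiz", "network_name": "CORP/aruiz"},
    {"access_code": "4821",  "full_name": "Ben Ito",  "network_name": "CORP/bito"},
    {"access_code": "48213", "full_name": "Cy Okoye", "network_name": "cokoye"},
    {"access_code": "77150", "full_name": "ana ruiz", "network_name": "CORP\\aruiz2"},
]

if __name__ == "__main__":
    for row, problem in check_accounts(SAMPLE):
        print(f"row {row}: {problem}")
```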

Edit existing device user accounts

  1. On the Users/Groups tab, in the Device User Accounts area, select a user account, and click Edit.
  2. You can change the access code, the user's name, e-mail address, the network name, and the permission-set assignment for the user.
  3. Click OK to save the changes.

Delete existing device user accounts

  1. On the Users/Groups tab, in the Device User Accounts area, select a user account, and click Delete.
  2. A message appears that warns you that you are about to delete the user. Click OK to delete the user or group, or click Cancel to return to the previous screen without deleting the user.

View a list of all device-user accounts

  1. On the Users/Groups tab, in the Device User Accounts area, click List.
  2. A new page opens that summarizes all the information for the existing device-user accounts.
    note:
    An easy way to provide each user with the necessary information for signing in is to copy the information from this page and paste it into an e-mail to each user.
  3. Click Back to return to the previous page.

Sign-in methods

On the Sign In Methods tab, you can select the authentication method that the device uses when users sign in to the device at the control panel. Select one of the following for the Default Sign In Method:
  • LDAP
  • Local Device
  • Windows
If you have installed any third-party sign-in solutions, they also appear in this list. See the documentation that came with the solution for information about setting up the sign-in method.
note:
Each of these sign-in methods can be enabled for the device, but only one can be the default sign-in method. If you enable more than one method, users can access a non-default method by touching Advanced after they touch the Sign In button on the control panel.
If you select Local Device, you need to set up individual user accounts. See Add new device user accounts and assign permission sets.
If you select either the Windows or LDAP sign-in method, you can use users or groups that are already defined for the network. The following sections describe how to set up these sign-in methods.

Windows sign-in setup

  1. To enable the Windows sign-in method, select the Enable Windows Negotiated Sign In check box.
  2. For each Windows domain that you want the device to recognize, below the box for Trusted Domains, click Add.
  3. Select the domain to add.
  4. By default, the device uses the Windows Active Directory account name to verify the user names. If you want to change this setting, type the name of a different attribute in the box next to Match the name entered with this attribute.
  5. The device uses the Windows mail attribute to retrieve the users' e-mail addresses. Change this setting only if you need to.
  6. Select which Windows domain to use as the default.
  7. To verify that the sign-in method is working correctly, click Test Windows Sign In.
  8. At the bottom of the page, click Apply to save the settings.

LDAP sign-in setup

  1. To enable the LDAP sign-in method, select the Enable LDAP Sign In check box.
  2. Next to LDAP Server Address, type the network address of the LDAP server. The address can be a fully-qualified DNS name, an IPv4 address in dotted-decimal notation, or an IPv6 address in colon-hexadecimal notation.
  3. Type the Bind Prefix and the Bind and Search Root in the appropriate boxes.
  4. You can change the default attributes that the device uses to verify the user if you need to. However, HP recommends that you use these default attributes.
  5. To verify that the sign-in method is working correctly, click Test LDAP Authentication.
  6. At the bottom of the page, click Apply to save the settings.