
HP OfficeJet Pro X series - Access Control

Introduction

Through the HP Embedded Web Server (EWS), the Access Control option provides controls to manage the print features users can access:
  • Enable and Configure Sign-In Methods
  • Sign-In and Permissions
  • Printer User Accounts
The following steps explain how to use the Access Control feature.

Step one: Connect to the Embedded Web Server (EWS)

  1. From the Home screen on the printer control panel, touch the Network button to display the IP address or host name.
  2. Open a Web browser, and in the address line, type the IP address or host name as it displays on the printer control panel. Touch the Enter key on the computer keyboard. The EWS opens.
    Figure : Example of an IP address in a browser window
    note:
    If the Web browser displays a "There is a problem with this website’s security certificate" message when attempting to open the EWS, click "Continue to this website (not recommended)".
    Choosing "Continue to this website (not recommended)" will not harm the computer while navigating within the EWS for the HP printer. If this error occurs outside of the HP printer’s EWS, the computer could be at risk.
    Figure : Example of the HP Embedded Web Server home screen
    note:
    To prevent unauthorized printer setting changes, administrators might want to add a password to limit access to the EWS.

Step two: Open the Access Control page

  1. Using the EWS top navigation menu, click Settings.
  2. In the left navigation pane, click Security.
  3. In the Security options list, click Access Control. The Access Control page opens.

Step three: Configure the sign-in methods

The printer has options for users to log in at the printer control panel or from the computer to access print features.
note:
By default, all print features are available without requiring users to log in. An Access Control sign-in method is necessary to assign permissions or restrict access.
The EWS has three available sign-in methods. Each is listed with its description and default status:
  • Local Device (default status: Enabled): User accounts are created on the EWS and assigned a User Access Code to use to log in at the printer control panel.
    note:
    On the printer control panel, the User Access Code is referred to as PIN.
  • LDAP (default status: Disabled): This sign-in method requires administrator configuration and uses an LDAP directory server to authenticate User Names and Passwords when logging in to the printer from the computer.
  • Windows (default status: Disabled): This sign-in method requires administrator configuration and authenticates the Windows Domain, User Names, and Passwords when logging in to the printer from the computer.

Local Device sign-in method

Create new Local Device user account

  1. To create a user account, scroll to the bottom of the page, and click the icon in the Printer User Accounts area. The Create a Printer User Account page opens.
  2. Enter the following information for the new user account:
    • Display Name: This is the name that displays in the Printer User Account table and in the Color Usage Job Log
    • Email Address: (optional) This is the email that displays on the EWS in the Printer User Account table
    • User Access Code: The User Access Code is four to eight digits long, using the numbers 0-9
      note:
      On the printer control panel, the User Access Code is referred to as PIN.
  3. Click Apply.
note:
Local Device supports up to 50 users.

Edit Local Device user account

  1. On the Access Control page, scroll down to the Printer User Accounts section.
  2. In the row with the user account that needs to be edited, click Edit.
  3. Change account information, and then click Apply.

Delete Local Device user account

  1. On the Access Control page, scroll down to the Printer User Accounts section.
  2. To delete a user account, click the check box next to the user’s name in the Printer User Accounts table, and then click the icon.

LDAP

Use this option to enable or disable the LDAP sign-in method and configure the settings that the device uses to establish a connection with the LDAP server, authenticate users, and search the LDAP server database.
note:
By default, the LDAP sign-in method is disabled.

Enable and configure the LDAP sign-in method

Part one: Discover the LDAP server
  1. Click the Windows® Start button, enter cmd in the search field, and press Enter.
    Figure : Active Directory logon server search
  2. To determine which Active Directory logon server you are logged onto, in the command dialog, enter echo %logonserver%, and press Enter. This server can be used as the LDAP server.
    Figure : Logon server
Part two: Set up LDP
note:
This section uses a freely available tool, LDP.exe. This tool is NOT required to configure LDAP; however, it may be helpful.
  1. Open the LDP tool.
  2. Click Connection, and then select Connect. The Connect dialog box opens.
  3. In the Connect dialog box, enter the following information:
    1. Server: Enter the IP address or hostname of the LDAP server in the Server field.
    2. Port: Enter either 389 or 3268.
      note:
      Port 389 is the standard LDAP port. However, it may be necessary to use port 3268 when communicating with a Windows Global Catalog Active Directory Server.
    3. Connectionless: Leave the check box blank.
    4. SSL: Leave the check box blank.
  4. Click OK. You should now be connected to the LDAP server.
  5. From the LDP menu, click Connection, and then select Bind.
  6. In the Bind dialog box, enter the following information:
    1. User: Enter the username.
    2. Password: Enter the password.
    3. Domain: Enter the domain.
  7. Click OK.
  8. On the LDP screen, find and copy the Base DN. The Base DN is normally listed within the "defaultNamingContext."
    Figure : Base DN
  9. From the LDP tool, click Browse, and then select Search.
  10. In the Search dialog box, do the following:
    1. Base Dn: Paste the Base DN into the Base Dn field.
    2. Filter: Enter (&(objectclass=person)(displayname=customer last name, first name letter*)) into the Filter field.
      Example: (&(objectclass=person)(displayname=smith, j*))
      note:
      Make sure to put a space between "last name," and "first name letter" or the filter will not work.
      Figure : Search dialog box
    3. Scope: Select Subtree.
    4. Options: In the Search Options dialog box, remove all entries in the Attributes field, and then click OK.
    5. In the Search dialog box, click Run and then Close.
  11. On the LDP screen, locate the user DN from the returned results. The search prefix begins after the individual user CN. Copy the user DN for use in the HP Embedded Web Server (EWS).
    Figure : User DN
    note:
    The username format is defined within the device user DN. This can be viewed in the LDP trace. The format is often in email address format, but can be defined in many different combinations.
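The search filter from step 10 can be built from a name so that LDAP metacharacters in the name stay literal text (RFC 4515 escaping) and the comma-plus-space format is always correct. This is an added example, not HP or Microsoft code; the function names are hypothetical and the second sample name is constructed.

```python
# Added example, not HP or Microsoft code. Function names are hypothetical.

# RFC 4515: these characters must be written as \XX inside a filter value,
# otherwise they are parsed as filter syntax instead of literal text.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Return value with LDAP filter metacharacters escaped."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def displayname_filter(last_name: str, first_initial: str) -> str:
    """Build (&(objectclass=person)(displayname=<last>, <initial>*))."""
    last = last_name.strip()
    initial = first_initial.strip()
    if not last or len(initial) != 1:
        raise ValueError("need a last name and exactly one first-name letter")
    # Comma plus one space between the parts, as the note in step 10 requires.
    # The trailing * is the only wildcard left unescaped.
    value = f"{escape_filter_value(last)}, {escape_filter_value(initial)}*"
    return f"(&(objectclass=person)(displayname={value}))"


if __name__ == "__main__":
    # "smith"/"j" is the page's example; the second name is constructed.
    for last, initial in [("smith", "j"), ("Smith (Jr)*", "a")]:
        print(displayname_filter(last, initial))
```

The output of displayname_filter can be pasted into the Filter field of the LDP Search dialog box.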
Part three: Configure LDAP
  1. Go back to the EWS, and click the Scan tab.
  2. In the left navigation pane, click Scan to Email, and then select Email Address Book.
  3. In the Email Address Book area, click Setup next to Configure the LDAP directory server.
  4. In the Network Directory Server (LDAP) area, enter the following information:
    1. LDAP Server Address: Enter the server that you found in Step 1.
    2. Port: The default port is 389, but 636 (simple over SSL/TLS) and 3269 (global server) also work.
  5. In the Server Authentication Requirements area, click the Server requires authentication radio button, select Simple Credentials from the drop-down list, and enter the following information:
    1. User Name: Enter the email address from the LDP screen.
    2. Password: Enter the password for the domain account associated with the email address.
  6. In the LDAP Database Search Settings area, enter the following information:
    1. Path to start search (BaseDN, Search Root): Enter OU=CR,OU=Users,OU=Accounts,DC=americas,DC=cpqcorp,DC=net.
    2. Match the Recipient’s Name with this attribute: Leave cn as the default.
    3. Match the Recipient’s Email Address with this attribute: Leave mail as the default.
  7. In the Advanced LDAP Search Options area, enter (objectclass = person) in the LDAP Filter Condition field.
    note:
    Make sure to put a space before and after the equals sign for the Save and Test (next step) to work.
  8. To test the retrieval of address book entries using the LDAP setup above, enter at least three characters into the Save and Test field, and then click the Save and Test button.
  9. Click Apply to complete the LDAP configuration.

Disable the LDAP sign-in method

  1. In the Status column, click Edit for LDAP.
  2. Make sure the Enable LDAP Sign In check box is not checked, and then click Apply.

Windows®

Use this option to enable or disable the Windows sign-in method and configure the Windows trusted domain and attributes that the printer uses to authenticate users.
note:
By default, the Windows sign-in method is disabled.

Enable and configure the Windows sign-in method

  1. In the Status column, click Setup for Windows.
  2. Select the Enable Windows Sign In check box.
  3. In the Windows Sign-In Setup area, enter the following:
    • Default Windows Domain: Enter the domain name
    • Enable reverse DNS lookups: Click the check box to enable reverse DNS lookup
    • Always use secure connection (SSL/TLS): Click the check box to enable SSL/TLS
      note:
      When SSL/TLS is enabled, the server’s CA certificate needs to be imported into the printer.
    • Match the name entered with this attribute: Enter the Windows domain attribute for user login name
    • Retrieve the user's email address using this attribute: Enter the Windows domain attribute for user email addresses
    • Retrieve the printer user’s name using this attribute: Enter the Windows domain attribute for user names
  4. To test the Windows configuration, complete the following, and then click Save and Test.
    • Domain Name: This field auto-populates from the information entered in the Default Windows Domain field
    • User Name: Enter the user name
    • Password: Enter the password
  5. Click Apply.

Disable the Windows sign-in method

  1. In the Status column, click Edit for Windows.
  2. Make sure the Enable Windows Sign In check box is not checked, and then click Apply.

Step four: Configure the printer policies and permissions for specific print features

The following instructions provide information on how to configure access restrictions for user types, access types, and sign-in methods.
note:
By default, all print features are set to Access Granted for Guest and to Full Access for User, neither of which requires a sign-in method. Sign-in is not required unless the sign-in method is changed in the Sign-In Method column from Use Default to one of the three sign-in methods (Local Device, LDAP, or Windows).
  1. Determine the appropriate level of access for a Guest.
    • Access Granted: Allows a Guest to use the specified print feature without signing in
    • Requires Sign In: Requires a Guest to sign in to use the specified print feature
      1. To control access to all print features, click the check box under Guest. The check boxes are now set to (Requires Sign In) to use the print features.
        -OR-
      2. To control access to a specific print feature, click the check box in the Guest column that is to the right of the print feature. The print feature is now set to (Requires Sign In).
  2. Determine the level of access for a User.
    • Full Access: Allows a User to use the specified print feature without signing in
    • Access Denied: Color print features are not available for Guests or Users
    1. To disable all print features, click the check box under User. The check boxes are now set to (Access Denied). If a print feature is set to (Access Denied) in the User column, the access in the Guest column automatically changes to (Requires Sign In).
      -OR-
    2. To disable a specific print feature, click the check box in the User column that is to the right of the print feature. The print feature is now set to (Access Denied). If a print feature is set to Access Denied in the User column, the access in the Guest column automatically changes to (Requires Sign In).
  3. Determine the Sign-In Method for print features for walk-up users at the printer’s control panel.
    note:
    By default, the Sign-In Method is set as Local Device; however, this does not require sign in to use a print feature unless the sign-in method is changed for the specific print feature from Use Default to Local Device.
  4. To allow users to sign in using an alternate method, click the Allow users to choose alternate sign-in methods check box. If the Allow users to choose alternate sign-in methods check box is not checked, alternate sign-in methods are unavailable.

Step five: Save the configured Access Control settings

  1. At the bottom of the Access Control page, click Apply to save the configured settings.