Map the Permissions to the Roles Specified in the OIDC Identity Provider¶
In the configuration of the seal-rest service, you map the permissions for printers and jobs to the roles specified in the OIDC identity provider. The specific permissions depend on the OIDC client. The following OIDC clients are available in connection with PLOSSYS Output Engine:
- seal-plossysadmin for PLOSSYS Administrator
- seal-plossyscli for PLOSSYS CLI
- seal-easyprima for easyPRIMA
- seal-mobile_print for PLOSSYS Mobile Client (formerly PLOSSYS DocPrint)
In the OIDC identity provider, roles are configured to which the users are assigned. For example, in the preconfigured Keycloak from SEAL Systems, admin, readonly and custom are available as roles; they are used in the examples below.
The mapping of the permissions to the roles is specified as a JSON object with the following key:
ALLOWED_OIDC_CLIENTS: Mapping of permissions to roles specified in the OIDC identity provider
Available Keys and Values¶
{
  "<oidc-client>": {
    "roles": {
      "<role-specified-in-oidc>": {
        "areas": {
          "jobs": {
            "set-<name>": {
              "views": [<job-view>],
              "permissions": [<job-permissions>]
            }
          },
          "printers": {
            "set-<name>": {
              "views": [<printer-view>],
              "permissions": [<printer-permissions>]
            }
          }
        }
      }
    }
  }
}
<oidc-client>¶
On the top level of the JSON object, you specify the OIDC client. For the available values, refer to the list above.
<role-specified-in-oidc>¶
Within roles, you specify the names of the roles specified in the OIDC identity provider. For example, in the preconfigured Keycloak from SEAL Systems, admin, readonly and custom are available as roles.
areas¶
Within a role, jobs and printers are available as areas. For the seal-plossysadmin client, the dashboard area is additionally available; it holds no sets and is specified as an empty object ("dashboard": {}), as in the examples below.
set-<name>¶
Within a jobs or printers area, a view of the items (printers or jobs) and the corresponding permissions are combined into a set. The name of the set has to start with set-. The rest of the set name is arbitrary. An area can contain several sets; an item is shown whenever at least one set's view selects it.
views¶
Within views, you specify the selection of items (jobs or printers) to which the permissions specified with permissions apply. ["ALL"] stands for all items, [] stands for none of them.
By combining the struct, value and operator keys, you specify which items belong to the selection.
With struct, you specify the property of the item which is checked against the value using the operator. As property, you can use all properties of the database object representing the printer or the job. A printer property is, for example, config.printer, config.server or current.printerName. A job property is, for example, orig.userName, current.userName or status.
Hint - database object examples
For examples of database objects for a job and a printer, refer to Example of a Job's Database Object and Example of a Printer's Database Object.
The following values are available for operator:
- "eq" for an exact match between value and struct.
  Example - exact matching for all jobs belonging to the user who is logged on to PLOSSYS Administrator:
  "views": [ { "struct": "current.userName", "value": "%CURRENT_USER%", "operator": "eq" } ]
- "neq" negation of eq.
  Example - exact matching for all printers not named 'niceprinter':
  "views": [ { "struct": "config.printer", "value": "niceprinter", "operator": "neq" } ]
- "wildcard" for a wildcard match between value and struct. For this, value can contain *.
  Example - wildcard matching for all printers whose names start with roe:
  "views": [ { "struct": "config.printer", "value": "roe*", "operator": "wildcard" } ]
- "notWildcard" negation of wildcard.
  Example - notWildcard matching for all printers whose names do not start with roe:
  "views": [ { "struct": "config.printer", "value": "roe*", "operator": "notWildcard" } ]
- "regex" for a regular expression match between value and struct. An arbitrary regular expression can be used in value. The regular expression can be written as a simple string (bla.+blubb) or, if flags are necessary, enclosed in / (/bla.+blubb/i). Note that [...] is a character class: write [23] for "2 or 3", because [2|3] would also match a literal |.
  Example - regex matching for all printers whose names start with roe (case-insensitive) followed by 2 or 3:
  "views": [ { "struct": "config.printer", "value": "/^roe[23].*/i", "operator": "regex" } ]
- "notRegex" negation of regex.
  Example - notRegex matching for all printers whose names do not start with roe (case-insensitive) followed by 2 or 3:
  "views": [ { "struct": "config.printer", "value": "/^roe[23].*/i", "operator": "notRegex" } ]
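The selection logic described above, written out as an added Python example; this is not code from the seal-rest service or from SEAL Systems. It evaluates the six operators (including the /pattern/flags notation), the ["ALL"] and [] special values, and the union of permissions over several sets, against constructed sample printer and job objects. Assumed, because the page does not specify them: placeholders such as %CURRENT_USER% are substituted from the request context (with %ALLOWED_PRINTER_NAMES% expanding to a list of names), several conditions in one views list must all hold, wildcard matching is case-sensitive, a bare regex is searched rather than anchored, and an item that no set selects is not shown at all. The last area, PIPE_PITFALL, shows why [2|3] must not be used to mean "2 or 3".

```python
import re

# Constructed sample database objects (illustrative, not real PLOSSYS records);
# only the properties referenced by the views below are populated.
PRINTERS = [
    {"config": {"printer": "roe2", "server": "srv1", "location": "Timbuktu"}},
    {"config": {"printer": "ROE3", "server": "srv1", "location": "Berlin"}},
    {"config": {"printer": "roe|x", "server": "srv2", "location": "Timbuktu"}},
    {"config": {"printer": "niceprinter", "server": "srv2", "location": "Berlin"}},
]
JOBS = [
    {"orig": {"userName": "alice"}, "current": {"userName": "alice", "printerName": "roe2"}, "status": "done"},
    {"orig": {"userName": "bob"}, "current": {"userName": "alice", "printerName": "niceprinter"}, "status": "paused"},
    {"orig": {"userName": "bob"}, "current": {"userName": "bob", "printerName": "ROE3"}, "status": "active"},
]

OPERATORS = ("eq", "neq", "wildcard", "notWildcard", "regex", "notRegex")
_FLAGS = {"i": re.IGNORECASE, "m": re.MULTILINE, "s": re.DOTALL}  # assumed flag set


def get_path(obj, dotted):
    """Resolve a dotted property path such as 'config.printer'; missing -> None."""
    for part in dotted.split("."):
        if not isinstance(obj, dict) or part not in obj:
            return None
        obj = obj[part]
    return obj


def compile_regex(value):
    """Accept 'bla.+blubb' or '/bla.+blubb/i'. Assumption: a bare pattern is
    searched anywhere in the property value (anchor with ^ and $ yourself)."""
    m = re.fullmatch(r"/(.*)/([a-z]*)", value, re.DOTALL)
    pattern, flags = (m.group(1), m.group(2)) if m else (value, "")
    re_flags = 0
    for f in flags:
        if f not in _FLAGS:
            raise ValueError(f"unsupported regex flag {f!r} in {value!r}")
        re_flags |= _FLAGS[f]
    return re.compile(pattern, re_flags)


def compile_wildcard(value):
    """Only '*' is special and matches any run of characters; the pattern must cover
    the whole value, so 'roe*' means 'starts with roe' (assumed case-sensitive)."""
    return re.compile(".*".join(re.escape(p) for p in value.split("*")) + r"\Z", re.DOTALL)


def condition_matches(item, cond, placeholders):
    """Evaluate one {struct, value, operator} condition against one item."""
    struct, op, value = cond["struct"], cond["operator"], cond["value"]
    if op not in OPERATORS:
        raise ValueError(f"unknown operator {op!r}")
    # Assumption: %NAME% values are substituted from the request context, e.g.
    # %CURRENT_USER% -> login name, %ALLOWED_PRINTER_NAMES% -> list of names.
    if isinstance(value, str):
        value = placeholders.get(value, value)
    actual = get_path(item, struct)
    if op in ("eq", "neq"):
        hit = actual in (value if isinstance(value, list) else [value])
    else:
        text = "" if actual is None else str(actual)
        if op in ("wildcard", "notWildcard"):
            hit = compile_wildcard(value).match(text) is not None
        else:
            hit = compile_regex(value).search(text) is not None
    return hit if op in ("eq", "wildcard", "regex") else not hit


def item_in_view(item, views, placeholders):
    """["ALL"] selects every item, [] none; otherwise every listed condition must
    hold (assumption: conditions within one views list are ANDed)."""
    if views == ["ALL"]:
        return True
    if not views:
        return False
    return all(condition_matches(item, c, placeholders) for c in views)


def access_for(item, area, placeholders=None):
    """None if no set of the area shows the item (it stays invisible); otherwise the
    union of the permissions of all sets whose view contains it.
    frozenset({'ALL'}) means everything, an empty frozenset means view-only."""
    placeholders = placeholders or {}
    granted, visible = set(), False
    for name, entry in area.items():
        if not name.startswith("set-"):
            raise ValueError(f"set name {name!r} must start with 'set-'")
        if item_in_view(item, entry["views"], placeholders):
            visible = True
            granted.update(entry["permissions"])
    if not visible:
        return None
    return frozenset({"ALL"}) if "ALL" in granted else frozenset(granted)


def visible_printers(area, placeholders=None):
    """Names of the sample printers a role with this printers area can see."""
    return [p["config"]["printer"] for p in PRINTERS if access_for(p, area, placeholders) is not None]


# Areas copied from the mapping examples on this page, plus two regex sets.
ROE_PRINTERS = {"set-roe-printers": {"views": [{"struct": "config.printer", "value": "roe*", "operator": "wildcard"}], "permissions": ["ALL"]}}
READONLY_JOBS = {"set-view-all": {"views": ["ALL"], "permissions": []}}
OWN_JOBS = {"set-own-jobs": {"views": [{"struct": "current.userName", "value": "%CURRENT_USER%", "operator": "eq"}], "permissions": ["ALL"]}}
ROE23_PRINTERS = {"set-roe23": {"views": [{"struct": "config.printer", "value": "/^roe[23].*/i", "operator": "regex"}], "permissions": ["pause", "resume"]}}
# Common mistake: [2|3] is a character class and also admits a literal '|'.
PIPE_PITFALL = {"set-pipe": {"views": [{"struct": "config.printer", "value": "/^roe[2|3].*/i", "operator": "regex"}], "permissions": []}}
```

Run it with `python -c "import views_demo as v; print(v.visible_printers(v.ROE_PRINTERS))"` after saving the block as views_demo.py. Two points worth checking in a real mapping are visible immediately: a set with views ["ALL"] and permissions [] makes every item visible but grants nothing (the readonly example), and a second set in the same area only ever adds permissions, never removes them, so a narrow set next to a broad one does not restrict anything.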
permissions¶
Within permissions, you specify the permissions which apply to the selection of items specified with views. Multiple permissions are given as a comma-separated list, ["<permission-1>","<permission-2>",...,"<permission-n>"]. ["ALL"] stands for all permissions, [] stands for none of them. A set with a non-empty view and [] as permissions makes the selected items visible but not manageable (see the readonly example below).
The following specific permissions are available for printers (<printer-permissions>):
- "add" for adding printers
- "checkPhysical" for receiving the device status of an IPP printer
- "createTestJob" for creating test jobs for the printers
- "delete" for deleting printers
- "deleteMessage" for deleting notes at the printers
- "logs" for viewing the logs of a printer
- "pause" for pausing printers
- "redirect" for redirecting printers
- "resume" for resuming paused printers
- "setMessage" for writing notes at the printers
- "update" for updating the printer configuration. The update permission is needed by easyPRIMA for changing the printer configuration but is irrelevant for PLOSSYS Administrator.
The following specific permissions are available for jobs (<job-permissions>):
- "cancel" for canceling jobs
- "collect" for collecting job files
- "delete" for deleting jobs
- "move" for moving jobs to other printers
- "pause" for pausing jobs
- "preview" for previewing jobs
- "repeat" for repeating jobs
- "resume" for resuming paused jobs
- "tempfiles" for including the temporary files when collecting the job data
Mapping Examples¶
Here, you find some commonly used examples for the permission mapping.
Example - admin role with full access in PLOSSYS Administrator and all permissions for importing printers from easyPRIMA to PLOSSYS Output Engine
{
"seal-plossysadmin": {
"roles": {
"admin": {
"areas": {
"dashboard": {},
"jobs": {
"set-a": {
"views": ["ALL"],
"permissions": ["ALL"]
}
},
"printers": {
"set-a": {
"views": ["ALL"],
"permissions": ["ALL"]
}
}
}
}
}
},
"seal-easyprima": {
"roles": {
"admin": {
"areas": {
"printers": {
"set-a": {
"views": ["ALL"],
"permissions": ["ALL"]
}
}
}
}
}
}
}
Example - readonly role which can view all jobs but is not allowed to manage them
{
"seal-plossysadmin": {
"roles": {
"readonly": {
"areas": {
"jobs": {
"set-view-all": {
"permissions": [],
"views": ["ALL"]
}
}
}
}
}
}
}
Example - roeprinters role which can only view and manage printers whose names start with roe
{
"seal-plossysadmin": {
"roles": {
"roeprinters": {
"areas": {
"dashboard": {},
"jobs": {},
"printers": {
"set-roe-printers": {
"views": [
{
"struct": "config.printer",
"value": "roe*",
"operator": "wildcard"
}
],
"permissions": [ "ALL" ]
}
}
}
}
}
}
}
Example - onlymyjobs role which can only view and manage its own jobs but does not see any printer
{
"seal-plossysadmin": {
"roles": {
"onlymyjobs": {
"areas": {
"dashboard": {},
"jobs": {
"set-own-jobs": {
"views": [
{
"struct": "current.userName",
"value": "%CURRENT_USER%",
"operator": "eq"
}
],
"permissions": [ "ALL" ]
}
},
"printers": {}
}
}
}
}
}
Example - ownjobsprinters role which can view and manage particular printers and the jobs on these printers
{
"seal-plossysadmin": {
"roles": {
"ownjobsprinters": {
"areas": {
"dashboard": {},
"jobs": {
"set-jobs-on-my-printers": {
"views": [
{
"struct": "current.printerName",
"value": "%ALLOWED_PRINTER_NAMES%",
"operator": "eq"
}
],
"permissions": [ "ALL" ]
}
},
"printers": {
"set-my-printers": {
"views": [
{
"struct": "config.location",
"value": "Timbuktu",
"operator": "eq"
}
],
"permissions": ["ALL"]
}
}
}
}
}
}
}
Hint - complex JSON object
The value of ALLOWED_OIDC_CLIENTS is a complex JSON object, so it is advisable to read it from a file via PLOSSYS CLI. The value of ALLOWED_OIDC_CLIENTS is then also checked for JSON well-formedness. You can also generate a template for the JSON object via PLOSSYS CLI.
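The JSON check mentioned in the hint only establishes that the value is well-formed; it does not tell you that a permission name is misspelled, that a set name lacks the set- prefix, or that a set is wider than intended. The following linter is an added Python example, not part of PLOSSYS CLI or any SEAL Systems tooling. It checks a mapping against the clients, areas, operators and permission names listed on this page and reports every set that grants ["ALL"] on ["ALL"], which is the first thing to look at in a review. The structural rules it enforces (a set needs both keys, a condition needs exactly struct, value and operator, dashboard only under seal-plossysadmin) are this example's reading of the page; ADMIN_EXAMPLE is the admin mapping from above, BAD_EXAMPLE is constructed.

```python
import json

# Value space taken from this page; anything outside it is flagged.
OIDC_CLIENTS = {"seal-plossysadmin", "seal-plossyscli", "seal-easyprima", "seal-mobile_print"}
OPERATORS = {"eq", "neq", "wildcard", "notWildcard", "regex", "notRegex"}
PRINTER_PERMISSIONS = {"add", "checkPhysical", "createTestJob", "delete", "deleteMessage",
                       "logs", "pause", "redirect", "resume", "setMessage", "update"}
JOB_PERMISSIONS = {"cancel", "collect", "delete", "move", "pause", "preview",
                   "repeat", "resume", "tempfiles"}
AREA_PERMISSIONS = {"printers": PRINTER_PERMISSIONS, "jobs": JOB_PERMISSIONS}


def _check_views(views, path, err):
    if not isinstance(views, list):
        err(path, "'views' must be a list")
    elif views not in (["ALL"], []):
        for i, cond in enumerate(views):
            cpath = f"{path}[{i}]"
            if not isinstance(cond, dict) or set(cond) != {"struct", "value", "operator"}:
                err(cpath, "condition needs exactly the keys struct, value, operator")
            elif cond["operator"] not in OPERATORS:
                err(cpath, f"unknown operator {cond['operator']!r}")
            elif not isinstance(cond["struct"], str) or not cond["struct"]:
                err(cpath, "'struct' must be a non-empty property path")


def _check_permissions(perms, allowed, path, err):
    if not isinstance(perms, list):
        err(path, "'permissions' must be a list")
    elif perms != ["ALL"]:
        for p in perms:
            if p not in allowed:
                err(path, f"unknown permission {p!r}")


def lint_mapping(mapping):
    """Semantic checks that plain JSON validation does not do. Returns a list of
    'path: problem' strings; an empty list means only known clients, areas,
    operators and permissions are used and every set is complete."""
    problems = []

    def err(path, msg):
        problems.append(f"{path}: {msg}")

    if not isinstance(mapping, dict):
        return ["<root>: must be a JSON object keyed by OIDC client"]
    for client, ccfg in mapping.items():
        if client not in OIDC_CLIENTS:
            err(client, "unknown OIDC client")
        roles = ccfg.get("roles") if isinstance(ccfg, dict) else None
        if not isinstance(roles, dict):
            err(client, "missing 'roles' object")
            continue
        for role, rcfg in roles.items():
            areas = rcfg.get("areas") if isinstance(rcfg, dict) else None
            if not isinstance(areas, dict):
                err(f"{client}.roles.{role}", "missing 'areas' object")
                continue
            for area, sets in areas.items():
                apath = f"{client}.roles.{role}.areas.{area}"
                if area == "dashboard":
                    if client != "seal-plossysadmin":
                        err(apath, "dashboard area exists only for seal-plossysadmin")
                elif area not in AREA_PERMISSIONS or not isinstance(sets, dict):
                    err(apath, "area must be jobs, printers or dashboard and hold an object of sets")
                else:
                    for name, entry in sets.items():
                        spath = f"{apath}.{name}"
                        if not name.startswith("set-"):
                            err(spath, "set name must start with 'set-'")
                        if not isinstance(entry, dict) or {"views", "permissions"} - set(entry):
                            err(spath, "set needs both 'views' and 'permissions'")
                            continue
                        _check_views(entry["views"], f"{spath}.views", err)
                        _check_permissions(entry["permissions"], AREA_PERMISSIONS[area],
                                           f"{spath}.permissions", err)
    return problems


def broad_grants(mapping):
    """Sets that show every item and grant every permission on it; call only on a
    mapping that lint_mapping accepted. These are the entries to review first."""
    found = []
    for client, ccfg in mapping.items():
        for role, rcfg in ccfg["roles"].items():
            for area, sets in rcfg["areas"].items():
                if area == "dashboard":
                    continue
                for name, entry in sets.items():
                    if entry["views"] == ["ALL"] and entry["permissions"] == ["ALL"]:
                        found.append(f"{client}:{role}:{area}:{name}")
    return found


# The admin example from this page, parsed the way the CLI would read it from a file.
ADMIN_EXAMPLE = json.loads("""
{"seal-plossysadmin": {"roles": {"admin": {"areas": {
    "dashboard": {},
    "jobs": {"set-a": {"views": ["ALL"], "permissions": ["ALL"]}},
    "printers": {"set-a": {"views": ["ALL"], "permissions": ["ALL"]}}}}}},
 "seal-easyprima": {"roles": {"admin": {"areas": {
    "printers": {"set-a": {"views": ["ALL"], "permissions": ["ALL"]}}}}}}}
""")

# Constructed mapping with typical mistakes: unknown client, set name without
# 'set-', unknown operator, unknown permission, dashboard outside plossysadmin.
BAD_EXAMPLE = {"seal-unknown": {"roles": {"custom": {"areas": {
    "printers": {"myset": {"views": [{"struct": "config.printer", "value": "roe*", "operator": "like"}],
                           "permissions": ["pause", "reboot"]}},
    "dashboard": {}}}}}}
```

Point `lint_mapping(json.load(open("allowed_oidc_clients.json")))` at the file you hand to PLOSSYS CLI before setting the key; an empty result plus a short `broad_grants` list is what you want to see for anything other than the administrator role.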