Map the Permissions to the Roles Specified in the OIDC Identity Provider


In the configuration of the seal-rest service, you map the permissions for printers and jobs to the roles specified in the OIDC identity provider. The specific permissions depend on the OIDC client. The following OIDC clients are available in connection with PLOSSYS 5:

  • seal-plossysadmin for PLOSSYS Administrator

  • seal-plossyscli for PLOSSYS CLI

  • seal-easyprima for easyPRIMA

  • seal-mobile_print for PLOSSYS DocPrint

In the OIDC identity provider, roles are configured to which the users will be assigned. For example, in the preconfigured Keycloak from SEAL Systems, admin, readonly and custom are available as roles and used in the examples below.

The mapping of the permissions to the roles is specified as a JSON object with the following keys:


Available Keys and Values

{
  "<oidc-client>": {
    "roles": {
      "<role-specified-in-oidc>": {
        "areas": {
          "jobs": {
            "set-<name>": {
              "views": [<job-view>],
              "permissions": [<job-permissions>]
            }
          },
          "printers": {
            "set-<name>": {
              "views": [<printer-view>],
              "permissions": [<printer-permissions>]
            }
          }
        }
      }
    }
  }
}

<oidc-client>

On the top level of the JSON object, you specify the OIDC client. For the available values, refer to the list above.

<role-specified-in-oidc>

Within roles, you specify the names of the roles specified in the OIDC identity provider. For example, in the preconfigured Keycloak from SEAL Systems, admin, readonly and custom are available as roles.

areas

Within a role, jobs and printers are available as areas. For the seal-plossysadmin client, the dashboard area is additionally available.

set-<name>

Within a jobs or printers area, a view of the items (printers or jobs) and the corresponding permissions are combined into a set. The name of the set has to start with set-. The rest of the set name is arbitrary.

views

Within views, you specify the selection of items (jobs or printers) to which the permissions specified with permissions apply. ["ALL"] stands for all items, [] stands for none of them.

By combining the struct, value and operator keys, you specify which items belong to the selection.

With struct, you specify the property of the item which is checked against the value using the operator. As property, you can use all properties of the database object representing the printer or the job. A printer property is, for example, config.printer, config.server or current.printerName. A job property is, for example, orig.userName, current.userName or status.

Hint - database object examples

For examples of database objects for a job and a printer, refer to Example of a Job's Database Object and Example of a Printer's Database Object.

The following values are available for operator:

  • "eq" for an exact matching between value and struct.

    Example - exact matching for all jobs belonging to the user who has been logged on to PLOSSYS Administrator

    "views": [
      {
        "struct": "current.userName",
        "value": "%CURRENT_USER%",
        "operator": "eq"
      }
    ]

  • "wildcard" for a wildcard matching between value and struct. For this, value may contain *.

    Example - wildcard matching for all printers whose names start with roe

    "views": [
      {
        "struct": "config.printer",
        "value": "roe*",
        "operator": "wildcard"
      }
    ]


permissions

Within permissions, you specify the permissions which apply to the selection of items specified with views. Multiple permissions are separated by commas: ["<permission-1>","<permission-2>",...,"<permission-n>"]. ["ALL"] stands for all permissions, [] stands for none of them.

The following specific permissions are available for printers (<printer-permissions>):

  • "add" for adding printers
  • "createTestJob" for creating test jobs to the printers
  • "delete" for deleting printers
  • "deleteMessage" for deleting notes at the printers
  • "setMessage" for writing notes at the printers
  • "pause" for pausing printers
  • "redirect" for redirecting printers
  • "resume" for resuming paused printers
  • "update" for updating the printer configuration. The update permission is needed for easyPRIMA for changing the printer configuration but is irrelevant for PLOSSYS Administrator.
  • "checkPhysical" for receiving the device status of an IPP printer
  • "logs" for viewing the logs of a printer

The following specific permissions are available for jobs (<job-permissions>):

  • "cancel" for canceling jobs
  • "delete" for deleting jobs
  • "move" for moving the jobs to other printers
  • "pause" for pausing the jobs
  • "repeat" for repeating jobs
  • "resume" for resuming paused jobs
  • "tempfiles" for including the temporary files when collecting the job data
  • "collect" for collecting job files
  • "logs" for viewing the logs of a job
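The following script is an added example, not part of the seal-rest documentation or product. It validates a mapping object against the rules described above (set names start with set-, only known permissions and operators) and computes which items a user's roles can see and which permissions apply, so that a mapping can be checked for least privilege before it is loaded into ALLOWED_OIDC_CLIENTS. It assumes, beyond what the documentation states, that struct is a dotted path into the item's database object, that the views of one set are combined with OR, that sets and roles are combined by union, and that a placeholder such as %CURRENT_USER% is substituted by the caller; seal-rest's own evaluation may differ. The mapping, printers and jobs are constructed sample data.

```python
"""Offline checker for a seal-rest style permission mapping (added example).

Assumptions not taken from the documentation: "struct" is a dotted path into
the item's database object, the views of a set are OR-ed, the sets of all
matching roles are unioned, and placeholders like %CURRENT_USER% are replaced
with caller-supplied values before matching.
"""
import json
import re

# Permission names as listed in the documentation for printers and jobs.
PRINTER_PERMISSIONS = {"add", "createTestJob", "delete", "deleteMessage", "setMessage",
                       "pause", "redirect", "resume", "update", "checkPhysical", "logs"}
JOB_PERMISSIONS = {"cancel", "delete", "move", "pause", "repeat", "resume",
                   "tempfiles", "collect", "logs"}
OPERATORS = {"eq", "wildcard"}


def validate_mapping(mapping):
    """Return a list of problems found in the mapping; an empty list means OK."""
    problems = []
    for client, cfg in mapping.items():
        for role, rcfg in cfg.get("roles", {}).items():
            for area, sets in rcfg.get("areas", {}).items():
                if area == "dashboard":          # no sets inside the dashboard area
                    continue
                known = {"jobs": JOB_PERMISSIONS, "printers": PRINTER_PERMISSIONS}.get(area)
                if known is None:
                    problems.append(f"{client}/{role}: unknown area {area!r}")
                    continue
                for set_name, s in sets.items():
                    where = f"{client}/{role}/{area}/{set_name}"
                    if not set_name.startswith("set-"):
                        problems.append(f"{where}: set name must start with 'set-'")
                    for p in s.get("permissions", []):
                        if p != "ALL" and p not in known:
                            problems.append(f"{where}: unknown permission {p!r}")
                    for v in s.get("views", []):
                        if v == "ALL":
                            continue
                        if (not isinstance(v, dict) or v.get("operator") not in OPERATORS
                                or "struct" not in v or "value" not in v):
                            problems.append(f"{where}: malformed view {v!r}")
    return problems


def _lookup(item, path):
    """Follow a dotted path such as 'config.printer' into a nested dict."""
    for part in path.split("."):
        if not isinstance(item, dict):
            return None
        item = item.get(part)
    return item


def _view_matches(view, item, placeholders):
    if view == "ALL":
        return True
    value = placeholders.get(view["value"], view["value"])   # e.g. %CURRENT_USER% -> alice
    actual = _lookup(item, view["struct"])
    if actual is None:
        return False
    if view["operator"] == "eq":
        return actual == value
    # "wildcard": only '*' is special, everything else matches literally.
    pattern = "^" + ".*".join(re.escape(p) for p in value.split("*")) + "$"
    return re.match(pattern, str(actual)) is not None


def evaluate(mapping, client, roles, area, item, placeholders=None):
    """Return (visible, permissions) for one item: whether any set of any of the
    user's roles selects it, and the union of the permissions those sets grant."""
    placeholders = placeholders or {}
    known = JOB_PERMISSIONS if area == "jobs" else PRINTER_PERMISSIONS
    visible, granted = False, set()
    for role in roles:
        sets = mapping.get(client, {}).get("roles", {}).get(role, {}).get("areas", {}).get(area, {})
        for s in sets.values():
            if any(_view_matches(v, item, placeholders) for v in s.get("views", [])):
                visible = True
                perms = s.get("permissions", [])
                granted |= known if "ALL" in perms else set(perms)
    return visible, granted


# Constructed sample mapping in the documented format (not a real deployment).
SAMPLE_MAPPING = json.loads("""
{"seal-plossysadmin": {"roles": {
  "readonly":    {"areas": {"jobs": {"set-view-all": {"views": ["ALL"], "permissions": []}}}},
  "roeprinters": {"areas": {"printers": {"set-roe": {
      "views": [{"struct": "config.printer", "value": "roe*", "operator": "wildcard"}],
      "permissions": ["pause", "resume"]}}}},
  "onlymyjobs":  {"areas": {"jobs": {"set-own": {
      "views": [{"struct": "current.userName", "value": "%CURRENT_USER%", "operator": "eq"}],
      "permissions": ["ALL"]}}}}
}}}
""")
# Constructed sample database objects (only the properties the views look at).
PRINTERS = [{"config": {"printer": "roe01"}}, {"config": {"printer": "berlin01"}}]
JOBS = [{"current": {"userName": "alice"}}, {"current": {"userName": "bob"}}]

if __name__ == "__main__":
    print("problems:", validate_mapping(SAMPLE_MAPPING))
    for p in PRINTERS:
        print(p["config"]["printer"], evaluate(SAMPLE_MAPPING, "seal-plossysadmin", ["roeprinters"], "printers", p))
    for j in JOBS:
        print(j["current"]["userName"], evaluate(SAMPLE_MAPPING, "seal-plossysadmin", ["onlymyjobs", "readonly"],
                                                 "jobs", j, {"%CURRENT_USER%": "alice"}))
```

Running the script shows the behaviour the documentation describes: the readonly role makes bob's job visible with an empty permission set, the onlymyjobs role grants every job permission on alice's own job only, and the roeprinters role touches roe01 but not berlin01. A set with "views": [] selects nothing, so its permissions never apply, which is the safe default when in doubt.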

Mapping Examples

Here, you find some commonly used examples for the permission mapping.

Example - admin role with full access in PLOSSYS Administrator and all permissions for importing printers from easyPRIMA to PLOSSYS 5

{
  "seal-plossysadmin": {
    "roles": {
      "admin": {
        "areas": {
          "dashboard": {},
          "jobs": {
            "set-a": {
              "views": ["ALL"],
              "permissions": ["ALL"]
            }
          },
          "printers": {
            "set-a": {
              "views": ["ALL"],
              "permissions": ["ALL"]
            }
          }
        }
      }
    }
  },
  "seal-easyprima": {
    "roles": {
      "admin": {
        "areas": {
          "printers": {
            "set-a": {
              "views": ["ALL"],
              "permissions": ["ALL"]
            }
          }
        }
      }
    }
  }
}

Example - readonly role which may view all jobs but is not allowed to manage them

{
  "seal-plossysadmin": {
    "roles": {
      "readonly": {
        "areas": {
          "jobs": {
            "set-view-all": {
              "permissions": [],
              "views": ["ALL"]
            }
          }
        }
      }
    }
  }
}

Example - roeprinters role which may only view and manage printers whose names start with roe

{
  "seal-plossysadmin": {
    "roles": {
      "roeprinters": {
        "areas": {
          "dashboard": {},
          "jobs": {},
          "printers": {
            "set-roe-printers": {
              "views": [
                {
                   "struct": "config.printer",
                   "value": "roe*",
                   "operator": "wildcard"
                }
              ],
              "permissions": [ "ALL" ]
            }
          }
        }
      }
    }
  }
}

Example - onlymyjobs role which may only view and manage own jobs but does not see any printer

{
  "seal-plossysadmin": {
    "roles": {
      "onlymyjobs": {
        "areas": {
          "dashboard": {},
          "jobs": {
            "set-own-jobs": {
              "views": [
                {
                  "struct": "current.userName",
                  "value": "%CURRENT_USER%",
                  "operator": "eq"
                }
              ],
              "permissions": [ "ALL" ]
            }
          },
          "printers": {}
        }
      }
    }
  }
}

Example - ownjobsprinters role which may view and manage particular printers and jobs on these printers

{
  "seal-plossysadmin": {
    "roles": {
      "ownjobsprinters": {
        "areas": {
          "dashboard": {},
          "jobs": {
            "set-jobs-on-my-printers": {
              "views": [
                {
                  "struct": "current.printerName",
                  "value": "%ALLOWED_PRINTER_NAMES%",
                  "operator": "eq"
                }
              ],
              "permissions": [ "ALL" ]
            }
          },
          "printers": {
            "set-my-printers": {
              "views": [
                {
                  "struct": "config.location",
                  "value": "Timbuktu",
                  "operator": "eq"
                }
              ],
              "permissions": ["ALL"]
            }
          }
        }
      }
    }
  }
}

Hint - complex JSON object

Because the value of ALLOWED_OIDC_CLIENTS is a complex JSON object, it is advisable to read it from a file via PLOSSYS CLI. The value of ALLOWED_OIDC_CLIENTS is then also checked for JSON conformity. You can also generate a template for the JSON object via PLOSSYS CLI.
