Home » Ricoh Manuals » Printers » Ricoh InfoPrint Pro C900AFP » Manual Viewer

Ricoh InfoPrint Pro C900AFP InfoPrint Manager - Page 49

Security groups, helpdesk, Important, acl_admin, Administrator, myuserid, admin, Job Ticketer

Get Ricoh InfoPrint Pro C900AFP PDF manuals and user guides

View all Ricoh InfoPrint Pro C900AFP manuals

Add to My Manuals
Save this manual to your list of manuals

Page 49 highlights

Security groups No matter what size organization you work in, manually adding every user to every ACL can be a time-consuming process. To reduce some of the work, you can create security groups, groups of users who need to have the same levels of permission for the same objects. You use the name of the security group like a user ID; instead of adding each user ID to an ACL, you add the group name. For example, if you want all of your help desk operators to be able to perform the same operations, create a group and name it helpdesk. Then, add helpdesk to the appropriate ACLs. Important: All fields, such as User IDs, group names, hostnames, and DNS suffixes, are case sensitive. When you install InfoPrint Manager, three security groups are created by default: v acl_admin- Users who have authority to manage security by changing access control lists and groups. The default members are Administrator@* and the user who was logged on when InfoPrint Manager was installed (for example, myuserid@*). v admin- Users who have administrator authority. The default members are Administrator@* and the user who was logged on when InfoPrint Manager was installed (for example, myuserid@*). v oper- Users who have operator authority. The default member is Administrator@*. Note: 1. If you have installed InfoPrint Job Ticketer as part of the Print-on-Demand feature, the Job Ticketer group is created. Unlike the other groups, there are no default users created during installation. See InfoPrint Job Ticketer: Administrator's Guide for more information. 2. You can modify these groups as needed. In the example above, you could have simply added the help desk operators to the default oper group and modified any permissions that weren't set to the level that you wanted them. 3. The default group members contain the wildcard character (*) for greater flexibility. See below for more information about wildcarding. If you do not want the Administrator user on other systems to be able to administer InfoPrint Manager, replace the * with the explicit address of the system that the InfoPrint Manager server is installed on, for example [email protected]. You can add users to multiple groups, but you cannot make one group a member of another group. For example, if you hire five new print operators, you might create a group for them called trainees, since you only want them to have limited permissions until they are finished with their training. When they finish their training, you cannot add trainees as a member of the operators group. You will have to add their user IDs to the operators group one at a time. In addition, you will have to either delete the trainees group or delete the members from it- otherwise those users will have conflicting levels of permission. When users are members of more than one group and each group has a different level of permission for a particular object, the most restrictive permission applies. In the example above, if you forgot to remove the new employees from the trainees group at the end of their training, they wouldn't be able to perform the tasks their job required- they would still be restricted. Chapter 7. Managing security 31

Section	Page
Contents	5
Figures	11
Tables	13
About this publication	15
The InfoPrint publication library	15
InfoPrint Manager common publication library	15
InfoPrint Manager for AIX publication library	16
InfoPrint Manager for Windows publication library	16
Related information	17
Part 1. Administrative Procedures: Configuring InfoPrint Manager	19
Chapter 1. Using Multiple Network Adapter Cards	21
Chapter 2. Selecting a type of actual destination	23
PC-based applications or a host system using IP Printway	23
MVS Download, DPF, or a combination of PC-based applications and host systems	24
PSF attachment types	25
Chapter 3. Managed IPDS Dialog support	27
Enabling MID support	27
Considerations to activate MID support	27
Chapter 4. Using the Internet Printing Protocol (IPP) with InfoPrint Manager	29
Printing to an IPP-enabled printer	29
Printing through the IPP Gateway	29
Chapter 5. Configuring media	31
Determining the media that are in the servers	31
Using the InfoPrint Manager Administration Interface	31
Creating a media object	31
Using the InfoPrint Manager Administration Interface	31
Viewing or changing attributes of a medium	32
Using the InfoPrint Manager Administration Interface	32
Associating a medium with an actual destination	32
Using the InfoPrint Manager Administration Interface	32
Chapter 6. Using InfoPrint Manager notifications	33
Understanding notification profiles	33
Event identifiers	34
Delivery method and delivery address	34
Working with Select notifications	36
Using the 'exit' delivery method	38
Default notification profiles	38
Using notification profiles with default jobs	40
Changing notification profiles	40
For jobs, default jobs, servers, queues, and actual destinations	40
For logical destinations	41
Viewing an existing notification profile	41
Adding or modifying events or users in a notification profile	42
Example	43
Removing users from a notification profile	43
Example	44
Changing the delivery method	44
Example	44
Getting help for notification messages	45
Other notification methods	45
Notify-operator attribute	45
Chapter 7. Managing security	47
Types of permission	47
Security groups	49
Identifying users and groups: wildcarding	50
Working with ACLs and groups	50
Chapter 8. Customizing error logs in the InfoPrint Manager Windows server	51
Customizing an InfoPrint Manager server error log	51
Customizing a Notification server error log	52
Chapter 9. Monitoring disk use	55
Adjusting your server notification profile for disk usage	56
Disks monitored by InfoPrint Manager	56
Chapter 10. Administering your InfoPrint Manager server using a Windows Terminal Server client	57
Installing the Windows Terminal Server client	57
Chapter 11. Changing the server hostname and IP address	59
Changing the server hostname and IP address	59
Changing the hostname of a non-namespace server	60
Changing only the server IP address	61
Chapter 12. Setting up your InfoPrint Manager server to use resources on a different Windows system	63
Giving InfoPrint Manager access to remote resources	63
Using Windows 2000/2003	63
Preparing for shared resources with MVS Download	65
Telling InfoPrint Manager where your remote resources are located	65
Chapter 13. Working with SNMP printers	67
SNMP support	67
About SNMP communication	67
Smart-defaulting actual destination attributes	67
Detecting, reporting, and recovering from printer problems	68
Accessing device information	69
Changing device information	70
Setting up and using SNMP	71
Determining if a printer works with SNMP	71
Using the InfoPrint Manager Administration Interface	72
Procedures	72
Effects on performance with SNMP	73
Server start-up	73
Actual destination queries	73
SNMP polling	74
Chapter 14. Creating and managing resource-context objects	75
The search order for AFP resources	76
CMRs and data objects search order	78
The search order for CMRs	78
The search order for data objects	78
Reuse of CMRs and data objects across printer jobs	79
File extensions for resources	80
Processing resources installed with Resource Access Tables	82
Creating a new resource-context object	82
Changing a directory path for a resource-context object	83
Chapter 15. Using PSF DSS user-exit programs	85
Supported types of PSF DSS user-exits	85
Sample PSF DSS user-exit programs	86
Creating and using your own PSF DSS user-exit programs	88
Compiling and installing the user-exit program	88
Activating the user-exit program	88
User-exit program structures	89
Common input and output fields	90
The header page and trailer page user-exit programs	93
The separator page user-exit program	93
Accounting, post-print accounting, and audit user-exit program inputs and outputs	94
Fields that provide information for accounting, audit, and post-print accounting user-exit programs	95
Input data user-exit program inputs and outputs	97
Ouput data user-exit program inputs and outputs	99
Structure of a user-exit program	100
User-exit programs for the line data transform	100
apka2e	101
asciinp.c	101
asciinpe.c	101
Input record exit	102
Output record exit	104
Resource exit	105
Non-zero return codes	107
Attributes of the line data input file	107
Using the uconv command to convert coded character sets	108
Chapter 16. Creating and managing auxiliary sheets and PSF DSS user-exit programs	111
Preparing to work with auxiliary sheets	111
Terms relating to auxiliary sheets	111
InfoPrint default auxiliary-sheet objects	112
Examples of Brief-Style and Full-Style Auxiliary Sheets	114
Sequence of user-exit programs	117
Directory locations of user-exit programs supplied with InfoPrint Manager	117
Creating and configuring auxiliary sheet objects	119
Creating new auxiliary-sheet objects using the pdcreate command	119
Associating auxiliary-sheet objects with PSF printers	120
Activating auxiliary sheets for accounting or audit information	120
Associating the post-print accounting user-exit program with an actual destination	120
Associating an input data user-exit program with an actual destination	121
Associating an output data user-exit program with an actual destination	121
Using Interrupt Message Pages	121
Activating IMPs	122
Chapter 17. Gathering accounting and audit data about print jobs	125
Working with InfoPrint Manager server accounting information	125
How does the pdaccount command collect InfoPrint Manager accounting information?	125
How do you manage the InfoPrint Manager accounting logs?	129
Usage considerations by DSS for accounting information	130
Working with PSF accounting, post-print accounting, and audit data about the job	133
What do the accounting, post-print accounting, and audit PSF DSS user exits provide?	133
How do you format accounting, post-print accounting, and audit data for viewing?	135
How do you manage the contents of the data files?	136
Chapter 18. Using the InfoPrint Manager line printer daemon (LPD)	137
Chapter 19. Using the InfoPrint Manager System Migration (ISMU) Utility	139
Supported operating environments	139
Prerequisites	140
Migrating your InfoPrint Manager settings	140
Automatic process	140
Automatic tasks during migration	141
Manual process	142
Specific tasks during migration	142
Chapter 20. Setting up interoperating environments	149
Understanding interoperating environments	149
Reasons for setting up an interoperating environment	149
Multiserver configuration examples	150
Important issues in interoperating environments	150
Setting up a print environment with multiple Windows servers	151
Configuration example	152
Configuring for interoperability between an InfoPrint AIX server and an InfoPrint Windows server	154
Setting up the InfoPrint AIX server for interoperability	154
Starting NFS and connecting the AIX secondary server	154
Adding users to and modifying permissions for FST security groups	155
Setting up the ipwinadmin id on a Windows 2000/2003 domain controller	155
Creating the 'ntuser' ID on the InfoPrint AIX server	156
Ensuring correct AIX file permissions for interoperability	156
Configure Windows servers for interoperability	157
Installing MS Services for UNIX on the InfoPrint Windows servers	157
Setting up the common account for InfoPrint Windows servers on a 2000/2003 domain controller	157
Grant appropriate user rights to the domain user on all InfoPrint Manager Windows 2000/2003 servers	158
Configuring the NFS client to access the namespace	158
Verifying access to the AIX namespace that allows interoperability on Windows 2000/2003	159
Configuring the 'ntuser' ID for interoperability on the InfoPrint Windows servers	160
Verifying the authority of the ipwinadmin ID	160
Part 2. Administrative Procedures: Configuring for Host Printing	163
Chapter 21. Setting up to use MVS Download	165
Configuring MVS Download	165
Setting up a default MVS Download configuration	166
Creating an MVS Download Receiver for a default configuration	166
Understanding and using the MVS Download destination control file	167
Types of control statements	169
Syntax of control statements	170
Changing the sample DCF	173
Changing the sample DCF advanced information	175
Understanding the MVS Download Exit Program	177
Using the sample MVS Download exit program	178
Customizing the sample exit program	178
Creating an MVS Download Receiver	179
Making your AFP resources available to InfoPrint Manager	182
Manually transfer the resources from the host to your Windows system	182
Store your resources in a central location	182
Move the resources using MVS Download	183
Submitting multiple data set jobs	185
Requirements to use multiple data set support	185
Installing multiple data set support with MVS Download	186
Installing multiple data set support with AFP Download Plus	187
Limitations of multiple data set support	187
Technical description of multiple data set support	188
Displaying the page count for your MVS Download jobs	188
Performance considerations with the Direct Download method	189
Chapter 22. Using the Distributed Print Facility (DPF)	191
Part 3. Administrative Procedures: Customizing for Special Jobs	193
Chapter 23. Working with transforms	195
Customizing the PCL, PostScript, and PDF transforms	196
Sample configuration file	196
Daemon configuration files	197
Hierarchy of transform options	197
Stapling and punch options available from the ps2afp transform	197
Specifying finishing in the ps2afpd.cfg file	198
Staple and punch operations supported by the ps2afp transform	199
Collate options available from the ps2afp transform	202
Customizing the img2afp transform	202
Limitations of the img2afp transform	204
Examples	204
Customizing the TIFF, JPEG, and GIF transforms	205
Sample configuration file	205
Hierarchy of transform options	205
Working with the transform for line data	206
What is line data?	206
What are ANSI and machine carriage controls?	207
ANSI carriage control characters	207
Machine carriage control characters	208
What are variable-length and fixed-length files?	208
Variable-length and fixed-length files	209
Fixed-length files	209
How does the imageout keyword affect processing?	209
Customizing the line data transform	210
Working with the transform for double byte text streams	211
What are DBCS ASCII and EUC?	211
What font resources are needed to print DBCS ASCII and EUC?	212
Determining what code page your print jobs use and setting the correct environment variable	212
Working with the InfoPrint PPML transform program	213
Customizing the PPML transform	214
Sample PPML configuration file	214
Hierarchy of PPML transform options	214
Working with the XML transforms	215
Using the XML transforms with InfoPrint Manager	215
How do the XML transforms work?	216
Running the XML transforms	217
Capabilities and limitations	217
General capabilities and limitations for transforming all data	217
Capabilities and limitations for transforming data to AFP	217
Capabilities for transforming data to PDF	219
Customizing the XML transforms	219
Common customization tasks	219
Color management resource transform support	222
Submitting job using transforms for color management	222
Chapter 24. Understanding transforms and the configurable transform subsystem	225
Defining a transform sequence	226
Configuring transforms	227
Creating transforms	227
Associating a transform with an actual destination	231
Examples of creating transform objects	232
Creating a transform object to copy to a file without printing	232
Creating a transform object to convert data and print only smaller files	234
Creating a transform object that updates the job's page count	236
Using the transform_update utility	237
Netware.exe	238
Using the Netware print program	239
Chapter 25. Color and grayscale printing using AFP	241
InfoPrint AFP color and grayscale solutions	241
Color printing concepts	242
Color spaces and ICC profiles	242
Gamut and rendering intent	244
Color mixing and calibration	244
Halftones and tone transfer curves	245
File size	245
Grayscale printing concepts	246
Color management	247
ICC profiles	247
Rendering intents	248
Paper characteristics	249
AFP color management	249
Color management resources	249
Types of CMRs	250
CMR processing modes	254
CMR creation and installation	255
Data objects	256
Types of data objects	256
Data object creation and installation	257
Resource library management	258
Tips and best practices	259
Tips for images	259
Tips for resources	259
InfoPrint AFP color and grayscale products	260
Printers	260
InfoPrint 5000	261
InfoPrint 4100	261
InfoPrint 1xxx series	262
InfoPrint AFP Resource Installer	262
Print servers	263
InfoPrint Manager	263
InfoPrint ProcessDirector	263
AFP color solution scenarios	264
Printing high-quality grayscale output on an InfoPrint 4100 printer	264
Replacing pre-printed forms	266
Eliminating physical inserts	269
Related publications	270
Chapter 26. Working with fonts	273
Fonts for printing transformed PostScript and PDF data	273
Font mapping files	273
Creating a PostScript font mapping file	273
Using font-mapping files with the ps2afp or pdf2afp command	274
Specifying font substitution through initialization files	275
Using OpenType Fonts	275
Using the Resource Installer to install OpenType fonts	276
Using font capture with OpenType fonts	277
Enabling font capture for inline fonts	277
Using multiple fonts with limited printer memory	277
Using Unicode extended code pages	278
Updating the global search path on an InfoPrint Manager Windows server	278
Using OpenType fonts with line data	279
Limitations when printing line data with OpenType fonts	279
Line data using OpenType fonts supports using the Byte Order Mark (BOM) and little endian data	279
Fonts for printing DBCS ASCII and EUC	280
Fonts required to print a double-byte transformed file	280
Installing DBCS fonts on Windows	281
Setting up font resources for DBCS ASCII and EUC printing	281
Printing Japanese DBCS fonts at the end of a job	281
Fonts for printing line data	281
Printing with the DBCS Simulation Fonts with the font metric adjustment triplet	283
Chapter 27. Working with global resource identifiers	285
Uses of GRID files	285
GRID files that come with InfoPrint Manager	285
InfoPrint search order for GRID files	287
Understanding the general syntax rules and allowable values for GRID files	287
Syntax rules that apply to all types of GRID files	287
Allowable values for the charset.grd file	288
Allowable values for the codepage.grd file	288
Allowable values for the fgid.grd file	288
Allowable values for the cpgid.grd file	289
Modifying GRID files	289
Modifying the charset and codepage GRID files	289
Modifying the FGID and CPGID GRID files	290
Verifying the GRID files	291
Preventing InfoPrint from using GRID files	292
Using the 'no resident' version of the sample grid files	292
Chapter 28. Generating and submitting color mapping table source and output files	293
Parts of a color mapping table	293
Using source groups	293
Using target groups	294
Creating a color mapping table	295
Submitting jobs using a Color Mapping Table	297
Submitting jobs through the Windows command line	297
Configuring an actual destination with the InfoPrint Manager Administration GUI	297
Using the InfoPrint Select client with Color Mapping Tables	299
Chapter 29. Configuring the Halftone Management System	301
Limitations of actual screen frequencies and angles on InfoPrint 4000 and 4100 printers	301
Starting the Halftone Management System	302
Calibrating a densitometer	303
Calibrating a printer using the Halftone Management System	304
Defining InfoPrint Manager servers to the Halftone Management System client	304
Defining custom patch sets	304
Calibrating a halftone	305
Measuring optical density with a densitometer	308
Specifying a halftone for printing on the InfoPrint Manager server	308
Printing from InfoPrint Submit Express	308
Printing from the command line	309
Chapter 30. Submitting specialized print jobs	311
Submitting PSF printer input to a PCL or PPDS printer	311
Setting up PCL tray mappings	311
Printing PCL or PostScript to PSF destinations: specifying which paper bin to use	313
Determining bin mappings	314
PCL printing	314
PostScript printing	316
Editing configuration files	320
Creating a transform with bin mappings	320
Sending print jobs to InfoPrint Manager for Windows from an AIX system	321
Verify that the InfoPrint Manager LPD is running	322
Install and configure lprafp	323
Printing from ERP applications	323
Submitting ERP print jobs from a Windows system	323
Defining the Windows gateway printer	323
Adding the Windows gateway printer to the system you want to print from	324
Chapter 31. Configuring the InfoPrint 5000 Models AD1/AD2, AD3/AD4, AD3/AD4-XR3, AS1, AS3, KM3, KM3/MD4, MD3/MD4, VP V5/V6, a	325
Printing PDF and PostScript files on the InfoPrint 5000 printer Models AD1/AD2, AD3/AD4, AD3/AD4-XR3, AS1, AS3, KM3, KM3/MD4,	325
Running scripts before printing PDF and PostScript files	325
Part 4. Operator and User Procedures	327
Chapter 32. Setting up finishing options for specific printers	329
Setting up finishing options for IPDS-only printers	329
Telling InfoPrint Manager what options the finisher supports	329
Setting up InfoPrint Manager and clients to use finishing options	329
Using the pdpr command	329
Using a form definition	330
Using InfoPrint Submit Express	330
Using InfoPrint Select	330
Using a Windows gateway printer or the IPP gateway	331
Using MVS Download	331
Using InfoPrint Manager hot folders	332
Using InfoPrint Manager LPD and an LPR client	332
Selecting the correct finishing options	332
Paper fed LEF	332
Paper fed SEF	334
Staple positions for InfoPrint 2060ES, InfoPrint 2075ES, InfoPrint 2090ES, InfoPrint 2190, InfoPrint 2210, and InfoPrint 2235	335
Staple positions for InfoPrint 2105ES	336
Setting up finishing options for PS/PCL printers	336
Telling InfoPrint Manager what options the finisher supports	336
Setting up InfoPrint Manager and clients to use finishing options	337
Using the pdpr command	337
Using a form definition	337
Using InfoPrint Submit Express	338
Using InfoPrint Select	338
Using a Windows gateway printer or the IPP gateway	339
Using MVS Download	339
Using InfoPrint Manager hot folders	339
Using InfoPrint Manager LPD and an LPR client	340
Selecting the correct finishing options	340
Paper fed LEF	340
Paper fed SEF	340
Staple positions for InfoPrint 2085 and InfoPrint 2105	341
Staple positions for InfoPrint 2060ES, InfoPrint 2075ES, and InfoPrint 2090ES	341
Staple positions for InfoPrint 2105ES	342
Working with the InfoPrint Pro C900AFP finishing options	342
Working with punch options	342
Loading paper trays	343
Using output bins	344
Working with the binding options	344
Chapter 33. Setting up high speed printers for spacing	345
Enabling SNMP on an InfoPrint 2000 for AFP printing	345
Enabling SNMP on an InfoPrint 3000 or an InfoPrint 4000 printer that uses the operator console	345
Enabling SNMP on a printer that uses the Enhanced Operator Console	346
Chapter 34. General Operator and User Procedures	347
Turning duplexing on and off for the InfoPrint 45 and InfoPrint 70	347
Deleting orphan files and resubmitting jobs to MVS Download	348
Deleting orphaned files from the system	348
Resubmitting jobs	348
Using a Windows gateway printer	349
Adding a Windows gateway printer to a workstation	349
Adding an Internet Printing Protocol (IPP) gateway printer to your desktop	350
Submitting jobs through InfoPrint Manager hot folders	350
Mapping a network drive	350
Submitting jobs through a hot folder	351
Specifying job attributes	351
Staging jobs	351
Submitting multiple-document jobs	352
Submitting print jobs through the InfoPrint Manager LPD	352
Install and configure lprafp for Windows from the Web	353
Preparing to submit print jobs	353
Submitting print jobs	354
Checking job status	354
Checking status using notifications	354
Checking status from the Printers window	354
Interrupting and restarting a job that is currently printing on an InfoPrint 4000/4100	354
Interrupting a job that is currently printing	355
Restarting the interrupted job	355
Stopping, restarting, or pausing a job that is currently printing	356
Stopping the job	356
Restarting the job	356
Pausing a job that's printing	359
Pausing a job that's printing	359
Pausing and restarting an actual destination	359
Pausing an actual destination	359
Resuming the actual destination	360
Moving backward or forward in a job that is currently printing	360
Spacing a printer	360
Stopping a printer to perform scheduled maintenance	362
Fixing a printer problem and starting to print again	362
Try this first	362
Fixing more complicated problems	363
Restarting the job that was printing when the problem occurred	364
Using the correct halftones for the installed toner version	366
Part 5. Appendixes	367
Appendix A. IPDS print operator commands	369
Appendix B. IPDS error recovery	373
IPDS error recovery: Data stream errors	373
Data stream error example 1 (job continues printing):	374
Data stream error example 2 (job is terminated, no pages print):	374
Data stream error example 3 (job is terminated; some pages print):	375
IPDS error recovery: Insufficient memory in the printer	375
Insufficient memory in the printer exmple:	376
IPDS error recovery: Intervention required conditions	376
Example:	376
IPDS error recovery: Unrecoverable problems	377
Unrecoverable problem example:	377
Appendix C. Supported formatting objects	379
Appendix D. Accessibility	385
Notices	387
Trademarks	388
Glossary	391
Index	415
Special characters	415
A	415
B	415
C	416
D	416
E	417
F	417
G	418
H	418
I	418
J	419
K	419
L	419
M	419
N	420

Match case Limit results 1 per page

Security groups

No matter what size organization you work in, manually adding every user to

every ACL can be a time-consuming process. To reduce some of the work, you can

create

security groups

, groups of users who need to have the same levels of

permission for the same objects. You use the name of the security group like a user

ID; instead of adding each user ID to an ACL, you add the group name. For

example, if you want all of your help desk operators to be able to perform the

same operations, create a group and name it

helpdesk

. Then, add

helpdesk

to the

appropriate ACLs.

Important:

All fields, such as User IDs, group names, hostnames, and DNS

suffixes, are case sensitive.

When you install InfoPrint Manager, three security groups are created by default:

acl_admin

- Users who have authority to manage security by changing access

control lists and groups. The default members are

Administrator

@* and the user

who was logged on when InfoPrint Manager was installed (for example,

myuserid@*

admin-

Users who have administrator authority. The default members are

Administrator

@* and the user who was logged on when InfoPrint Manager was

installed (for example,

myuserid@*

oper-

Users who have operator authority. The default member is

Administrator@*

Note:

If you have installed InfoPrint Job Ticketer as part of the Print-on-Demand

feature, the

Job Ticketer

group is created. Unlike the other groups, there are

no default users created during installation. See

InfoPrint Job Ticketer:

Administrator's Guide

for more information.

You can modify these groups as needed. In the example above, you could

have simply added the help desk operators to the default

oper

group and

modified any permissions that weren't set to the level that you wanted them.

The default group members contain the wildcard character (*) for greater

flexibility. See below for more information about wildcarding. If you do not

want the Administrator user on other systems to be able to administer

InfoPrint Manager, replace the * with the explicit address of the system that

the InfoPrint Manager server is installed on, for example

[email protected]

You can add users to multiple groups, but you cannot make one group a member

of another group. For example, if you hire five new print operators, you might

create a group for them called

trainees

, since you only want them to have limited

permissions until they are finished with their training. When they finish their

training, you cannot add

trainees

as a member of the

operators

group. You will

have to add their user IDs to the operators group one at a time. In addition, you

will have to either delete the

trainees

group or delete the members from it—

otherwise those users will have conflicting levels of permission.

When users are members of more than one group and each group has a different

level of permission for a particular object, the most restrictive permission applies.

In the example above, if you forgot to remove the new employees from the

trainees

group at the end of their training, they wouldn't be able to perform the

tasks their job required- they would still be restricted.

Chapter 7. Managing security