Internal users (users managed by PaperCut NG/MF)

Internal users are user accounts that exist only inside PaperCut NG/MF and are independent of the domain, network or operating system. Internal users are managed inside PaperCut NG/MF, which means you do not need to create or manage them in an external user directory.

There are several ways you can use this feature:

You can give selected staff the ability to create internal user accounts. This gives staff control over who can receive a new account, preventing the creation of unwanted accounts (e.g. with offensive usernames).
You can give users the ability to create their own internal accounts via a web based registration form. This is useful for providing guests the ability to register their own accounts and begin printing immediately, removing the need for staff intervention.
Administrators can create a new batch of internal users via a text based file import. You can use this file to import or update a set of users who are managed separately to the regular domain users. For more information about the internal users batch import and update feature, see Batch internal user import and update.

The following sections present several different environments and how you can use the internal users feature to accommodate them. For information about specific configuration, Internal users options provides full details about each available option.

IMPORTANT

Usernames are stored in PaperCut NG/MF as all lower case, regardless of the capitalization when the username is created. Entry of a username by an end user, however, is not case sensitive as it is converted to lowercase before the account is validated.

Implementation by example

Several examples are provided below demonstrating how the internal user feature can be applied.

IMPORTANT

In PaperCut NG/MF all internal usernames must only contain characters that can be printed (e.g. not newline) and must not contain /, \ or @.

Scenario One: Manually managed guest accounts

North Shore University has a campus that occasionally hosts students from other universities. These guest students do not have a login in the universities domain, and it is considered too much effort to go through "official channels" to create one for them.

The administrator wants to provide selected staff the ability to create PaperCut NG/MF accounts for these guest students as needed. To go about this, the administrator performs the following:

The guest students are first provided with access to computers or network resources using the generic login guest, password guest.
Click the Users tab.

The User List page is displayed.
Select the guest user.
In the Advanced Options area, select the Unauthenticated user (enable popup authenticationPopup authentication involves matching the source IP address of the print job with the user confirmed to be operating from the popup client IP address. Authentication is provided by the PaperCut NG client software in the form of a popup dialog requesting a username and password. To print with popup authentication the client software must be running on the workstations or laptops.) check box.
Click OK.
Select Options > User/Group Sync.

The User/Group Sync page is displayed.
In the Internal User Options area, select the Enable internal users check box.
In Access control, select Only admins can create users.
In Confirmation message, enter a tailored conformation message to provide relevant information, such as how to log in.
Click Apply.
PaperCut NG/MF administrator access is assigned to the staff who are responsible for creating the new student guest accounts. The administrator right Create internal users is required for this purpose. For more information about assigning administrator rights see Assign administrator level access.
Ensures that the PaperCut NG/MF client software is running on workstations where guest printing is allowed.

The system is now configured to allow selected staff the ability to create internal accounts for the guest students. When a guest student prints from the generic guest login, the PaperCut NG/MF User ClientThe User Client tool is an add-on that resides on a user's desktop. It allows users to view their current account balance via a popup window, provides users with the opportunity to confirm what they are about to print, allows users to select shared accounts via a popup, if administrators have granted access to this feature, and displays system messages, such as the "low credit" warning message or print policy popups. displays the authentication popup. This allows them to enter their personal username and password, assigned by the administrator when registering their internal user accountInternal users are user accounts that exist only inside PaperCut and are independent of the domain, network, or operating system. Internal user accounts can be self-registered, manually managed, or for non-domain Windows workgroups. Self-registered accounts are created by the user. These are suitable when there are a large number of guest users, for example, a public library. Manually managed accounts are created by the PaperCut administrator. These are suitable when there are only a small number of guest accounts and the administrator wants to control these accounts. Suitable in an environment with a small number of guests..

Staff can create an internal user account for a guest student as follows:

Click the Users tab.

The User List page is displayed.
In the Actions menu, click Create internal user.

The Create Internal User page is displayed.
Complete the details; then click Register.

Scenario Two: Automated guest management (self-registration)

West Face College is a large community college that regularly has members of the public visiting to use the library resources.

It is not feasible to create a domain login for every visitor, and manually creating an internal user account for each guest would require too much time of the administrators or staff, so the decision is made to automate the process and allow guests to register their own internal user accounts.

To set up the internal users feature and allow guest self-registration, the administrator performs the following:

The guests are first provided with access to computers or network resources using the generic login guest, password guest.
Click the Users tab.

The User List page is displayed.
Select the guest user.
In the Advanced Options area, select the Unauthenticated user (enable popup authentication) check box.
Click OK.
Select Options > User/Group Sync.

The User/Group Sync page is displayed.
In the Internal User Options area, select the Enable internal users check box.
In Access control, select Users can register their own account.
Select the Display registration links on login screens check box so that users have easy access to the registration interface.
In Link text, enter Guests click here to register, to provide a better clue for guests.
In Additional registration instructions, add more information about the organization's printing policy, how to access printing resources, etc. Also add a note to specify that only guests need to register to access printing resources - students or users with existing accounts do not need to register.
Click Apply.
Ensure that the PaperCut NG/MF client software is running on workstations where guest printing is allowed.
Creates an information sheet for guests, providing instructions about how to register, how to print, and where to find additional help. Most people do not need this type of information to work out how to use the system for themselves, but some people appreciate step-by-step instructions.

The system is now configured to allow guests to register their own internal user accounts. When a guest user prints from the generic guest login, the PaperCut NG/MF User Client displays the authentication popup. This allows them to enter their personal username and password, chosen when registering their internal user account.

For a guest to create an internal user account, they must:

Click the Register as a New User link on a login screen (the web interface login screen, or on the authentication popup), or access the registration web interface directly at http://[server-name]:9191/register.
Complete the from; then click Register.

Scenario Three: Managing users in a non-domain environment

Southmark Inc. is a medium sized ten person real estate office servicing their local area. Their network consists of a mix of Windows 7 and 8.1 workstations connected to a workgroup based network. No user directory / domain exists, and setting one up is not a current priority. They want to take control of their printing costs and volumes, and use PaperCut NG/MF to identify the amount of printing performed by each staff member.

Because no user directory exists, PaperCut NG/MF is used to maintain user accounts, details and passwords for all staff. To set this up, the administrator performs the following:

Select Options > User/Group Sync.

The User/Group Sync page is displayed.
In the Internal User Options area, select the Enable internal users check box.
In Prefix usernames with, delete the value. There is no need for an internal username prefix, because all users are internal!
Collect a chosen username and password from each staff member. This is used to construct a batch import file, using the format specified in Batch internal user import file format.
Import the batch file into PaperCut NG/MF using server-command to create a new internal user account for each staff member, following the directions in Batch internal user import and update.
Follow the directions in User Client to deploy the client software to each workstation in the office.
When staff send print jobs from their workstations, they arrive at the print serverA print server is a system responsible for hosting print queues and sharing printer resources to desktops. Users submit print jobs to a print server rather then directly to the printer itself. A print server can be a dedicated server but on many networks this server also performs other tasks, such as file serving under the generic guest username. The administrator marks this generic account as Unauthenticated using the PaperCut NG/MF Admin web interface. This option is available on the User Details page.

The batch of internal user accounts has now been imported, ready for the staff to use them. When a staff member next sends a print job, the PaperCut NG/MF User Client displays the authentication popup. This allows them to enter their personal username and password, provided to them on arrival, having been assigned by the administrator in the batch import file.

Internal user options

To configure internal users:

Select Options > User/Group Sync.

The User/Group Sync page is displayed.
In the Internal User Options area, click the Enable internal users check box.

The internal user options are displayed.
Complete the following fields as appropriate:
- Access control—determines who can create internal users. The available options are:
  - Users can register their own account—a web based interface is available for users to register their own account. This allows users to register their own accounts without intervention from staff or administrators.
  - Only admins can create users—only administrators can create users. Internal users are created in the Admin web interface under Users > Create Internal User. For information about delegating this access to additional users see Assign administrator level access.
- Display registration links on login screens - When enabled, PaperCut NG/MF login screens display a Register as a New User link. Clicking this link takes the user to the web based registration interface, allowing the user to create their own internal user account. If disabled, registration links are not displayed, and users can access the web based registration interface only by navigating to the URL at http://[server-name]:9191/register.
- Link text—The text used for registration links on login screens. The default link text is Register as a New User. An example of alternate link text might be Guests click here to register.
- Additional registration instructions—Allows providing additional instructions to users when registering, and are displayed above the web based registration form. Specific instructions will vary from site to site, but could include information such as how to log in and print, how to add credit to their account, or where to find additional help.
- User must enter an email address—Requires the user to enter an email address. If disabled, entering an email address is optional.
- Allow user to choose their own identity number—The user can enter/choose their own identity number. The chosen identity number must be at least 6 digits, and must be unique. If disabled, a unique identity number is automatically generated for the user. Use identity numbers for logging into some devices where only a numeric keypad is available.
- Allow user to choose their own ID PIN— The user can enter/choose their own ID PIN. The chosen PIN must be at least 4 digits. If disabled, a random PIN is automatically generated for the user.
- Prefix usernames with: (optional)—This prefix is applied to the username of all users registering via the web based interface. E.g. if a user chooses the name john, and the username prefix is guest-, their allocated username is guest-john. This prevents name clashes with existing or future users from the configured user/group sync source, and immediately identifies the user as being internal.
- Confirmation message—This message is displayed to the user after they have completed registration. It can also be emailed to the user (see next option).
- Also email confirmation message to user—The confirmation message is emailed to the user after registration (if an email address was provided).
Click OK.

NOTE

An alternative to the PaperCut NG/MF User Client's authentication popup is to use a print Release StationPrint Release Stations place a print job on hold and allow users to release it when required. Often a Release Station is a dedicated PC terminal located next to the printers, however, Release Stations can take other forms such as a web browser based interface. Some common examples where Release Stations can be used include secure printing, approved printing, and authentication. In a secure printing environment jobs are only printed when the user arrives at the print area and confirms his or her identity. This ensures the user is there to collect the job and other users can't "accidentally" collect the document. In some organizations it may be appropriate to hold jobs until they are approved by selected individuals. A good example would be a teacher approving printing on an expensive color printer. Hold/Release queues can be used as a form of authentication in an unauthenticated environment. Users must authenticate prior to releasing their jobs allowing PaperCut NG to confirm their identity. in Release Any mode. After ensuring that guest users have their own internal account, this allows users to submit a print job under a guest/generic login, then authenticate at the Release Station and choose which job(s) they want to release. For more information about setting up a Release Station see Secure print release.
To delete an internal user, navigate to their User Details page in the Admin web interface by clicking the user in the User List, then select the Delete user item from the Actions list. The domain/network-level Synchronize user and group details settings and operations do not affect and do not delete internal users.
The special [Internal Users] group contains all internal users. You can use it to produce reports showing information about internal users, or to apply a bulk user operation on all internal users.

Changing internal user passwords

Both internal users and administrators can change their own password.

Administrators can reset the password on the User Details page in the Admin web interface. In the Internal User Settings area, click the Change Password link.
The internal user can reset their password on the User Web pages by clicking Change Details.

TIP
Administrators can turn on or off the ability for internal users to change their password by using the Config EditorThe Config Editor stores information used by PaperCut to configure advanced options and functions. This information is stored in config keys, which are editable by an administrator. and modifying the key: internal-users.user-can-change-password

Batch internal user import and update

TIP

This section covers the batch importing and updating of internal users. Internal users are managed internally by PaperCut NG/MF. For more information about internal users, see Internal users (users managed by PaperCut NG/MF).

For information about importing and updating regular users, see Batch import and update user data.

The batch internal user import and update feature allows the administrator to import users, user information and optionally update existing internal user details by reading data from a simple text file. In addition to being able to create internal users, it enables administrators to update the following user data:

Password
Credit balance
Restriction status
Full name
Email address
Department
Office
Card/ID Number
Card/ID PIN
Notes
Secondary Card/ID Number
Home folder

IMPORTANT

You can delete an internal user by selecting the Delete user action while viewing the user. You can delete multiple users selecting Bulk user actions; then selecting all internal users.

Examples of where the batch user import feature is useful include:

Several guests to the organization are arriving at the same time and require their own accounts in PaperCut NG/MF.
A set of users needs to be managed separately / externally to the existing user directory source. For example, the users of a certain computer lab require their own accounts in PaperCut NG/MF, but it is not possible to create accounts for them in the existing user directory.
Details for existing internal users needs to be updated.

To perform a batch internal user import:

Manually inspect your file in a text editor and ensure it's in the prescribed tab-delimited format as detailed at Batch internal user import file format.
Follow the directions in Server commands (server-command) to run the server-command batch-import-internal-users.

For example, to import/update internal users from a file import.tsv on a Windows system:

C:\> cd "C:\Program Files\PaperCut NG/MF\server\bin\win"

server-command batch-import-internal-users "C:\extra users\import.tsv"

Note: Quote the import path if it contains spaces.

On a Mac OS X system:

mac-server:~ jason$ cd "/Applications/PaperCut NG/MF/server/bin/mac/"

mac-server:mac jason$ ./server-command batch-import-internal-users /path/to/the/file/import.tsv

If your import path has spaces, remember to escape them if you don't use quotes:

/path/to\ the\ file/import.tsv
The import process will start running in the background. See the App. Log tab in the Admin web interface to check the status of the import or if any errors were encountered.

CAUTION

Batch imports are a major operation, modifying data en masse. Best practice suggests:

Always run a backup before proceeding with the import.
First experiment/test the import process with a small batch of users before moving onto the full batch.

Batch internal user import file format

The import file is in tab delimited format and contains the following fields in the given order:

Internal User Import File Format
No.	Field	Description	Optional?	Limitations
1.	Username	The internal user's username. If the policy is to use a username prefix for internal users, include the prefix here (e.g. guest-user123).	Mandatory	Max. 50 characters
2.	Password	The user's password	Optional - although internal users cannot log in without a password
3.	Credit Balance	The user's credit balance	Optional - balance not set if blank	A number with no currency symbol or separators, using a full stop for the decimal separator. Correct: 1.23 Incorrect: $1.23 or 1,23 or 1,023.00
4.	Restricted Status	The user's restricted status. (Y/N)	Optional - restricted status not set if blank
5.	Full Name	The user's full name	Optional - full name not set if blank	Max. 255 characters
6.	Email	The user's email address	Optional - email not set if blank	Max. 255 characters
7.	Department	The user's department or faculty	Optional - department not set if blank	Max. 200 characters
8.	Office	The user's office or location	Optional - office not set if blank	Max. 200 characters
9.	Primary Card/ID Number	The user's primary identity/card number	Optional - card/id number not set if blank	Max. 200 characters, case insensitive
10.	Card/ID PIN	The user's card PIN number	Optional - card/id PIN not set if blank. If the field is '-' then the PIN is set to zero.	Max. 20 digits
11.	Notes	Notes about the user.	Optional - notes not set if blank	Max. 2000 characters
12.	Secondary Card/ID Number	The user's secondary identity/card number	Optional - card/id number not set if blank	Max. 100 characters, case insensitive
13.	Home folder	The user’s home folder	Optional - required for scanning to a user’s home folder.	Max. 256 characters

Other limitations: Although any actual limit to the size of an import file should be large enough for any purpose, we recommend keeping the file size below 10MB.

TIP

If an optional field is not specified in the import file then it is not updated. To remove or "blank out" an existing value, use a single "-" (hyphen / dash).
A simple way to create a tab delimited file is to create a spreadsheet in Microsoft Excel, then save it in the Text (Tab delimited) format.

For some examples of using tab-delimited files, see Import File Format Examples.