administeringlabeled printing This chapter describes how to use Solaris Trusted Extensions software to configure labeled printing. It also describes how to configure print jobs without the labeling options.Labels, Printers, and Printing Managing Printing in Trusted Extensions (Task Map) Configuring Labeled Printing (Task Map) Reducing Printing Restrictions in Trusted Extensions (Task Map) printingmanaging usersaccessing printers usersprinting accessingprinters Trusted Extensions software uses labels to control printer access. Labels are used to control access to printers and to information about queued print jobs. The software also labels printed output. Body pages are labeled, and mandatory banner and trailer pages are labeled. Banner and trailer pages can also include handling instructions.System Administrator roleadministering printersSecurity Administrator roleadministering printer securityThe system administrator handles basic printer administration. The security administrator role manages printer security, which includes labels and how the labeled output is handled. The administrators follow basic Solaris printer administration procedures, then they assign labels to the print servers and printers.Trusted Extensions software supports both single-level and multilevel printing. Multilevel printing is implemented in the global zone only. To use the global zone's print server, a labeled zone must have a host name that is different from the global zone. One way to obtain a distinct host name is to assign an IP address to the labeled zone. The address would be distinct from the global zone's IP address.restrictingprinter access with labels restrictingaccess to printers with labels Users and roles on a system that is configured with Trusted Extensions software create print jobs at the label of their session. The print jobs can print only on printers that recognize that label. The label must be in the printer's label range.Users and roles can view print jobs whose label is the same as the label of the session. In the global zone, a role can view jobs whose labels are dominated by the label of the zone.Printers that are configured with Trusted Extensions software print labels on the printer output. Printers that are managed by unlabeled print servers do not print labels on the printer output. Such printers have the same label as their unlabeled server. For example, a Solaris print server can be assigned an arbitrary label in the tnrhdb database of the LDAP naming service. Users can then print jobs at that arbitrary label on the Solaris printer. As with Trusted Extensions printers, those Solaris printers can only accept print jobs from users who are working at the label that has been assigned to the print server. labelson printer output label_encodings filereference for labeled printing /usr/lib/lp/postscript/tsol_separator.ps filelabeling printer output files/usr/lib/lp/postscript/tsol_separator.ps tsol_separator.ps filecustomizing labeled printing security informationon printer output Trusted Extensions prints security information on body pages and banner and trailer pages. The information comes from the label_encodings file and from the tsol_separator.ps file.The security administrator can do the following to modify defaults that set labels and add handling instructions to printer output:Localize or customize the text on the banner and trailer pages Specify alternate labels to be printed on body pages or in the various fields of the banner and trailer pages Change or omit any of the text or labels The security administrator can also configure user accounts to use printers that do not print labels on the output. Users can also be authorized to selectively not print banners or labels on printer output.body pagesdescription of labeled labeled printingbody pages By default, the “Protect As” classification is printed at the top and bottom of every body page. The “Protect As” classification is the dominant classification when the classification from the job's label is compared to the minimum protect as classification. The minimum protect as classification is defined in the label_encodings file.For example, if the user is logged in to an Internal Use Only session, then the user's print jobs are at that label. If the minimum protect as classification in the label_encodings file is Public, then the Internal Use Only label is printed on the body pages.

Illustration shows a sample banner page with the label printed at the top and bottom of the page.

banner pagesdescription of labeled labeled printingbanner pages The following figures show a default banner page and how the default trailer page differs. Callouts identify the various sections. Note that the trailer page uses a different outer line.The text, labels, and warnings that appear on print jobs are configurable. The text can also be replaced with text in another language for localization.

banner pagestypical Illustration shows a banner page with job number, classifications, and handling instructions.

banner pagesdifference from trailer page Illustration shows that the trailer page reads JOB END, while the banner page reads JOB START at the bottom of the page.

localizingchanging labeled printer outputprintinglocalizing labeled outputprintinginternationalizing labeled outputprintingconfiguring labels and textprintingin local languagetsol_separator.ps fileconfigurable valuesThe following table shows aspects of trusted printing that the security administrator can change by modifying the /usr/lib/lp/postscript/tsol_separator.ps file.To localize or internationalize the printed output, see the comments in the tsol_separator.ps file. Output Default Value How Defined To Change PRINTER BANNERS /Caveats Job_Caveats /Caveats Job_Caveats See Specifying Printer Banners in Solaris Trusted Extensions Label Administration. CHANNELS /Channels Job_Channels /Channels Job_Channels See Specifying Channels in Solaris Trusted Extensions Label Administration. Label at the top of banner and trailer pages /HeadLabel Job_Protect def See /PageLabel description. The same as changing /PageLabel..Also see Specifying the Protect As Classification in Solaris Trusted Extensions Label Administration. Label at the top and bottom of body pages /PageLabel Job_Protect def Compares the label of the job to the minimum protect as classification in the label_encodings file. Prints the more dominant classification. Contains compartments if the print job's label has compartments. Change the /PageLabel definition to specify another value.Or, type a string of your choosing.Or, print nothing at all. Text and label in the “Protect as” classification statement /Protect Job_Protect def/Protect_Text1 () def/Protect_Text2 () def See /PageLabel description.Text to appear above label.Text to appear below label. The same as changing /PageLabel.Replace () in Protect_Text1 and Protect_Text2 with text string. printingPostScript restrictions in Trusted Extensions PostScript printing restrictions in Trusted Extensions authorizationsPrint Postscript Print PostScript authorization Labeled printing in Trusted Extensions relies on features from Solaris printing. In the Solaris OS, printer model scripts handle banner page creation. To implement labeling, a printer model script first converts the print job to a PostScript file. Then, the PostScript file is manipulated to insert labels on body pages, and to create banner and trailer pages.Solaris printer model scripts can also translate PostScript into the native language of a printer. If a printer accepts PostScript input, then Solaris software sends the job to the printer. If a printer does not accept PostScript input, then the software converts the PostScript format to a raster image. The raster image is then converted to the appropriate printer format.Because PostScript software is used to print label information, users cannot print PostScript files by default. This restriction prevents a knowledgeable PostScript programmer from creating a PostScript file that modifies the labels on the printer output.Security Administrator roleadministering PostScript restrictionThe Security Administrator role can override this restriction by assigning the Print PostScript authorization to role accounts and to trustworthy users. The authorization is assigned only if the account can be trusted not to spoof the labels on printer output. Also, allowing a user to print PostScript files must be consistent with the site's security policy.printingmodel scripts A printer model script enables a particular model of printer to provide banner and trailer pages. Trusted Extensions provides four scripts:tsol_standard - For directly attached PostScript printers, for example, printers attached by a parallel port tsol_netstandard - For network–accessible PostScript printers tsol_standard_foomatic - For directly attached printers that do not print PostScript format tsol_netstandard_foomatic - For network–accessible printers that do not print PostScript format The foomatic scripts are used when a printer driver name begins with Foomatic. Foomatic drivers are PostScript Printer Drivers (PPD). By default, “Use PPD” is specified in the Print Manager when you add a printer. A PPD is then used to translate banner and trailer pages into the language of the printer. printingadding conversion filters A conversion filter converts text files to PostScript format. The filter's programs are trusted programs that are run by the printer daemon. Files that are converted to PostScript format by any installed filter program can be trusted to have authentic labels and banner and trailer page text.System Administrator roleadding print conversion filtersSolaris software provides most conversion filters that a site needs. A site's System Administrator role can install additional filters. These filters can then be trusted to have authentic labels, and banner and trailer pages. To add conversion filters, see Chapter 7, Customizing Printing Services and Printers (Tasks), in System Administration Guide: Solaris Printing. administeringprinting interoperability with Trusted Solaris 8 printinginteroperability with Trusted Solaris 8 interoperabilityTrusted Solaris 8 and printing Trusted Solaris 8 and Trusted Extensions systems that have compatible label_encodings files and that identify each other as using a CIPSO template can use each other for remote printing. The following table describes how to set up the systems to enable printing. By default, users cannot list or cancel print jobs on a remote print server of the other OS. Optionally, you can authorize users to do so.Originating System Print Server System Action Results Trusted Extensions Trusted Solaris 8 Configure printing – In the Trusted Extensions tnrhdb, assign a template with the appropriate label range to the Trusted Solaris 8 print server. The label could be CIPSO or unlabeled. Trusted Solaris 8 printer can print jobs from a Trusted Extensions system within the printer's label range. Trusted Extensions Trusted Solaris 8 Authorize users – On the Trusted Extensions system, create a profile that adds the needed authorizations. Assign the profile to users. Trusted Extensions users can list or cancel print jobs that they send to a Trusted Solaris 8 printer.Users cannot view or remove jobs at a different label. Trusted Solaris 8 Trusted Extensions Configure printing – In the Trusted Solaris 8 tnrhdb, assign a template with the appropriate label range to the Trusted Extensions print server. The label could be CIPSO or unlabeled. Trusted Extensions printer can print jobs from a Trusted Solaris 8 system within the printer's label range. Trusted Solaris 8 Trusted Extensions Authorize users – On the Trusted Solaris 8 system, create a profile that adds the needed authorizations. Assign the profile to users. Trusted Solaris 8 users can list or cancel print jobs that they send to a Trusted Extensions printer.Users cannot view or remove jobs at a different label. The following user commands are extended to conform with Trusted Extensions security policy:cancel – The caller must be equal to the label of the print job to cancel a job. By default, regular users can cancel only their own jobs. lp – Trusted Extensions adds the o nolabels option. Users must be authorized to print with no labels. Similarly, users must be authorized to use the o nobanner option. lpstat – The caller must be equal to the label of the print job to obtain the status of a job. By default, regular users can view only their own print jobs. The following administrative commands are extended to conform with Trusted Extensions security policy. As in the Solaris OS, these commands can only be run by a role that includes the Printer Management rights profile.lpmove – The caller must be equal to the label of the print job to move a job. By default, regular users can move only their own print jobs. lpadmin – In the global zone, this command works for all jobs. In a labeled zone, the caller must dominate the print job's label to view a job, and be equal to change a job.Trusted Extensions adds printer model scripts to the m option. Trusted Extensions adds the o nolabels option. lpsched – In the global zone, this command is always successful. As in the Solaris OS, use the svcadm command to enable, disable, start, or restart the print service. In a labeled zone, the caller must be equal to the label of the print service to change the print service. For details about the service management facility, see the smf5, svcadm1M, and svcs1 man pages. Trusted Extensions adds the solaris.label.print authorization to the Printer Management rights profile. The solaris.print.unlabeled authorization is required to print body pages without labels. tasks and task mapsManaging Printing in Trusted Extensions (Task Map) administeringprinting in Trusted Extensions Managing Printing in Trusted Extensions (Task Map) Trusted Extensions procedures for configuring printing are performed after completing Solaris printer setup. The following task map points to the major tasks that manage labeled printing.Task Description For Instructions Configure printers for labeled output. Enables users to print to a Trusted Extensions printer. The print jobs are marked with labels. Configuring Labeled Printing (Task Map) Remove visible labels from printer output. Enables users to print at a specific label to a Solaris printer. The print jobs are not marked with labels.Or, prevents labels from printing on a Trusted Extensions printer. Reducing Printing Restrictions in Trusted Extensions (Task Map) configuringlabeled printing tasks and task mapsConfiguring Labeled Printing (Task Map) Configuring Labeled Printing (Task Map) The following task map describes common configuration procedures that are related to labeled printing.Printer clients can only print jobs within the label range of the Trusted Extensions print server. Task Description For Instructions Start the Print Manager. Uses a GUI to identify the printer to the network or to the local system. The system administrator starts the GUI in an administrative role workspace. Chapter 4, Setting Up Printers (Tasks), in System Administration Guide: Solaris Printing Configure printing from the global zone. Creates a multilevel print server in the global zone. How to Configure a Multilevel Print Server and Its Printers Configure printing from a labeled zone. Creates a single–label print server for a labeled zone. How to Configure a Zone for Single-Label Printing Configure a multilevel print client. Connects a Trusted Extensions host to a printer. How to Enable a Trusted Extensions Client to Access a Printer Restrict the label range of a printer. Limits a Trusted Extensions printer to a narrow label range. How to Configure a Restricted Label Range for a Printer printingconfiguring for multilevel labeled output multilevel printingconfiguring Trusted Network Zones toolconfiguring a multilevel print server Printers that are managed by a Trusted Extensions print server print labels on body pages, banner pages, and trailer pages. Such printers can print jobs within the label range of the print server. Any Trusted Extensions host that can reach the print server can use the printers that are connected to that server. Determine the print server for your Trusted Extensions network. You must be in the System Administrator role in the global zone on this print server. Start the Solaris Management Console.For details, see How to Administer the Local System With the Solaris Management Console. Choose the Files toolbox.The title of the toolbox includes Scope=Files, Policy=TSOL. Enable multilevel printing by configuring the global zone with the print server port, 515/tcp.Create a multilevel port (MLP) for the print server by adding the port to the global zone.Navigate to the Trusted Network Zones tool. In the Multilevel Ports for Zone's IP Addresses, add 515/tcp. Click OK. Define the characteristics of the connected printers.Start the Print Manager. Define the make and model of a connected printer.In the Print Manager, you supply the values for the first two fields, then the Print Manager supplies the driver name. Printer Make manufacturer Printer Model manufacturer-part-number Printer Driver automatically filled in Assign a printer model script to each printer that is connected to the print server.The model script activates the banner and trailer pages for the specified printer.For your choice of scripts, see Printer Model Scripts. If the driver name for the printer starts with Foomatic, then specify one of the foomatic model scripts. Use the following command:$ lpadmin -p printer -m modelIf the default printer label range of ADMIN_LOW to ADMIN_HIGH is acceptable for every printer, then your label configuration is done. Limit printer label range – How to Configure a Restricted Label Range for a Printer Prevent labeled output – Reducing Printing Restrictions in Trusted Extensions (Task Map) Use this zone as a print server – How to Enable a Trusted Extensions Client to Access a Printer Finish printer setup – Chapter 4, Setting Up Printers (Tasks), in System Administration Guide: Solaris Printing printingconfiguring labeled zone single-label printingconfiguring for a zone The zone must not be sharing an IP address with the global zone. You must be in the System Administrator role in the global zone. Add a workspace.For details, see How to Add a Workspace at a Particular Label in Solaris Trusted Extensions User’s Guide. Change the label of the new workspace to the label of the zone that will be the print server for that label.For details, see How to Change the Label of a Workspace in Solaris Trusted Extensions User’s Guide. Define the characteristics of the connected printers.At the label of zone, start the Print Manager.By default, the “Use PPD” checkbox is selected. The system finds the appropriate driver for the printer. To specify a different printer driver, do the following:Remove the check from “Use PPD”. Define the make and model of the printer that uses a different driver.In the Print Manager, you supply the values for the first two fields, then the Print Manager supplies the driver name. Printer Make manufacturer Printer Model manufacturer-part-number Printer Driver automatically filled in Assign a printer model script to each printer that is connected to the zone.The model script activates the banner and trailer pages for the specified printer.For your choices of scripts, see Printer Model Scripts. If the driver name for the printer starts with Foomatic, then specify one of the foomatic model scripts. Use the following command:$ lpadmin -p printer -m modelThe attached printers can print jobs only at the label of the zone. Prevent labeled output – Reducing Printing Restrictions in Trusted Extensions (Task Map) Use this zone as a print server – How to Enable a Trusted Extensions Client to Access a Printer Finish printer setup – Chapter 4, Setting Up Printers (Tasks), in System Administration Guide: Solaris Printing printingconfiguring for print client multilevel printingaccessing by print client Initially, only the zone in which a print server was configured can print to the printers of that print server. The system administrator must explicitly add access to those printers for other zones and systems. The possibilities are as follows:For a global zone, add access to the printers that are connected to a global zone on a different system. For a labeled zone, add access to the printers that are connected to the global zone of its system. For a labeled zone, add access to a printer that a remote zone at the same label is configured for. For a labeled zone, add access to the printers that are connected to a global zone on a different system. A print server has been configured with a label range or a single label, and the printers that are connected to it have been configured. For details, see the following:How to Configure a Multilevel Print Server and Its Printers How to Configure a Zone for Single-Label Printing How to Assign a Label to an Unlabeled Print Server You must be in the System Administrator role in the global zone, or be able to assume the role. Complete the procedures that enable your systems to access a printer.To use the Print Manager instead of the lpadmin command, see Example 21–1.Configure the global zone on a system that is not a print server to use another system's global zone for printer access.On the system that does not have printer access, assume the System Administrator role. Add access to the printer that is connected to the Trusted Extensions print server.$ lpadmin -s printer Configure a labeled zone to use its global zone for printer access.Change the label of the role workspace to the label of the labeled zone.For details, see How to Change the Label of a Workspace in Solaris Trusted Extensions User’s Guide. Add access to the printer.$ lpadmin -s printer Configure a labeled zone to use another system's labeled zone for printer access.The labels of the zones must be identical.On the system that does not have printer access, assume the System Administrator role. Change the label of the role workspace to the label of the labeled zone. Add access to the printer that is connected to the print server of the remote labeled zone.lpadmin -s printer Configure a labeled zone to use an unlabeled print server for printer access.The label of the zone must be identical to the label of the print server.On the system that does not have printer access, assume the System Administrator role. Change the label of the role workspace to the label of the labeled zone.For details, see How to Change the Label of a Workspace in Solaris Trusted Extensions User’s Guide. Add access to the printer that is connected to the arbitrarily labeled print server.$ lpadmin -s printer Rather than run the lpadmin command, choose the Printers –> Add Access to Printer from the Print Manager. The Print Manager must be started in the same zone at the same label as the lpadmin -s  printer command. restrictingprinter label range label rangesrestricting printer label range printingrestricting label range The default printer label range is ADMIN_LOW to ADMIN_HIGH. This procedure narrows the label range for a printer that is controlled by a Trusted Extensions print server. You must be in the Security Administrator role in the global zone. Start the Device Allocation Manager.Choose the Allocate Device option from the Trusted Path menu. In Trusted CDE, launch the Device Allocation Manager action from the Tools subpanel on the Front Panel. Click the Device Administration button to display the Device Allocation: Administration dialog box. Type a name for the new printer.If the printer is attached to your system, find the name of the printer. Click the Configure button to display the Device Allocation: Configuration dialog box. Change the printer's label range.Click the Min Label button to change the minimum label.Choose a label from the label builder. For information about the label builder, see Label Builder in Trusted Extensions. Click the Max Label button to change the maximum label. Save the changes.Click OK in the Configuration dialog box. Click OK in the Administration dialog box. Close the Device Allocation Manager. administeringunlabeled printing authorizingunlabeled printing authorizingPostScript printing unlabeled printingconfiguring customizingunlabeled printing tasks and task mapsReducing Printing Restrictions in Trusted Extensions (Task Map) Reducing Printing Restrictions in Trusted Extensions (Task Map) The following tasks are optional. They reduce the printing security that Trusted Extensions provides by default when the software is installed.Task Description For Instructions Configure a printer to not label output. Prevents security information from printing on body pages, and removes banner and trailer pages. How to Remove Labels From Printed Output Configure printers at a single label without labeled output. Enables users to print at a specific label to a Solaris printer. The print jobs are not marked with labels. How to Assign a Label to an Unlabeled Print Server Remove visible labeling of body pages. Modifies the tsol_separator.ps file to prevent labeled body pages on all print jobs that are sent from a Trusted Extensions host. How to Remove Page Labels From All Print Jobs Suppress banner and trailer pages. Authorizes specific users to print jobs without banner and trailer pages. How to Suppress Banner and Trailer Pages for Specific Users Enable trusted users to print jobs without labels. Authorizes specific users or all users of a particular system to print jobs without labels. How to Enable Specific Users to Suppress Page Labels Enable the printing of PostScript files. Authorizes specific users or all users of a particular system to print PostScript files. How to Enable Users to Print PostScript Files in Trusted Extensions Assign printing authorizations. Enables users to bypass default printing restrictions. How to Create a Rights Profile for Convenient AuthorizationsHow to Modify policy.conf Defaults printingpreventing labels on output removinglabels on printer output Printers that do not have a Trusted Extensions printer model script do not print labeled banner or trailer pages. The body pages also do not include labels. You must be in the Security Administrator role in the global zone. At the appropriate label, do one of the following:From the print server, stop banner printing altogether.% lpadmin -p printer -o nobanner=neverBody pages are still labeled. Set the printer model script to a Solaris script.% lpadmin -p printer \ -m { standard | netstandard | standard_foomatic | netstandard_foomatic }No labels appear on printed output. printingusing a Solaris print server printinglabeling a Solaris print server A Solaris print server is an unlabeled print server that can be assigned a label for Trusted Extensions access to the printer at that label. Printers that are connected to an unlabeled print server can print jobs only at the label that has been assigned to the print server. Jobs print without labels or trailer pages and might print without banner pages. If a job prints with a banner page, the page does not contain any security information.A Trusted Extensions system can be configured to submit jobs to a printer that is managed by an unlabeled print server. Users can print jobs on the unlabeled printer at the label that the security administrator assigns to the print server. You must be in the Security Administrator role in the global zone. Open the Solaris Management Console in the appropriate scope.For details, see Initialize the Solaris Management Console Server in Trusted Extensions. Under System Configuration, navigate to the Computers and Networks tool.Provide a password when prompted. Assign an unlabeled template to the print server.For details, see How to Assign a Security Template to a Host or a Group of Hosts.Choose a label. Users who are working at that label can send print jobs to the Solaris printer at the label of the print server. Pages do not print with labels, and banner and trailer pages are also not part of the print job. printingconfiguring public print jobs printingpublic jobs from a Solaris print server Files that are available to the general public are suitable for printing to an unlabeled printer. In this example, marketing writers need to produce documents that do not have labels printed on the top and bottom of the pages.The security administrator assigns an unlabeled host type template to the Solaris print server. The template is described in Example 19–6. The arbitrary label of the template is PUBLIC. The printer pr-nolabel1 is connected to this print server. Print jobs from users in a PUBLIC zone print on the pr-nolabel1 printer with no labels. Depending on the settings for the printer, the jobs might or might not have banner pages. The banner pages do not contain security information. printingwithout page labels labelsprinting without page labels body pagesunlabeled for all users system filesTrusted Extensions tsol_separator.ps This procedure prevents all print jobs on a Trusted Extensions printer from including visible labels on the body pages of the print job. You must be in the Security Administrator role in the global zone. Edit the /usr/lib/lp/postscript/tsol_separator.ps file.Use the trusted editor. For details, see How to Edit Administrative Files in Trusted Extensions. Find the definition of /PageLabel.Find the following lines:%% To eliminate page labels completely, change this line to %% set the page label to an empty string: /PageLabel () def /PageLabel Job_PageLabel defThe value Job_PageLabel might be different at your site. Replace the value of /PageLabel with a set of empty parentheses./PageLabel () def body pagesunlabeled for specific users This procedure enables an authorized user or role to print jobs on a Trusted Extensions printer without labels on the top and bottom of each body page. Page labels are suppressed for all labels at which the user can work. You must be in the Security Administrator role in the global zone. Determine who is permitted to print jobs without page labels. Authorize those users and roles to print jobs without page labels.Assign a rights profile that includes the Print without Label authorization to those users and roles. For details, see How to Create a Rights Profile for Convenient Authorizations. Instruct the user or role to use the lp command to submit print jobs:% lp -o nolabels staff.mtg.notes banner pagesprinting without labels labeled printingwithout banner page printingwithout labeled banners and trailers solaris.print.nobanner authorization Print without Banner authorization authorizationssolaris.print.nobanner o nobanner option to lp command actionsPrint Manager Print Manager actionAlways Print Banner checkbox Always Print Banner checkbox The Always Print Banner checkbox in the Print Manager dialog box does not contain a checkmark. Window part shows the Always Print Banner without a checkmark. You must be in the Security Administrator role in the global zone. Create a rights profile that includes the Print without Banner authorization.Assign the profile to each user or role that is allowed to print without banner and trailer pages.For details, see How to Create a Rights Profile for Convenient Authorizations. Instruct the user or role to use the lp command to submit print jobs:% lp -o nobanner staff.mtg.notes administeringPostScript printing filesPostScript PostScriptenabling to print labeled printingPostScript files printingPostScript files solaris.print.ps authorization Print PostScript authorization authorizationssolaris.print.ps authorizationsPrint PostScript You must be in the Security Administrator role in the global zone. Use one of the following three methods to enable users to print PostScript files:files/etc/default/print/etc/default/print filesystem filesSolaris /etc/default/printTo enable PostScript printing on a system, modify the /etc/default/print file.Create or modify the /etc/default/print file.Use the trusted editor. For details, see How to Edit Administrative Files in Trusted Extensions. Type the following entry:PRINT_POSTSCRIPT=1 Save the file and close the editor. files/etc/security/policy.conf/etc/security/policy.conf fileenabling PostScript printingsystem filesSolaris policy.confTo authorize all users to print PostScript files from a system, modify the /etc/security/policy.conf file.Modify the policy.conf file.Use the trusted editor. For details, see How to Edit Administrative Files in Trusted Extensions. Add the solaris.print.ps authorization.AUTHS_GRANTED=other-authorizations,solaris.print.ps Save the file and close the editor. To enable a user or role to print PostScript files from any system, give just those users and roles the appropriate authorization.Assign a profile that includes the Print PostScript authorization to those users and roles. For details, see How to Create a Rights Profile for Convenient Authorizations. In the following example, the security administrator has constrained a public kiosk to operate at the PUBLIC label. The system also has a few icons that open topics of interest. These topics can be printed.The security administrator creates an /etc/default/print file on the system. The file has one entry to enable the printing of PostScript files. No user needs a Print PostScript authorization.# vi /etc/default/print # PRINT_POSTSCRIPT=0 PRINT_POSTSCRIPT=1