I hope I am MIS-understanding the "design" of IPrint regarding rights.
Please help clarify something for me.

Existing structure:
40 Netware 6.5 servers (one per location) running SP1 with IPrint installed
and functioning (not an easy task, thanks).
70% of workstations are Win98 running NWClient 3.1 SP3 / 30% are WinXP
running NWClient 4.83 SP1
Queue-based with "default rights" meaning users can delete their own print
jobs - no one elses'. IPrint/NDPS is
installed, but not being used as of yet.

Desired Direction:
Migrating to IPrint-based printing. I made a promise to management of the
school district that with my new IPrint
implementation that anyone would be able to delete anyones' print job (a
management "demand" in approving the request - - not my
idea of smart, but required by them none-the-less). This came about because
students were printing "junk" and
teachers could not delete jobs and needed to call our Help Desk to get jobs
cleaned out of queues).

My plan was to use IManager to grant the "Print Operator" assignment to the
"top of the EDIR tree" for each
IPrint printer (and all future printers) so all current (and future)
employees were "Print Operators" and therefore can delete
print jobs regardless of their location in the OU structure and regardless
if they CREATED the print job or not. Teachers (or staff) would go to the
http://mycompany.com/ipp site for us, click on the "information-little-i"
icon, choose "job list" and delete/hold as desired.

I am shocked (and disappointed) to discover this does not appear possible
without making every printer "high security"
and therefore requiring AUTHENTICATION and SSL ENCRYPTION. What???????!!!
Why are printer rights
"tied" to RE-authenticaion and data encryption???? They are two totally
different goals and standards in my mind. Testing so far indicates
that I can assign "Print Operator" in "Access Control" in IManager to
whomever , but it is totally ignored until I make
the printer "high security". Something about Novell using LDAP instead of
EDIR as the authentication method
(ahem... why?!?... my EDIR is your flagship authentication mega-master
directory -- can we USE IT please? And since my
users have already authenticated to Novell to login can we USE that
authentication (silently) as well please?)

One suggestion might be make all printers "high security" and use
NetIdentity Agent, but we are a ZEN customer
and ***Novell*** NetIdentity does not work with ***Novell*** Workstation
Manager from what I understand. Sigh.....

Tell me I am missing something here. I cannot believe this is the mess I
am left with - - I must be wrong somewhere
along the line.

Thanks for any input / solutions / or confirmation-of-the-madness any of you
can provide.