diff --git a/models/users.model b/models/users.model
index a3f4ba1bd..e4fe9d226 100644
--- a/models/users.model
+++ b/models/users.model
@@ -53,9 +53,9 @@ UserFunction -- Administratively assigned functions (lecturer, admin, evaluation
 deriving Generic
 UserSystemFunction
 user UserId
- function SystemFunction
- manual Bool
- isOptOut Bool
+ function SystemFunction -- Defined in Model.Types.User
+ manual Bool -- Inserted manually by Admin or automatic from LDAP
+ isOptOut Bool -- User has currently deactivate the role for themselves
 UniqueUserSystemFunction user function
 deriving Generic
 UserExamOffice
diff --git a/routes b/routes
index 9c7b89ae8..d985255e4 100644
--- a/routes
+++ b/routes
@@ -9,6 +9,8 @@
 --
 -- Admins always have access to entities within their assigned schools.
 --
+-- Access tags are defined in Model.Types.Security
+--
 -- Access Tags:
 -- !free -- free for all
 -- !lecturer -- lecturer for this course (or for any school, if route is not connected to a course)
diff --git a/src/Foundation/Authorization.hs b/src/Foundation/Authorization.hs
index 6df5f3417..f77635ce8 100644
--- a/src/Foundation/Authorization.hs
+++ b/src/Foundation/Authorization.hs
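Review bot: The comment added on `isOptOut` has a grammar slip — `-- User has currently deactivate the role for themselves` should read `-- User has currently deactivated the role for themselves`. The new `manual` comment would help a maintainer more if it also stated what the flag means for the LDAP sync, for example whether rows with `manual` set survive when the function disappears from LDAP; that behaviour is not visible in this diff, so I would add it only after checking the sync code. The `UserSystemFunction` entity is shown whole, but the neighbouring entities are cut at both ends of the hunk.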
@@ -555,6 +555,15 @@ tagAccessPredicate AuthSystemExamOffice = cacheAPSystemFunction SystemExamOffice
 isExamOffice <- lift $ exists [UserSystemFunctionUser ==. authId, UserSystemFunctionFunction ==. SystemExamOffice, UserSystemFunctionIsOptOut ==. False]
 guardMExceptT isExamOffice $ unauthorizedI MsgUnauthorizedSystemExamOffice
 return Authorized
+tagAccessPredicate AuthSystemPrinter = cacheAPSystemFunction SystemPrinter (Just $ Right diffHour) $ \mAuthId' _ _ printerList -> if
+ | maybe True (`Set.notMember` printerList) mAuthId' -> Right $ if
+ | is _Nothing mAuthId' -> return AuthenticationRequired
+ | otherwise -> unauthorizedI MsgUnauthorizedSystemPrinter
+ | otherwise -> Left $ APDB $ \_ _ mAuthId _ _ -> $cachedHereBinary mAuthId . exceptT return return $ do
+ authId <- maybeExceptT AuthenticationRequired $ return mAuthId
+ isPrinter <- lift $ exists [UserSystemFunctionUser ==. authId, UserSystemFunctionFunction ==. SystemPrinter, UserSystemFunctionIsOptOut ==. False]
+ guardMExceptT isPrinter $ unauthorizedI MsgUnauthorizedSystemPrinter
+ return Authorized
 tagAccessPredicate AuthStudent = cacheAPSystemFunction SystemStudent (Just $ Right diffHour) $ \mAuthId' _ _ studentList -> if
 | maybe True (`Set.notMember` studentList) mAuthId' -> Right $ if
 | is _Nothing mAuthId' -> return AuthenticationRequired
diff --git a/src/Model/Types/User.hs b/src/Model/Types/User.hs
index 1d32d639a..b5594ea38 100644
--- a/src/Model/Types/User.hs
+++ b/src/Model/Types/User.hs
@@ -11,6 +11,7 @@ data SystemFunction = SystemExamOffice
 | SystemFaculty
 | SystemStudent
+ | SystemPrinter
 deriving (Eq, Ord, Read, Show, Enum, Bounded, Generic, Typeable)
 deriving anyclass (Universe, Finite, Hashable, NFData)
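Review bot: The new `AuthSystemPrinter` clause is a verbatim copy of the `AuthSystemExamOffice` and `AuthStudent` clauses with only the `SystemFunction` constructor and the message swapped, which in authorization code invites the next copy to drop the `UserSystemFunctionIsOptOut ==. False` filter or pair one function's constructor with another's message; factoring the three into one helper parameterised by function and message keeps the policy in a single place. If `$cachedHereBinary` keys its cache on the splice location (I cannot verify its signature from this hunk), a shared helper must put the function into the key, e.g. `$cachedHereBinary (func, mAuthId)`, so exam-office, student and printer checks for the same user cannot collide — check that the key type has the required instance. The helper's header comment should also record the property this pattern gives and that is not obvious from reading it: a member of the cached set is re-verified against the database, so a revoked or opted-out function is denied at once, while a newly granted one is denied until the cached set is rebuilt (presumably after `diffHour`); whether the cached list already excludes opted-out users is not visible here. `tagAccessPredicate` begins before this hunk and continues after it.
```haskell
-- | Access predicate shared by the per-user system functions
-- (exam office, student, printer, ...).  Non-members of the cached set are
-- rejected without touching the database; members are re-verified against
-- UserSystemFunction, so a revoked or opted-out function is denied
-- immediately while a newly granted one is denied until the cached set is
-- rebuilt (presumably after diffHour -- confirm in cacheAPSystemFunction).
systemFunctionPredicate func unauthorizedMsg = cacheAPSystemFunction func (Just $ Right diffHour) $ \mAuthId' _ _ members -> if
  | maybe True (`Set.notMember` members) mAuthId' -> Right $ if
    | is _Nothing mAuthId' -> return AuthenticationRequired
    | otherwise -> unauthorizedI unauthorizedMsg
  | otherwise -> Left $ APDB $ \_ _ mAuthId _ _ -> $cachedHereBinary (func, mAuthId) . exceptT return return $ do
      -- (func, mAuthId) rather than mAuthId alone: one splice site now serves
      -- several functions, so a location-keyed cache must not collide
      authId <- maybeExceptT AuthenticationRequired $ return mAuthId
      isMember <- lift $ exists [UserSystemFunctionUser ==. authId, UserSystemFunctionFunction ==. func, UserSystemFunctionIsOptOut ==. False]
      guardMExceptT isMember $ unauthorizedI unauthorizedMsg
      return Authorized

-- … unchanged: AuthSystemExamOffice clause (candidate for systemFunctionPredicate SystemExamOffice MsgUnauthorizedSystemExamOffice) …
tagAccessPredicate AuthSystemPrinter = systemFunctionPredicate SystemPrinter MsgUnauthorizedSystemPrinter
-- … unchanged: AuthStudent clause …
```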
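Review bot: `SystemPrinter` is appended without a comment saying what it grants, while `SystemFunction` derives `Enum`, `Bounded`, `Universe` and `Finite`, so the new constructor silently joins every `[minBound .. maxBound]`/`universe` enumeration and every non-exhaustive `case` on the type elsewhere (role pickers, the LDAP sync mentioned in the model comment); each of those sites deserves a look. Suggest `| SystemPrinter -- ^ May use the routes guarded by the access tag that maps to AuthSystemPrinter` (adjust to the tag name actually used in routes, which this diff does not show) and, on the type, a note that new constructors must be appended last because `Enum` and `Ord` positions — and possibly the persisted form of the `function` column — depend on declaration order. The `data` declaration begins before this hunk.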