Skip to content

Automated OCR operations are attributed to the impersonated file owner (audit-trail / accountability concern) #385

Description

@fgrosswig

Summary

When workflow_ocr processes a file, the resulting version author and the
file activity are attributed to the file owner ("You"), not to an automated
system actor. As a result an automated OCR operation is indistinguishable
from a manual user edit in the audit trail.

Root cause (as I understand it)

lib/Service/OcrService.php calls userSession->setUser($owner) before
writing the OCR'd file back and creating the version (and setUser(null)
afterwards). The impersonation is technically necessary for filesystem access,
but it means the version metadata + activity inherit the owner as author.

Why this matters (compliance / ISMS)

In a compliance / ISMS context, accountability & non-repudiation require
that automated system actions are clearly distinguishable from manual user
actions. Attributing an automated OCR to a real user weakens the audit trail
("who actually did this?").

Current mitigations (helpful, but not sufficient)

  • The Before OCR version label signals an OCR result.
  • The configurable "assign tag after OCR" marks processed files.
    These document that OCR happened, but not that it was automated vs. manual.

Request

Please consider an option to attribute OCR operations (version author + activity)
to a configurable system/service actor (or Nextcloud's system actor),
instead of the impersonated file owner — at minimum as an opt-in setting.

Environment

  • workflow_ocr: 1.33.1
  • Nextcloud: 33.0.5
  • Mode: local backend (ocrmypdf), Flow trigger on file create + PDF
Image

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions