Workflow scanning

Workflow Scanning Overview

Description

Workflow scanning gives users a simplified way to scan (e.g. automated routing to their home folder or email) and allows administrators to integrate scanning processes with document management applications.

User Stories

  1. WorkflowScanning - As a User I want to authenticate once at the MFP and use the appropriate scanning workflow function at the MFP so that my documents are automatically delivered to the desired destination(s) without being asked to enter unnecessary information.

  2. SecuredScanning - As an Administrator I want to configure devices to deliver scanned documents to SafeQ via WebDAV/S so that documents do not travel over the network unsecured.

Requirements

  • SafeQ shall support the following repositories for collecting incoming scans.

    • For Embedded Terminals (EIP, OSA, OpenAPI) SafeQ automatically configures scan data collection via standard FTP. (FTP server is embedded in YSoft SafeQ)

    • Device scans to a shared folder that is also accessible by SafeQ. SafeQ monitors this hot folder and executes the workflow on incoming data.
      Warning: Please note that a UNIQUE folder has to exist for every combination of MFP and WORKFLOW.

    • Device stores data to WebDAV/S or HTTPS server available on SafeQ.

  • The following workflows shall be available to users

    • Scan (automated) to email of authenticated user

      Defined attributes can be passed to the email subject or body (as variables in the email template defined by the administrator – see the Available Workflow Attributes section)

      Scans are delivered via SMTP. Basic authentication including secure password verification is available.
      Sender address (FROM:) is replaced by the authenticated user's email (if available).

      Additional options:

      • If the job size exceeds the defined size, the document is stored to a defined folder or rejected with a notification to the user's email.

      • Defined attributes (see Available Workflow Attributes) can be used as variables in the folder name placeholder

    • Scan to email, entered or selected at the MFP panel

      Sender address (FROM:) is replaced by the authenticated user's email (if available).
      For Xerox Embedded, Konica Minolta Embedded and Sharp Embedded Terminal, user email is passed to the MFP after successful authentication of the user.

    • Scan to home folder of authenticated user, default group folder or administrator-defined network folder

      The credentials of the service account (the one used to run the SafeQ server service) are used to write to the target directory. See Scan Management security overview for additional details.

    • Store to folder at the server and execute external script

      Defined attributes can be passed to the script (see the Available Workflow Attributes section).
      The service account running the SafeQ server service must have access to the target directory and rights to execute the script.
      There are several scripts available with the software:

        • Integration with RightFax / FerariFax / FaxChange / StreemFax server (see workflow overview) and providing user information to enable FAX confirmation email.

      • Scan to pre-defined list of network folders

  • The following Workflow Attributes shall be available for workflow definition on all terminals

    • Attributes defined by the system. Every attribute %ATTR% will be replaced by its respective value.

      Available attributes are:

      • %devicename% - name of the scan device, as defined in SafeQ

      • %userhome% - home directory of the user (typically a value imported from AD)

      • %groupfolder% - group directory of the user (typically a value imported from AD)

      • %login%, %name%, %surname%, %email% - attributes of the logged-in user

      • %costcentre% - name of the logged-in user's cost centre/department

  • List of file types that are processed by the workflow script. By default only Images (JPG, TIF, PDF) are delivered to defined destination.

  • The following Workflow Attributes shall be available for workflow definition on Embedded Terminals ONLY

    • Define default settings for scan:

      • DPI resolution (low,normal,fine,high,super)

      • sides (1,2)

      • color usage (monochrome, color, grayscale, bicolor, monocolor, automatic)

      • file type (pdf, compact pdf, tiff, jpeg, xps)

    • Define list of attributes that user should/must select/complete at the MFP with the scan document

      • editable string with optionally pre-defined default value

      • list of selectable items

  • System shall allow the administrator to define the target file name for the scanned document (the document file will be renamed on its way through SafeQ). Several variables can be used in the name placeholder.

    • Defined attributes (see Available Workflow Attributes)

    • Date (Date format is YYYY-MM-DD)

    • Whenever the target file already exists in the destination folder, a new file with a numbered postfix (e.g. _1, _2, _3) will be created.

  • Administrator shall configure the Embedded Terminal so that the device uses either the FTP repository or WebDAV (WebDAV/S)

  • Administrator shall create a workflow scanning template that delivers the data directly to a defined repository (e.g. an SMB/WebDAV/FTP folder defined by path and system variables, plus variables from LDAP such as home directory or WebDAV home page), rather than passing the data through SafeQ server

  • System shall check the compatibility of the device with the selected repository and prevent the administrator from configuring an unsupported repository
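
The file-name requirement above (attribute placeholders, a YYYY-MM-DD date and the _1, _2, _3 postfix on collision) can be sketched as follows. This is an added example, not SafeQ code: the function names and the %date% placeholder name are assumptions, and attribute values are treated as untrusted because some of them are typed in at the MFP panel.

```python
import os
import re
from datetime import date

UNSAFE = re.compile(r'[\\/:*?"<>|\x00-\x1f]')   # separators, wildcards, control chars
PLACEHOLDER = re.compile(r"%([a-z]+)%")


def sanitize_component(value):
    """Make one attribute value safe to embed in a single file name."""
    # Replacing separators and stripping dots turns "../x" into "_x".
    return UNSAFE.sub("_", value).strip(" .") or "_"


def expand_name(template, attrs, today=None):
    """Expand %attr% placeholders; %date% (assumed name) is YYYY-MM-DD."""
    values = dict(attrs, date=(today or date.today()).strftime("%Y-%m-%d"))

    def repl(match):
        key = match.group(1)
        if key not in values:
            raise KeyError(f"unknown workflow attribute %{key}%")
        return sanitize_component(values[key])

    return PLACEHOLDER.sub(repl, template)


def claim_target(folder, filename):
    """Create and return a unique path in folder, adding _1, _2, ... on collision."""
    base = os.path.realpath(folder)
    stem, ext = os.path.splitext(filename)
    candidate, n = filename, 0
    while True:
        path = os.path.realpath(os.path.join(base, candidate))
        if os.path.dirname(path) != base:
            raise ValueError("target file would land outside the destination folder")
        try:
            # O_EXCL claims the name atomically, so two parallel scan jobs
            # cannot both choose the same file.
            os.close(os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600))
            return path
        except FileExistsError:
            n += 1
            candidate = f"{stem}_{n}{ext}"
```

The destination folder itself (for example the value behind %userhome%) is passed in separately as a trusted directory; only the file-name part is built from sanitized attribute values.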

Dependencies / Non Functional Requirements

  • YSoft SafeQ Server must be installed and available within LAN

  • Identity management must be established, including all required information for particular workflow, such as user's home directory (full path) or email address.

  • MFP must be equipped with a terminal with a graphical user interface and with correctly configured authentication (panel blocking)

  • The MFP must support the target repository type (EIP is required for Xerox devices, Scan API 2.2 is required for KM devices)

Caveats

  • SafeQ can run only a limited number of scanning scripts (Store to folder at the server and execute external script workflow; default 5) in parallel. Additional workflows are serialized and executed after successful termination of active scripts.
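
The "Store to folder at the server and execute external script" workflow passes workflow attributes to a script, and the caveat above caps parallel scripts at 5. The sketch below is an added example, not SafeQ code: a hypothetical dispatcher that hands each attribute to the script as its own argv element without a shell, and queues jobs beyond the limit. The --file and --key=value argument convention is an assumption.

```python
import subprocess
from concurrent.futures import ThreadPoolExecutor

MAX_PARALLEL_SCRIPTS = 5  # default parallel-script limit stated on the page


def build_argv(script_argv, scan_path, attrs):
    """Build argv for the external script: one list element per value, no shell."""
    argv = list(script_argv) + ["--file", scan_path]
    for key in sorted(attrs):
        value = attrs[key]
        if any(c in value for c in "\x00\r\n"):
            raise ValueError(f"control character in attribute {key!r}")
        # "--key=value" keeps a value that starts with "-" from being
        # parsed by the script as a separate option.
        argv.append(f"--{key}={value}")
    return argv


def run_script(argv, timeout=60):
    """Run one script; returns (exit code, stdout)."""
    # A list with shell=False (the default) means ; | $() in values stay literal.
    done = subprocess.run(argv, capture_output=True, text=True, timeout=timeout)
    return done.returncode, done.stdout


def dispatch(jobs):
    """Run jobs with at most MAX_PARALLEL_SCRIPTS at once; the rest wait in queue."""
    with ThreadPoolExecutor(max_workers=MAX_PARALLEL_SCRIPTS) as pool:
        return list(pool.map(run_script, jobs))
```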

Licensing

Workflow scanning feature is a standalone licensed feature since YSoft SafeQ with following limitation if license for the feature expires or is not available in a license. Please see License content per version to review all SafeQ version and availability of a feature.

 

Workflow Scanning (scan to home) Diagram

This workflow is typically used for Workflow scanning or Scan Tracking

Card / PIN based authentication and scan to network folder

images/download/attachments/21955352/scan-card.png

PKI (SmartCard based) or Login/Password based authentication and scan to network folder

images/download/attachments/21955352/scan-pki.png

Scan to own email

images/download/attachments/21955352/scan-email.png

  1. User information is typically replicated from LDAP server using secured (server-authenticated) LDAP/S connection. This step is however purely optional. See Identity management for additional details.

  2. User swipes/inserts the card and/or enters the PIN code. The information is transferred to SafeQ using a TLS-based secure protocol (with client-only authentication - the server verifies the identity of the terminal). The server looks up the internal SQL database to find the user record connected with the entered PIN code or card ID.

    1. If Smart Card authentication or login/password authentication is used, SafeQ server uses the Kerberos v5 protocol to get the Ticket Granting Ticket (TGT) information from the Kerberos server.

    2. Kerberos sends encrypted information back to the server

    3. Server uses the secured connection to decipher the data

    4. Server gets the deciphered data and looks up the internal database for respective user record

  3. If the user is authorized to scan, the device panel is unlocked (either using a serial smart blocking cable from the terminal or an internal mechanism in the case of an MFP panel integrated (embedded) terminal).

  4. User scans the data. MFP transfers the data using configured protocol (differs per MFP capabilities).

    1. The most common option is data transfer via unsecured SMB or FTP protocol. (Target IP address and folder are pre-configured at the MFP during initial MFP configuration).

    2. Some devices allow data transfer using secured WebDAV protocol with server authentication.

  5. SafeQ gathers the accounting data using several mechanisms (see Print tracking methods). If the online accounting method is used, SNMP protocol is used to gather the current page meter information from the printer.

  6. In case of vendor-provided accounting, the accounting information is transferred to SafeQ from the printer using a SOAP or HTTPS POST message.

  7. SafeQ server transfers the data using administrator-configured protocol. 

    • In case of scanning to owner's email, data are transferred as email attachment. SafeQ server accesses the email server using configured account with secured password authentication. Data are transferred in plain form. 

    • In case of scanning to the network folder, the scan is delivered to the home folder specified in user record (inside SafeQ SQL database). Authentication to the network folder is based on privileges of the system account that runs SafeQ to access the folder. The system account MUST have the write access to all network home folders.

    • (7.a) In case of PKI based or login/password authentication used with:

      • Terminal Professional, SafeQ uses the Kerberos Ticket Granting Ticket (TGT) service and impersonates the user to access the home folder. In such a case, no special privileges for the system account that runs SafeQ are needed. Configuration can be done by following the description at Smart Card support

      • Terminal Embedded, SafeQ service must have full access to write to the home folders of the users. Kerberos Ticket Granting Ticket (TGT) cannot be used.

      • NOTE: When a user is a member of the Administrators group and this workflow is used, the job will be stored under the Administrators context, not the original user.