1

I am creating envelopes and everything was working fine before I included the SendOnBehalfOf tag. I am receiving the error, "USER_LACKS_PERMISSIONS". I have checked my account permissions and the Send On Behalf Rights (API) is checked as well as the Account Wide Rights.

Here is the header created on the request:

POST https://demo.docusign.net/restapi/v2/accounts/49f49b40-fda4-4fbb-8db2-9326a7a1eb91/envelopes HTTP/1.1
Host: demo.docusign.net
X-DocuSign-Authentication: <DocuSignCredentials><SendOnBehalfOf>kelder@gennet.com</SendOnBehalfOf><Username>pserrate@gennet.com</Username><Password>*****</Password><IntegratorKey>FIRS-623bd271-aa91-40ca-9983-835c1586527b</IntegratorKey></DocuSignCredentials>
Content-Type: multipart/form-data; boundary=MY_BOUNDARY
Accept: application/json
Content-Length: 824511
Expect: 100-continue

Here is the response I get from DocuSign:

HTTP/1.1 401 Unauthorized
Cache-Control: no-cache
Content-Length: 126
Content-Type: application/json; charset=utf-8
Date: Tue, 03 Dec 2013 21:14:18 GMT
Strict-Transport-Security: max-age=7776000; includeSubDomains

{
  "errorCode": "USER_LACKS_PERMISSIONS",
  "message": "This user lacks sufficient permissions to access this resource."
}

Can you please let me know what I am missing or if this is a setting that needs to be updated/turned on on the DocuSign end?

user3002092
  • 495
  • 2
  • 11
  • 29

1 Answers1

0

Getting the "User Lacks Permissions" error when using "Send on behalf of" with the Create Envelope API request most likely indicates an issue with the send-on-behalf-of user account. A couple of things to check:

  • The SendOnBehalfOf email address (kelder@gennet.com in your case) must correspond (exactly, perhaps may even be case-sensitive) to another member of the same DocuSign account. i.e., if you login to the DocuSign web console with your (admin) credentials, and navigate to Preferences >> Users -- you should see an Active user that uses the SendOnBehalfOf email address.

  • The membership that corresponds to the SendOnBehalfOf email address must have permissions to Send Envelopes. Verify this by navigating (in the DocuSign web console) to Preferences >> User >> [click link to Open user] >> Permissions (button). For example, the following member would not be capable of sending an envelope, because he has Permission Profile = DocuSign Viewer and the Send Envelopes setting is not selected: User Permissions

Update --- also verify the following:

  • Both kelder@gennet.com and pserrate@gennet.com must be members of the same DocuSign account.

  • The account number of the account in which kelder@gennet.com and pserrate@gennet.com are members must be the same as you're specifying in the URL (i.e., in your example: 49f49b40-fda4-4fbb-8db2-9326a7a1eb91).

  • The member with email address pserrate@gennet.com must have these permissions enabled: Account-Wide Rights, Send On Behalf Of Rights (API), Sequential Signing (API). API permissions

If you've verified all of the above, and it still isn't working, then to troubleshoot further, I'd suggest that you try sending an envelope (via the EXACT SAME URL and with the EXACT SAME REQUEST BODY) twice -- once as pserrate@gennet.com and once as kelder@gennet.com -- but both times, without using the <SendOnBehalfOf> element in the X-DocuSign-Authentication header. Once you do that, post the results here as a Comment, and I'll provide further feedback.

Kim Brandl
  • 13,125
  • 2
  • 16
  • 21
  • Both of these accounts are currently administrators and both are able to send envelopes. I have sent envelopes with both accounts in the past. Do you have any other suggestions? – user3002092 Dec 03 '13 at 22:10
  • Updated my answer with some more feedback. – Kim Brandl Dec 04 '13 at 00:02
  • We are both members of the same DocuSign account, we are both members of that account and those three selections are check on both of our accounts. I tried your test with the same exact same information, just changing the X-DocuSign-Authentication header and I produced an envelope with the ID: "cbc7b72b-a5b0-4fd3-a71c-237b3236191e" with pserrate and the envelope with the ID: "9e6c4d8d-81d4-4b6c-88ef-50dde1a1a751" with kelder. Are there any other possibilities? – user3002092 Dec 04 '13 at 00:52
  • So, if your tests sending as each user directly/individually (i.e., without using SendOnBehalfOf) used the exact same URL and request body each time -- the fact that each user was able to successfully send their own envelope via the API should rule out any kind of permission setting regarding sending envelopes, etc. That certainly narrows it down to an issue specifically with using the element in the request header. I'm not aware of any other settings you need to enable...perhaps there's some setting(s) that DocuSign needs to enable for your account behind-the-scenes? – Kim Brandl Dec 04 '13 at 02:07
  • I should also mention that the format of your "X-DocuSign-Authentication" header content (including ) seems correct -- I'm able to cc/paste your header value into my own request (populated with my username/pwd/integrator key) and Send-on-behalf-of works fine for me. – Kim Brandl Dec 04 '13 at 02:09
  • That's strange. Do you know of any other possibilities that may solve this problem? – user3002092 Dec 04 '13 at 17:32