0
votes

A 3rd party website is offering our service to their members. When they sign up, members have to agree to our contract. Currently this is handled manually, with envelopes being sent through email. We want to streamline this process allowing members to enter their information into the web site, and then immediately be presented with a contract to review and sign.

The 3rd party web site will collect the member information, then use the REST API to create a draft envelope based on a Template and information the member enters on the website. The application will then display the contract in the web page so that the user can review and sign it. The document workflow will ensure that signed copies are routed to appropriate parties within our company via email for completion.

We want the 3rd party web site to have access to an account to which we can share templates. We want the 3rd party application to have very limited capabilities through the API:

  • Submit requests using a User ID and Integrator Key that we provide. These credentials need to be different from other User Ids and Integrator Keys under our account

  • Create a draft envelope based on the templates we provide

  • Post a Recipient View allowing the application to display the document for review and signature (in an IFrame)

  • Receive the signing status via the return URL provided in the Recipient View post

  • Possibly request status for an envelope

  • The external application should not have access to other templates, documents, or unnecessary API calls.

We want to be able to cancel the application's access at any time.

Question: Permissions and API Limitations

Is the above scenario feasible with respect to establishing limited access to the DocuSign REST API? How would we set this up?

Do account user permissions limit API use, if the API is enabled for the user? I found these settings in the user permissions section of the documentation. I can make guesses as to how to set them, but I need guidance on the actual implications of some settings.

  • Submit DocuSign API Requests: true
  • Manage Account: false
  • Send Envelope: true
  • Manage Templates: Use
  • DocuSign Desktop Client: false
  • Transfer Envelopes to User: false
  • Allow sender to set email language for recipients: false

I assume "Account-Wide Rights" should be false, but under that option in the documentation, it lists RequestStatus as one of the calls covered. Will an application embedding the signing process still have sufficient permissions to complete the tasks listed above if "Account-Wide Rights" is false?

Are there other settings or issues I need to consider?

1
BTW, my DocuSign Account Rep advised me to post this question here. - BJ Safdie

1 Answer

1
votes

Firstly, thanks for using DocuSign. The answer to your question is in a few different parts. To clarify, I am answering assuming:

1.) You are a current customer (or about to be one) of DocuSign.

2.) You have a plan that is set up to allow integration (i.e., you aren't trying to do all of this with a personal plan, or something like that).

There are a couple of terms I will use... Sender and Recipient. In this scenario, the Third Party Website is "the sender" and they are sending the documents through YOUR DocuSign account, using the API. The people who are signing up for your service are going to be Envelope Recipients.

Just like with the post office, someone has to send, and someone gets the envelope.

So far so good.

So what will happen is that the third party website will write some code that knows how to talk to the DocuSign API, and you will need to know:

- DocuSign Account ID (this is your DocuSign account)
- The Integrator Key (this is the key that you will need to certify before going live, which identifies all those API calls as coming from them)
- Credentials to access your account (this can be either the actual creds, or a token, etc).

Now, there are two ways to do it. You can either have the third party website make and send all of the envelopes as if they all came from a single "user" in DocuSign (likely) or if you know that a particular user should send out things, you can do that too.

I am going to assume that all of the sign up packets will be sent as if they came from something like [email protected].

So you will make sure you have a user in your DocuSign account with that email address and name, and make sure that user has the ability to send via the API (there's a setting in DocuSign admin), and all envelopes will be sent as if that "person" sent them.

You will need the settings for that user (the one that will "send" all the envelopes), set as you showed above. You would need the Account Wide access if you wanted to send "on behalf of" a different user. But you aren't doing that, so you should be cool.

The last thing is that you will need to make sure you have an envelope based plan (as opposed to a seat based plan) because otherwise, that one mega-user will look suspicious (sending hundreds of envelopes in an automated fashion).

I hope this answers the question?

-Dan
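
An added example, not part of the question, the answer, or DocuSign's own code: the workflow above receives the signing status on the return URL, but that URL is loaded by the signer's browser, so its parameters are only a claim until the envelope status request confirms them. The sketch binds the return URL to one envelope and member with an HMAC and defers to a server-side check. Assumptions: the key, host, function names and the `signer_has_signed` callable are hypothetical; `event` is the query parameter DocuSign appends when embedded signing returns.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed values for illustration only.
STATE_KEY = b"constructed-demo-key"
RETURN_BASE = "https://partner.example/signing/return"


def _tag(envelope_id: str, member_id: str) -> str:
    """HMAC over the envelope/member pair so the pair cannot be swapped."""
    msg = f"{envelope_id}|{member_id}".encode()
    return hmac.new(STATE_KEY, msg, hashlib.sha256).hexdigest()


def make_return_url(envelope_id: str, member_id: str) -> str:
    """Return URL to place in the Recipient View request for one signing session."""
    query = urlencode({"env": envelope_id, "member": member_id,
                       "state": _tag(envelope_id, member_id)})
    return f"{RETURN_BASE}?{query}"


def handle_return(url: str, signer_has_signed) -> str:
    """Classify a hit on the return URL.

    signer_has_signed(envelope_id) is a hypothetical callable that makes the
    server-side status request and returns True only if the API reports the
    member's signature.
    """
    q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    env, member = q.get("env", ""), q.get("member", "")
    expected = _tag(env, member).encode()
    if not hmac.compare_digest(expected, q.get("state", "").encode()):
        return "rejected"        # envelope or member id was altered or forged
    if q.get("event") != "signing_complete":
        return "not_signed"      # cancel, decline, timeout and similar
    # The browser only claims completion; confirm with the API before acting.
    return "signed" if signer_has_signed(env) else "unconfirmed"
```
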