Check who a user has permission to send on behalf of?

Question

For a DocuSign integration, I'm working on allowing users to send on behalf of others. Using DocuSign's REST API, I am able to send on behalf of another DocuSign user by using the <SendOnBehalfOf> node inside the X-DocuSign-Authentication header of the request, as described here.

I've also found that to find any DocuSign users capable of sending on behalf of, I just need to check their apiAccountWideAccess and allowSendOnBehalfOf permissions.

This alone seems like a security concern for me. Is there a way for me to, first in DocuSign, restrict users for designated sending? For example, can I make it so John can send on behalf of Bob, but Jane cannot? If possible, can I then use the DocuSign REST API to check who a particular user can send on behalf of?

Or, does DocuSign allow any designated sender to send on behalf of any other user, so long as they have the aforementioned permissions? I can't find any documentation about this.

Answer 1

There is a Group called "DocuSign Viewer" that will restrict users from sending envelopes. You can assign the a new user to that group by using the group ID when making the call to create the user (or do it in the member console easily as well).

As far as sending on behalf of, the initiating sender will need Account Wide Rights (apiAccountWideAccess in the API). The only restriction for the user they are sending for is they must be able to send envelopes.