Gregory A. Miller

Reputation: 50

API Integration across multiple accounts within same organization

I have had my API Integration promoted to my Production environment for a few weeks now and all is well but I ran into a new issue that I need help understanding. The process is setting up impersonation. The hierarchy of the organization is relatively simple:

(image: diagram of the organization hierarchy)

My Integration was built under Company A and so far 100% of Company A accounts are able to be impersonated as expected. The issue came up when Company B was added to the Organization and one of the existing accounts was included in the list to be impersonated. The following message is what I am getting back from my API call.

(image: the error message returned by the API call)

I have Organization Admin permissions as well as Admin permissions on all of the Company Accounts too and this message appears even for me. My feeling is this is a simple administrative function to grant the User in Company A the permissions to access either a User in Company B or all of Company B. I am just not seeing where this gets setup. I hope anyone can point me in the right direction on this one.

=== 07/06/2022 - Adding additional details ===

/oauth/userinfo response:

    {
        "sub": "xxxxx-xx-xx-xx-xxxxx",
        "name": "Greg Miller",
        "given_name": "Greg",
        "family_name": "Miller",
        "created": "2017-11-10T18:26:23.583",
        "email": "[email protected]",
        "accounts": [
            {
                "account_id": "xxxxx-xx-xx-xx-xxxxx",
                "is_default": true,
                "account_name": "CompanyA",
                "base_uri": "https://###.docusign.net",
                "organization": {
                    "organization_id": "xxxxx-xx-xx-xx-xxxxx",
                    "links": [
                        {
                            "rel": "self",
                            "href": "https://account.docusign.com/organizations/xxxxx-xx-xx-xx-xxxxx"
                        }
                    ]
                }
            },
            {
                "account_id": "zzzzz-zz-zz-zz-zzzzz",
                "is_default": false,
                "account_name": "CompanyB",
                "base_uri": "https://###.docusign.net",
                "organization": {
                    "organization_id": "zzzzz-zz-zz-zz-zzzzz",
                    "links": [
                        {
                            "rel": "self",
                            "href": "https://account.docusign.com/organizations/zzzzz-zz-zz-zz-zzzzz"
                        }
                    ]
                }
            }
        ]
    }

Admin panel User Membership screen

Additional Info Added 07/07/22

The base_uri designation for both Company A and Company B is the same: "https://na2.docusign.net"

This is the /oauth/userinfo data returned using the JWT created for the Company B user account I am trying to impersonate.

    {
        "sub": "xxxxx-xx-xx-xx-xxxxx",
        "name": "Company B",
        "given_name": "CompanyB",
        "family_name": "XYZ TEAM",
        "created": "2021-03-31T18:20:05.23",
        "email": "[email protected]",
        "accounts": [
            {
                "account_id": "xxxxx-xx-xx-xx-xxxxx",
                "is_default": true,
                "account_name": "Compan B",
                "base_uri": "https://na2.docusign.net",
                "organization": {
                    "organization_id": "xxxxx-xx-xx-xx-xxxxx",
                    "links": [
                        {
                            "rel": "self",
                            "href": "https://account.docusign.com/organizations/xxxxx-xx-xx-xx-xxxxx"
                        }
                    ]
                }
            }
        ]
    }

The steps I take are basically the same as you outline:

  1. Generate a JWT access token.
  2. I am manually storing the required userinfo data, userID (sub) and base_uri, in a local db table.
  3. I am using cURL to make my API calls: `$base_uri.'/restapi/v2.1/accounts/'.$AccountID.'/views/console'`

Upvotes: 1

Views: 522

Answers (1)

Larry K

Reputation: 49104

You have two choices for accessing data in Company B (Account B):

  1. Add the user in Company A (Account A) to also be a user in Account B. (Users can have memberships in more than one account.)
  2. To access the data in Account B (Company B), impersonate a (different) user who is in account B. This is done via the eSign Admin app or via the Org Admin app.

By design, a user who is not in Account B cannot access any data in Account B. (This is the error message you're receiving.)

Note: you do not need to make any changes to your app's integration key (client ID); all client IDs in production can be used with any user, with any account the user has access to.

To see which accounts the current user has access to, use the /oauth/userinfo API method.

Added

When you get the message "User does not have a valid membership in this account", check:

  1. What account is the request using? (What is the URL of the request?)
  2. Was the request sent to the right base url for the account?
  3. What result does the current access token provide when calling the /oauth/userinfo API method?

Your test API calls should be:

  1. Get an access token
  2. Call /oauth/userinfo
  3. Call the eSign API (e.g. list envelopes or some such) for each of the accounts listed in /oauth/userinfo.

Upvotes: 1
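The three test calls above, and the membership check that explains the error, as an added example (not the asker's PHP code and not DocuSign's SDK): the script resolves every account through the `/oauth/userinfo` response, builds the list-envelopes URL from the `base_uri` that userinfo reports for that account, and refuses locally when the token's user has no membership there. The userinfo body, the account ids and the `example.invalid` address are constructed placeholders; `fetch_userinfo` and `probe_account` are the live steps and are not exercised offline.

```python
"""Pre-flight membership check for DocuSign eSign API calls.

Added example, not code from the question or from DocuSign. Assumes the
/oauth/userinfo shape shown in the question and the documented
GET /restapi/v2.1/accounts/{accountId}/envelopes endpoint.
"""
import json
import urllib.request
from typing import Optional

# Constructed /oauth/userinfo body modelled on the one in the question.
# Account ids and the e-mail address are placeholders, not real values.
SAMPLE_USERINFO = {
    "sub": "00000000-0000-0000-0000-000000000000",
    "name": "Greg Miller",
    "email": "greg@example.invalid",
    "accounts": [
        {
            "account_id": "AAAAAAAA-0000-0000-0000-000000000001",
            "is_default": True,
            "account_name": "CompanyA",
            "base_uri": "https://na2.docusign.net",
        },
        {
            "account_id": "BBBBBBBB-0000-0000-0000-000000000002",
            "is_default": False,
            "account_name": "CompanyB",
            "base_uri": "https://na2.docusign.net",
        },
    ],
}


def find_membership(userinfo: dict, account_id: str) -> Optional[dict]:
    """Return the 'accounts' entry for account_id, or None when the token's
    user is not a member of that account (the situation in the question).
    Account ids are GUIDs, so the comparison ignores case."""
    wanted = account_id.strip().lower()
    for acct in userinfo.get("accounts", []):
        if acct.get("account_id", "").lower() == wanted:
            return acct
    return None


def envelopes_url(userinfo: dict, account_id: str, from_date: str = "2022-06-01") -> str:
    """Build the list-envelopes URL using the base_uri userinfo reports for
    that account (answer step 3). Raises LookupError instead of sending a
    request that the server can only reject with the membership error."""
    acct = find_membership(userinfo, account_id)
    if acct is None:
        raise LookupError(
            f"user {userinfo.get('sub')} has no membership in account {account_id}; "
            "add the user to that account or impersonate a user who is a member"
        )
    base = acct["base_uri"].rstrip("/")
    return f"{base}/restapi/v2.1/accounts/{acct['account_id']}/envelopes?from_date={from_date}"


def plan_checks(userinfo: dict) -> list:
    """One (account_name, url) pair per account the token can reach: the
    per-account probe the answer recommends after calling /oauth/userinfo."""
    return [(a["account_name"], envelopes_url(userinfo, a["account_id"]))
            for a in userinfo.get("accounts", [])]


def fetch_userinfo(access_token: str, oauth_host: str = "account.docusign.com") -> dict:
    """Live answer step 2 (not run offline): GET /oauth/userinfo with the
    bearer token. The developer sandbox host is account-d.docusign.com."""
    req = urllib.request.Request(
        f"https://{oauth_host}/oauth/userinfo",
        headers={"Authorization": f"Bearer {access_token}"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def probe_account(access_token: str, userinfo: dict, account_id: str) -> int:
    """Live answer step 3 (not run offline): list envelopes for one account
    and return the HTTP status; a non-member is rejected before any request."""
    req = urllib.request.Request(
        envelopes_url(userinfo, account_id),
        headers={"Authorization": f"Bearer {access_token}"},
    )
    with urllib.request.urlopen(req) as resp:
        return resp.status


if __name__ == "__main__":
    for name, url in plan_checks(SAMPLE_USERINFO):
        print(f"{name}: {url}")
    try:
        envelopes_url(SAMPLE_USERINFO, "CCCCCCCC-0000-0000-0000-000000000003")
    except LookupError as exc:
        print("blocked locally:", exc)
```

Keeping the membership test on the client side mirrors what the server enforces: `sub` identifies one user, and that user's `accounts` list is the complete set the token can act on, whatever the Organization Admin role of the person who created the integration. A request for an account outside that list cannot be fixed by changing the client ID; it needs either a membership for the user or a JWT that impersonates a user who already has one.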
