Last Updated on August 8, 2022 by Alis Lee
Introduction to DocuSign Login
This topic provides an introduction to DocuSign Admin, including the main capabilities and requirements, and how
it can benefit your enterprise.
Note: To create an organization and set up single sign on (SSO), you must have DocuSign Admin enabled on
your account. If you cannot follow the instructions provided in this guide, please contact your DocuSign
account manager for assistance.
What is DocuSign Admin?
DocuSign Admin is a management infrastructure that empowers you to control and manage how DocuSign is used
by your company. Through centralized administrative tools, you can govern the use of DocuSign in an efficient and
logical way, and control with confidence how the application is deployed at your company. DocuSign Admin
changes the way you administer DocuSign by bringing together the accounts, users, and components necessary
to support your workflows.
Note: See Establish Control of your Company’s DocuSign Agreements to learn how you can gain control of
your company’s agreements with proven best practices and procedural guidelines.
DocuSign Admin capabilities
• View all of your accounts from a centralized location
• Self-service set up and management of your organization for identity management
• Administer just-in-time provisioning configurations
• Centralized user management
• Manage your organization’s administrative team
Requirements to use DocuSign Admin
To use DocuSign Admin, your company must meet the following requirements:
• DocuSign Admin must be enabled on at least one account owned by your company. This requires the purchase
of the appropriate package, Enterprise Pro with the Organization Management Add-On. From that account, any
account administrator can create an organization.
• Any account that is managed or otherwise affected by DocuSign Admin and the customer’s use of the
Enterprise Pro package must have the applicable plan enabled.
If you need assistance in securing the appropriate package and plan for your accounts, please contact your
DocuSign account team.
7
Advantages of centralized management
Today, a company with multiple DocuSign accounts must manage accounts and users from within each account.
This siloed structure requires repeating configuration changes and user updates for all affected accounts, which
can lead to errors and inconsistent implementation across the company.
With DocuSign Admin, your company gains instant visibility and control over domains and identity management
(for SSO), accounts, and users from a centralized location. DocuSign Admin provides one place to manage your
company’s entire DocuSign implementation.
8
Getting Started
Note: This guide is for DocuSign administrators who oversee multiple accounts. For administrators of
individual accounts, see Welcome to Administration – DocuSign eSignature Admin.
To get started with DocuSign Admin, select the implementation plan that matches your company’s situation.
Plan 1: Existing DocuSign Customer
Scenario: Your company has one or more active DocuSign accounts and access to DocuSign Admin.
Implementation Plan: Your organization is already set up and ready for you to explore.
• Accessing your organization: How to access the DocuSign Admin dashboard.
• Establish Control of your Company’s DocuSign Agreements: Learn how you can gain control of your company’s
agreements with proven best practices and procedural guidelines.
• Review domain setup: Manage email domains claimed for your organization.
• Review identity provider setup: Add and manage identity providers; edit the default account and permission
profile used for just in time user provisioning.
• Review and manage the accounts in your organization: See the accounts that are part of your organization and
link additional accounts that you administer.
• Add other administrators: Invite additional DocuSign users to be administrators for your organization.
• Review users: Manage users across multiple accounts and domains. Add and edit users, assign permission
profiles and manage account access. Close users’ account memberships.
• Review applications: Manage the applications that can access your DocuSign organization. Applications are
authorized for all domain users and access is limited by the permissions you specify.
9
Plan 2: New DocuSign Customer
Scenario: Your company is new to DocuSign and will set up one or more active DocuSign Enterprise accounts
and configure SSO. For visibility and control over your accounts and users, you will use DocuSign Admin.
Implementation Plan: You need to establish at least one DocuSign account with DocuSign Admin enabled on the
account. Then you will create a DocuSign organization and set up SSO. From there, you will build out your
organization, linking accounts to manage and adding DocuSign administrators to help you manage the
organization and all of its users.
• Create an organization from the DocuSign account with DocuSign Admin enabled. If not enabled, contact your
DocuSign account manager.
• Access your organization: How to access the DocuSign Admin dashboard.
• Establish Control of your Company’s DocuSign Agreements: Learn how you can gain control of your company’s
agreements with proven best practices and procedural guidelines.
• Review the SSO overview: Set up Single Sign-On (SSO):
◦ Set up email domains: Establish your email domain claims.
◦ Configure an identity provider: Add your identity provider; edit the default account and permission profile
used for just in time user provisioning.
◦ Test your SSO configuration: Validate your SSO setup before enabling it for all domain users.
◦ Enable SSO: Make SSO mandatory for all domain users.
◦ Configure SSO exceptions: Set user login policy for individual users who need different access
requirements.
• Link additional accounts: Centralize management of your users by linking all corporate DocuSign accounts to
your new organization.
• Add other administrators: Invite additional DocuSign users to be administrators for your organization.
• Review users: Manage users across multiple accounts and domains. Add and edit users, assign permission
profiles and manage account access. Close users’ account memberships.
• Authorize applications: Manage the applications that can access your DocuSign organization. Applications are
authorized for all domain users and access is limited by the permissions you specify.
Creating an organization
To create an organization you must be an eSignature account administrator with the All Administration Capabilities
permissions. Also, the account you use to create the organization must be enabled with DocuSign Admin.
Note: If you do not see the DocuSign Admin section in DocuSign eSignature Admin as shown in the
procedure below, contact your DocuSign account manager for assistance.
When you create an organization, you are automatically the administrator and the eSignature account used to
create the organization is the default account. An organization’s default account is used for just-in-time
provisioning when new users are added.
After you create an organization, you can update the name and description at any time through the Overview tile.
10
CONTENTS
How to create an organization
Update the organization name or description
Related topics
To create an organization
1. Log in to eSignature Admin for a DocuSign account that is enabled for DocuSign Admin.
2. From the eSignature Admin home page, click GET STARTED.
Note: If you do not see the GET STARTED section in your DocuSign account, then DocuSign Admin is not
enabled on the account. Contact your DocuSign account manager for assistance.
3. Enter an Organization Name and an optional Description in the fields provided, then click NEXT.
11
4. Link accounts to your organization. The account you used to create the organization is automatically linked.
Select any additional accounts you and the other DocuSign administrators want to manage centrally through
your organization.
All the accounts for which you are an account administrator with All Administration Capabilities permissions are
listed. You can link additional accounts at any time. See Accounts.
5. Click CREATE to finish creating your organization.
Your organization is created. The next time you log in to eSignature Admin, use the Admin Switcher to access
the DocuSign Admin dashboard.
To update the organization name or description
As a DocuSign administrator with the DocuSign Admin permission profile, you can update the organization name
and description from the Overview tile.
1. From the DocuSign Admin dashboard, click the Overview tile.
2. On the Overview page, edit the Organization Name and Description fields as needed.
3. Click UPDATE.
Your organization profile details are updated.
12
Related topics
For more information on topics related to creating an organization, see the following:
• Establish Control of your Company’s DocuSign Agreements: Gain control of your company’s agreements with
proven best practices and procedural guidelines.
• Link accounts to an organization: Link accounts with DocuSign Admin.
• Default account for an organization: Manage the default account for just-in-time provisioning for new users.
• Access an organization: How to access your organization from the DocuSign eSignature Admin app and the
DocuSign Admin dashboard.
Accessing an Organization
Once your organization is created, only the DocuSign users who have been added as DocuSign administrators
and have activated their membership, can access and view the organization.
The main organization view is a dashboard that provides access to all other parts of the organization.
Note: See Establish Control of your Company’s DocuSign Agreements to learn how you can gain control of
your company’s agreements with proven best practices and procedural guidelines.
CONTENTS
How to access DocuSign Admin
The DocuSign Admin dashboard
Troubleshooting
Accessing the DocuSign Admin dashboard
1. Log in to DocuSign eSignature as a DocuSign administrator.
2. Click your profile image, then click Go to Admin.
3. Click SWITCH TO… in the upper-left of the screen.
13
4. Click DOCUSIGN ADMIN.
The organization dashboard appears.
The DocuSign Admin dashboard
The dashboard provides access to all aspects of your organization.
• To navigate to the different parts of your organization, click on the dashboard tiles or use the left-hand
navigation menu.
◦ For DocuSign administrators with the Administrator permission profile, the dashboard includes all available
tiles.
14
◦ For administrators with the Users Administrator permission profile, the dashboard includes only Users,
Accounts, and Bulk Actions.
◦ For administrators with the Settings Administrator permission profile, the dashboard includes only Accounts
and Bulk Actions.
15
Troubleshooting
Why can’t I access DocuSign Admin on all of my accounts within the organization?
This can happen if you are a member of accounts on more than one server environment (NA1, NA2, EU, AU, etc.).
If you can access DocuSign Admin on some, but not all of your associated accounts, or are unable to link an
account for which you are an eSignature Administrator, follow these steps:
1. From the DocuSign Admin dashboard, click Users.
2. Enter your email address into the search bar, then click SEARCH.
3. From the user details page, click EXTEND ORGANIZATION RIGHTS TO ALL MEMBERSHIPS.
All of your account memberships within the organization can now access DocuSign Admin.
Managing Organization Features
As a DocuSign Administrator, you can manage the solutions and features available for your organization. Solutions
are collections of related features aimed at solving specific business needs. For example, when a feature like user
list exports is coupled with other related features, it enhances user management as a whole.
The organization overview displays a brief description for each solution and provides documentation for each
feature. The organization features can also be viewed as a list, separate from their solutions. All changes made to
features are tracked in the organization audit log.
Note: If a feature is marked as Not Available, contact your account management team to learn more.
16
To enable or disable organization features
If a feature is available for you organization, you can enable or disable it here. Changes made here will affect all
DocuSign Administrators with the appropriate level of permissions. If you do not see the option to enable or
disable features or features say ‘Not Available,’ contact your account team for assistance.
Note: Some organization features are related. Enabling or disabling a dependent feature will affect the related
feature.
1. From the DocuSign Admin dashboard, click the Overview tile.
2. Locate the solution with a feature you’d like to enable and click MANAGE.
Note: Alternatively,click the list view button to view individual features as a list.
3. Click ENABLE.
17
4. Click ENABLE to enable the feature.
Note: If there is a dependent feature, you’ll be prompted to enable that feature at the same time.
The feature is enabled for the organization.
5. To disable a feature, click the actions icon .
6. Click Disable.
Note: If the option to disable does not appear, there is a dependent feature which must be disabled first.
Disable the dependent feature to continue.
7. Click DISABLE again to disable the feature.
The feature is disabled for the organization.
18
DocuSign Single Sign-On Overview
Note: This guide is for DocuSign administrators. Single Sign-On requires DocuSign Admin.
With Single Sign-On (SSO), you can provision new users and enforce secure access management across all your
corporate applications. SSO, also known as Federation, simplifies and secures user login, with just one password
for all your SSO-enabled applications. With DocuSign Admin, you can set up and manage SSO at a global level to
control all your DocuSign accounts.
SSO enables your company to manage access to DocuSign through an Identity Provider, such as Okta, Azure,
Active Directory Federation Services, and OneLogin. With SSO, DocuSign users must use the Company Log In
option. When they enter their domain email address, authentication is handled by an Identity Provider (IdP).
DocuSign Admin allows an administrator to manage users on their company’s email domains. For example,
suppose every user at a company has an email address at the domain @myorganization.com. By proving
ownership of myorganization.com, an administrator can manage the identity for DocuSign users on that email
domain. For example, a company can enable a security policy in a DocuSign organization to require all users with
their email address to authenticate with the corporate Identity Provider.
Overview: Setting Up SSO for Your Organization
SSO functionality is managed through DocuSign Admin. In order to set up SSO, your company must already have
created a DocuSign organization and you must be designated as an administrator with the DocuSign Administrator
permission profile. To create a DocuSign organization, you must have an account that is enabled for this feature. If
you cannot access the organization view from your DocuSign account, please contact your DocuSign account
team for assistance.
Best Practice: DocuSign recommends setting up and testing SSO in a demo organization first. Then, when
successful, repeat the steps in your production organization account.
The basic steps to setting up SSO for your DocuSign organization
19
1. Prove ownership of a domain.
DocuSign administrators follow the process to claim and validate ownership of a reserved domain. See Claim a
Domain.
2. Set up and configure an Identity Provider in DocuSign.
The DocuSign administrator provides SAML configuration to allow DocuSign to establish interoperability with
the IdP. See Set up an Identity Provider.
3. Test the SSO configuration.
Test the SSO configuration with a small group of users to ensure SAML is configured correctly. See Test SSO
Configuration.
4. Make SSO mandatory for all users and configure exceptions.
Make SSO mandatory to require all users on reserved domains to authenticate with the Identity Providers. Any
pre-existing user names and passwords in DocuSign are no longer valid. See Change Domain Level Settings
procedure.
For domain users or integration users who need to be able to log in without requiring IdP authentication,
configure login policy exceptions on a per user basis. See Setting User Login Policy.
Related Topics:
• Establish Control of your Company’s DocuSign Agreements: Gain control of your company’s agreements with
proven best practices and procedural guidelines.
• Domains
• Identity Providers
• Setting User Login Policy
Domains
Note: This guide is for DocuSign administrators. Single Sign-On requires DocuSign Admin.
This section covers Step 1 of the process to set up and enable SSO for your DocuSign organization and provides
some supporting reference information about reserving domains. This step requires that you have already created
your organization as described in creating an organization. An organization can claim the same domain in both the
demo and production environments.
Note: Claiming a domain is also part of the authorization process for connected applications. For more
information, see Connected Apps.
20
Best Practice: DocuSign recommends setting up and testing SSO in a demo organization first. Then, when
successful, repeat the steps in your production organization account.
As a DocuSign administrator, you can claim domains for use with DocuSign through the Domains page of your
organization. When you claim and verify an email domain for your organization, you can manage all users for that
domain, across all accounts linked to the organization.
You can restrict users from creating personal DocuSign accounts using an email address from a claimed domain.
You can also grant administrative consent for connected applications on behalf of domain users.
Important: A domain can only be claimed by one DocuSign organization. If one organization has claimed and
verified a domain, then another organization cannot claim it. An organization can claim the same domain in
both the demo and production environments.
To start, you’ll initiate a claim for your organization from the Domains page in DocuSign Admin. DocuSign then
generates a special token that you add to the DNS (Domain Name System) for the domain. Once DocuSign verifies
this token in the DNS, the domain is registered to the organization.
Note: You can choose to add a TXT record or a CNAME record to your domain’s DNS. To ensure continuity of
coverage, it is recommended to add both record types when claiming a domain.
CONTENTS
Prove ownership of a domain (SSO Step 1)
Additional reference information on claiming domains
To prove ownership of a domain
1. In DocuSign Admin, click Domains.
21
2. Click CLAIM DOMAIN.
3. Enter the Domain Name.
4. Click CLAIM.
If the domain is available, a TXT token is generated and shown in the dialog box.
5. Copy the generated TXT token so that it can be added to your domain’s DNS entry.
6. Click CLOSE.
22
7. Outside of DocuSign Admin, update your domain’s DNS entry to include the following:
To create a TXT record
a. Navigate to your domain’s DNS record management page.
b. Add a new TXT record.
c. Name: @ or *
d. Text: TXT token from step 5 – Example: docusign=2cacbbaa-e1b9-4b82-a86e-68d539d865da
e. TTL: Default or 1 hour / 3600 seconds
To create a CNAME record
a. Navigate to your domain’s DNS record management page.
b. Add a new CNAME record.
c. Name: 32-digit GUID only from the token in Step 5 – Example: 2cacbbaa-e1b9-4b82-a86e-68d539d865da
d. Domain Name: verifydomain.docusign.net
Note: The process of updating DNS entries varies by vendor. You might need to coordinate with your
network administrator in order to make this change. Also, it may take up to 72 hours for DNS changes to
propagate. Coordinating ahead of time will ensure timely deployment of Single Sign-On.
As a sanity check, you can confirm that your changes are active with the steps outlined in Additional
reference information for claiming domains.
8. Once the DNS changes are active, return to DocuSign Admin and click DOMAINS.
23
9. Find the domain in the list, click ACTIONS on the same line as the domain name and select Validate.
DocuSign checks to see if the generated tokens are part of the DNS record. If successful, the domain status
changes to “Active.”
Your domain ownership is proven. You can now continue the SSO setup process or authorize connected apps
for domain users.
Note: DocuSign periodically reviews pending or active domain claims. It is possible that after updating your
DNS, your domain claim can become active in DocuSign even if you have not clicked validate. If you’ve
previously claimed a domain and removed the claim information from your DNS, these reviews would
invalidate that claim.
To get a TXT token for a claimed domain
1. In DocuSign Admin, click Domains.
2. In the list of domains, locate the domain for which you want to get the token.
3. Click ACTIONS on the same line as the domain name and select Get Token.
4. Copy the generated TXT token as needed.
5. Click CLOSE.
To withdraw a domain claim
You can relinquish control of a domain by withdrawing your domain claim. Releasing a domain removes any
security policies and may prevent users from logging on to the DocuSign eSignature application. This operation
should only be reserved for cases where you are certain there are no active users with an email address in the
domain.
24
Important: There is no way to undo this change. Use caution when withdrawing an active domain claim.
1. In DocuSign Admin, click Domains.
2. In the list of domains, find the domain you want to relinquish.
3. Click ACTIONS on the same line as the domain name and select Withdraw Claim.
4. Click CONFIRM to withdraw your claim.
Additional reference information for claiming domains
Domain DNS entry
• TXT or CNAME token must remain in the domain’s DNS entry. For as long as you want to reserve the
domain for your DocuSign organization, the token must remain in place. DocuSign periodically checks the DNS
to ensure claims are valid, and removal of a token would prevent your users from accessing DocuSign.
• The process of updating DNS entries varies by vendor. You might need to coordinate with your network
administrator in order to make this change. Also, it may take up to 72 hours for DNS changes to propagate
over the internet. Therefore coordinating ahead of time will ensure timely deployment of Single Sign-On.
• Optional – perform a sanity check to confirm the DNS change is active using one of the following
methods.
◦ For Windows users, open the command prompt and enter these commands:
nslookup –q=txt [myorganization.com]
nslookup –q=CNAME [Guid].[myorganization.com]
Where [myorganization.com] is the domain you are checking.
◦ For Mac users, open the terminal and enter these commands:
dig txt myorganization.com]
dig CNAME [Guid].[myorganization.com]
Where [myorganization.com] is the domain you are checking.
Identity Providers
Note: This guide is for DocuSign administrators. Single Sign-On requires DocuSign Admin.
This section covers Step 2 of the process to set up and enable SSO for your DocuSign Organization and provides
some supporting reference information on SAML specifications.
25
SSO enables your company to manage access to DocuSign through an Identity Provider, such as Okta, Azure,
Active Directory Federation Services (ADFS), and OneLogin. With SSO, DocuSign users must use the Company
Log In option. When they enter their domain email address, authentication is handled by an Identity Provider (IdP).
Once an email domain has been verified for your organization, the DocuSign administrator provides the
SAML configuration to allow DocuSign to establish interoperability with the IdP. The domain status must be
“Active” before you set up the SAML configuration for the IdP.
Once you have successfully configured your Identity Provider to work with your organization’s DocuSign account,
you can make SSO mandatory for all domain users to require any user on your email domain to authenticate with
your Identity Provider, and configure any required exceptions on a per user basis.
Note: DocuSign federation supports SAML 2.0 and all assertions must be sent with HTTP POST.
CONTENTS
Set up an Identity Provider (SSO Step 2)
SAML specifications for Single Sign-On
Related Topics
Set Up an Identity Provider
An organization must claim ownership of their email domain before setting up an Identity Provider. This is to
ensure that only domain owners have the ability to change the authentication method for its users. Setting up a
SAML configuration without claiming a domain will not result in any changes. See Domains for more information on
claiming a domain.
1. From the DocuSign Admin dashboard, click Identity Providers.
26
2. On the Identity Providers page, click ADD IDENTITY PROVIDER.
27
3. In the Identity Provider Settings form, complete the following required fields:
• Name. The name must be unique within the DocuSign system. The name is a label for this particular Identity
Provider setting and has no impact on the other settings.
• Identity Provider Issuer. This must match the issuer field in any SAML assertions.
• Identity Provider Login URL. This is the endpoint that handles the SAML Authentication Request.
Note: To view the endpoints of an existing Identity Provider, from the Identity Providers page, click Actions
and select Endpoints.
28
4. Specify AuthN and logout request settings as follows:
• Sign AuthN request: Select this option to require that DocuSign sign the AuthN request in SAML.
• Sign logout request: Select this option to require that DocuSign send a logout request.
• Select how the AuthN and logout requests are sent. Requests can be sent using a redirect (GET) or with
HTTP POST.
5. (Optional) Add custom attribute mappings.
DocuSign requires an assertion to contain the NameID, email, first name, and last name of a user and can
accept other optional fields (for more details, see the SAML Specifications). You can configure your Identity
Provider to match the standard configuration in DocuSign or you can use the Custom Attribute Mapping to
configure DocuSign to map those fields to other assertion attributes in your SAML response.
a) Click ADD NEW MAPPING to add a field.
b) Select the appropriate DocuSign Field and then type the Attribute Name that should be mapped to the field.
c) Click ADD NEW MAPPING to add another field, and then select the appropriate DocuSign Field and then
type the Attribute Name that should be mapped to the field.
29
6. Add at least one valid certificate used by the Identity Provider to sign SAML assertions.
7. Click SAVE to save the Identity Provider information.
Your IdP is set up and you can continue to Step 3 of the SSO setup process and test your SSO configuration.
Third-Party Login
Normally, SSO relies on claimed domain email addresses for authentication. With Third-Party Login, organizations
can allow approved users with unclaimed domain email addresses such as @gmail.com or @hotmail.com to log in
using SSO.
To be eligible to log in with Third-Party Login, the user must be a member of an account within your organization
and will need to be added to your identity provider (IdP).
Once they’ve been added, these users can login to DocuSign using your organization’s IdP.
Note: If a user tries to log in to your IdP with an email address containing a domain claimed by another
company, they will be logged in via the other company’s IdP.
To Configure Third-Party Login
Before setting up Third-Party Login, confirm that the users are members of an account within your organization.
1. From the DocuSign Admin dashboard, click the Identity Providers tile.
2. Locate the identity provider you’d like to enable Third-Party Login for, then click ACTIONS.
3. Click Edit.
30
4. Click to check Enable Third-Party Login.
5. Click SAVE.
6. Outside of DocuSign, log in to your IdP and add the any users you want to use third-party login.
Note: As the procedure for adding users varies based on the IdP, it is recommended to review any
available documentation provided by your IdP.
Your IdP is set up for Third-Party Login and you can continue to Step 3 of the SSO setup process to test your
SSO configuration.
SAML Specifications
DocuSign requires the following SAML configuration in order for federation to work.
31
The list below shows the attributes that are required in your SAML assertions and provides an example for each. If
the attribute names are different than what has been specified, you can configure DocuSign to capture this data
from other attributes in the assertion by mapping the attribute name. See To Set up an Identity Provider for more
information on Custom Attribute Mapping.
NameId (Required): DocuSign requires a unique identifier for a user. This unique identifier must be immutable
and cannot change for a user. In addition to that, this unique identifier cannot be recycled. An email address is not
recommended for use as an identifier, since a user can change emails or the email may be reissued. Instead,
DocuSign recommends that customers either use the employee ID or some other unique identifier.
This identifier is recorded in DocuSign as the Federated ID in the user’s Security details. If the NameID changes
on your IdP, you must clear the recorded federated ID in order for the user to log in. The new identifier will be
recorded the next time the user logs in through SSO.
<saml:Subject>
<saml:NameID>1234567890</saml:NameID>
<saml:SubjectConfirmation Method=”urn:oasis:names:tc:SAML:2.0:cm:bearer”>
<saml:SubjectConfirmationDataRecipient=”https://
account.DSW004886.docusignhq.com/saml2/login”/>
</saml:SubjectConfirmation>
</saml:Subject>
emailaddress (Required): The user’s email address.
<saml:Attribute Name=”http://schemas.xmlsoap.org/ws/2005/05/identity/claims/
emailaddress” NameFormat=”urn:oasis:names:tc:SAML:2.0:attrname-format:basic”>
<saml:AttributeValue>[email protected]</saml:AttributeValue>
</saml:Attribute>
givenname (Required): The user’s first name.
<saml:Attribute Name=”http://schemas.xmlsoap.org/ws/2005/05/identity/claims/
givenname” NameFormat=”urn:oasis:names:tc:SAML:2.0:attrname-format:basic”>
<saml:AttributeValue>John</saml:AttributeValue>
</saml:Attribute>
surname (Required): The user’s last name.
<saml:Attribute Name=”http://schemas.xmlsoap.org/ws/2005/05/identity/claims/
surname” NameFormat=”urn:oasis:names:tc:SAML:2.0:attrname-format:basic”>
<saml:AttributeValue>Jones</saml:AttributeValue>
</saml:Attribute>
accountid (Optional): The DocuSign ID for the account associated with the user. If specified, this accountId will
be used during just-in-time provisioning. This is the account that the user will be provisioned into when the user is
created on first login. The accountId must be in the account GUID format. This must be specified in conjunction
with the PermissionProfileId below, otherwise login will fail.
<saml:Attribute Name=”http://schemas.account.docusign.com/ws/2015/09/
identity/claims/accountid” NameFormat=”urn:oasis:names:tc:SAML:2.0:attrnameformat:basic”>
32
<saml:AttributeValue>bb151f08-c631-46c7-b2c2-44a5dca243dd</
saml:AttributeValue>
</saml:Attribute>
permissionprofileid (Optional): The DocuSign ID of the Permission Profile associated with the user. Permission
Profiles are sets of account permission settings that can be applied to individual users. Using this option allows
new users to be assigned to a permission profile when they are added to the account. The ID information can be
retrieved using the REST API.
If specified, this is the permission profile that will be assigned to the user in the above account when the user is
created on first login. This must be specified in conjunction with the accountid above, otherwise login will fail.
<saml:Attribute Name=”http://schemas.account.docusign.com/ws/2015/09/
identity/claims/permissionprofileid”
NameFormat=”urn:oasis:names:tc:SAML:2.0:attrname-format:basic”>
<saml:AttributeValue>1</saml:AttributeValue>
</saml:Attribute>
Related Topics:
• DocuSign Single Sign-On Overview
• Domains
• Test SSO Configuration
• Setting User Login Policy
Test SSO Configuration
Note: This guide is for DocuSign administrators. Single Sign-On requires DocuSign Admin.
This section covers Step 3 of the process to set up and enable SSO for your DocuSign organization.
Once you have successfully claimed a domain and configured an Identity Provider, you can test Single Sign-On
with your users. DocuSign recommends having a group of users test the configuration in Demo and, after that is
successful, switch to Production.
33
Instruct your users to do the following:
1. Go to the DocuSign log on page. The log on page used depends on the environment being tested.
Demo: https://account-d.docusign.com
Production: https://account.docusign.com
2. The user enters their email and clicks Continue.
3. Click Company Login.
DocuSign checks the email to determine the appropriate domain. The user is then redirected to the Identity
Provider, via SAML, to complete the logon process.
After successfully authenticating, the user is taken to the appropriate account in the DocuSign web application.
For new users (users that have not been added to your DocuSign account), DocuSign will provision them as a
new user under your organization’s default account; all of this happens automatically without any need for
administrator action.
Note: DocuSign’s just in time provisioning can be configured to create new users in a specific DocuSign
account with a specific permission profile.
If the tests were successful for all claimed domains, then you can be sure that all users on your domains will be
able to successfully log in with your Identity Provider configurations. You can proceed to Step 4 of the SSO setup
process, and change your domain settings to make SSO mandatory for all users and then configure any
exceptions.
Change Domain Settings
Note: This guide is for DocuSign administrators. Single Sign-On requires DocuSign Admin.
This section covers Step 4 of the process to set up and enable SSO for your DocuSign organization.
To enable SSO and enforce federated login for all users
1. In DocuSign Admin, click Domains.
34
2. In the list of domains, find the domain you want to edit.
3. Click the domain name or click ACTIONS on the same line as the domain name and select Edit.
4. Select the option Require all users to authenticate with Identity Provider.
All users are required to use the Company Login button to log on to the DocuSign web application with your
organization’s Identity Provider. Only enable this setting once you have added and tested an Identity Provider
configuration, otherwise users may not be able to log on to DocuSign.
SSO is enabled and mandatory for all domain users. You should now set user login policy to configure any
exceptions for users who need to be able to log in without requiring IdP authentication.
To apply additional domain security settings
Once SSO has been enabled for your domain, there are additional security options that you can apply to a
reserved domain for your domain users.
1. In DocuSign Admin, click Domains.
2. In the list of domains, find the domain you want to edit.
3. Click the domain name or click ACTIONS on the same line as the domain name and select Edit.
35
4. Select the security options to enable for your domain.
• Always require login when opening envelopes: When a user with the email domain receives a document,
they must first log in before they can open the document.
• Prevent unmanaged signups: Domain users cannot create individual accounts using their corporate email
address. These users can only be added to accounts linked to your organization. They must either be
created by your administrator or the Identity Provider.
• Disable Device Verification for password logins: By default, DocuSign requires users logging in from an
unrecognized device to reverify their email before continuing. Though it is recommended to keep this
enabled, some domains may need to disable it if users are unable to verify their email address each time
they log in. When checked, device verification will be disabled for all users on this domain.
5. Click SAVE to save the changes.
To set auto-activation of new memberships as the default
When adding memberships to new or existing domain users, you can choose to activate memberships
automatically by default. Memberships activated in this way will not receive an activation email. The administrator
can choose to override this option when adding a new user.
Memberships for existing domain users with a ‘Pending’ status can be activated manually from the user details
page. For more information, see User Management.
Note: This option is only available if the domain setting Require all users to authenticate with Identity
Provider is selected.
1. In DocuSign Admin, click Domains.
2. In the list of domains, find the domain you want to edit.
3. Click the domain name or click ACTIONS on the same line as the domain name and select Edit.
4. Select the option Auto-activate memberships by default for Organization accounts.
5. Click SAVE to save the changes.
New account memberships to Organization accounts will default to automatic activation.
Setting User Login Policy
Note: This guide is for DocuSign administrators. Single Sign-On requires DocuSign Admin.
When SSO is enabled for an Organization, all account users follow the policy settings specified for the domain.
For example, an organization’s email domain is myorganization.com. If the DocuSign administrator requires all
users to authenticate with an Identity Provider, then all users with an @myorganization.com email address are
required to authenticate with their corporate credentials.
36
Note: See Establish Control of your Company’s DocuSign Agreements to learn how you can gain control of
your company’s agreements with proven best practices and procedural guidelines.
There might be cases where using the default policy might not be appropriate for all users. Some examples of this
are:
• The DocuSign administrator might want to retain the ability to maintain a username and password in DocuSign.
This is helpful for cases where the administrator needs to access DocuSign to make updates to the
organization’s SSO configuration without going through the Identity Provider.
• An application or integration user cannot log in through an Identity Provider because that particular application
does not currently support SSO.
For these cases, DocuSign administrators have the option of setting login policies on a per user basis.
Important: This login policy setting deliberately overrides any policies that are enforced on the email domain,
and administrators should primarily use this as an exception rather than a standard rule for all users.
To change the login policy for users
1. In DocuSign Admin , click Users.
2. Click to select the Domain Users quick list.
Note: A login policy only applies to domain users who can use SSO to log in.
3. Find the user that will bypass federation. Click the user to access their details.
4. Select the Security tab for the user. The available settings are:
• Default: This setting uses the policies set for the user’s email domain.
• Identity Provider only: This setting requires a user to log on with an Identity Provider when SSO is optional
for users in the domain.
• Identity Provider or Username/Password: This setting allows a user to maintain a username and
password within DocuSign, even when SSO is required for all users in the domain.
5. Click SAVE to save the change.
6. Reset the password for this user or instruct the user to request a password reset by clicking the link in the log
in page.
Organization Administrators
An organization can have multiple DocuSign administrators. DocuSign administrators can have full rights to
manage an organization, or be limited to managing organization users or account settings only.
37
DocuSign administrators with full administrative rights can manage Single Sign-On (SSO) details, including
domains and identity providers. They can also manage all reserved domain users and all users belonging to the
accounts linked to the organization, without requiring direct administrative rights on the accounts themselves.
Note: See Establish Control of your Company’s DocuSign Agreements to learn how you can gain control of
your company’s agreements with proven best practices and procedural guidelines.
CONTENTS
DocuSign administrators
Add additional DocuSign administrators
Activate a DocuSign administrator membership
Resend, cancel, or edit a DocuSign administrator invitation
Remove a DocuSign administrator
DocuSign administrators
Every organization has at least one DocuSign administrator. By default, this is the eSignature administrator who
created the Organization. If DocuSign professional services helped set up your organization, the DocuSign
administrator may have been selected at that time instead. As a best practice, DocuSign recommends you have at
least two DocuSign administrators to help ensure continuity and coverage in managing your organization.
DocuSign Admin permission profiles
To provide better control over administrative access to your organization, there are different permission profiles
you can assign to administrators:
• Administrator: This permission profile grants full access to manage the organization. The administrator with
this permission profile can control, manage, and edit all features and users available in the organization.
• Users: This delegated administrator permission profile limits the administrator’s access to just managing
organization users. The administrator with this permission profile can add, edit, and close any nonadministrator user within the organization. When managing user memberships, this administrator is limited to
applying and making changes to non-administrator permission profiles only. This administrator cannot assign
an administrator permission profile to a user, nor can they change an administrator permission profile assigned
to a user. This delegated user administrator cannot add, edit, or close other DocuSign administrators.
• Settings: This delegated administrator permission profile limits the administrator’s access to viewing and
managing organization accounts and account settings. The administrator with this permission profile can view,
compare, export, and import account settings. They can also link and unlink accounts from the organization.
They cannot perform any user management tasks and do not have access to any other organizational
capabilities.
Note: Access to these permission profiles is determined by your account plan. If you do not see all of the
permission profiles described in this section it is because of the account plan options. Contact your account
manager or Customer Support for more information.
38
DocuSign Administrator Permission Profiles
The initial DocuSign administrator can create additional administrators for the organization, specifying which
permission profile is granted to each new administrator. Each DocuSign administrator with the Administrator
permission profile who accepts and activates their DocuSign administrator membership gains equal control over
all SSO details and all users across all accounts linked to the organization. In order for them to also have
administrative access to an account linked to the organization, they must have the All Administration Capabilities
permissions for the account.
You must be both a DocuSign administrator with the Administrator permission profile and an account administrator
to link an account to an organization. Therefore, assuming you want to link all of your corporate accounts to your
organization, for each account, you will need to make at least one account administrator (with the All
Administration Capabilities permissions) a DocuSign administrator. If you are an administrator on each account,
then you could link all accounts yourself and continue to manage the organization as the sole DocuSign
administrator.
Users can be a DocuSign administrator for multiple organizations.
To add a DocuSign administrator
Any DocuSign administrator with the Administrator permission profile can add additional DocuSign administrators
by inviting other DocuSign users. To become a DocuSign administrator, a DocuSign account is required, but the
account does not need to be associated with the organization.
1. From the DocuSign Admin dashboard, click Administrators.
2. In the DocuSign administrators list, click ADD ADMIN.
39
3. Fill in the user’s name and email address to send an invitation to the user. Be sure to enter the user’s email
associated with their DocuSign account.
4. Select the Permission Profile to grant to the new administrator. Select Administrator for full control over the
organization, Users Administrator to create a delegated user manager, or Settings Administrator to create a
delegated accounts manager.
5. Click ADD ADMINISTRATOR.
The user is added to the list of DocuSign administrators with the status “Pending”. The user receives an email
invitation and must activate their membership as described in To activate a DocuSign administrator
membership.
To activate a DocuSign administrator membership
If you are invited to join an organization as a DocuSign administrator, you receive an email invitation to activate
your administrator membership.
40
1. Open the DocuSign administrator membership activation email you received, and click ACTIVATE.
2. Enter your DocuSign account credentials to log in to your account.
41
3. The activation page opens where you can review your invitation details.
42
4. Click ACTIVATE to finalize your administrator membership.
Your membership is activated and you arrive at the DocuSign Admin dashboard.
If you are assigned the Users Administrator permission profile, your DocuSign Admin dashboard is limited to
the Users, Accounts, and bulk actions tiles.
43
If you are assigned the Settings Administrator permission Profile, your DocuSign Admin dashboard is limited to
the Accounts and Bulk Actions tiles.
To resend, cancel, or edit a DocuSign administrator invitation
Any DocuSign administrator with the Administrator permission profile can resend or cancel invitations that are
pending.
1. From the DocuSign Admin dashboard, click Administrators.
44
2. Locate the pending invitation. You can use the Filters to show only Pending status, or search by name or email.
3. Click the Actions menu and select to resend, cancel, or edit the invitation.
• Edit: Modify the pending administrator’s name or permission profile. To change the email address, delete
the original invitation and re-add the user as an administrator using the new email address.
• Resend invitation: Sends a new email invitation to the pending user.
• Delete invitation: Cancels the invitation. If the user tries to activate their membership, they get a message
saying the invitation is no longer valid.
To remove a DocuSign administrator
Any DocuSign administrator with the organization permission profile can remove any other active DocuSign
administrator. When you remove a DocuSign administrator, the user loses all access to the organization.
1. From the DocuSign Admin dashboard, click Administrators.
45
2. Locate the administrator you want to remove from the organization. You can use the Filters to show only Active
status, or search by name or email.
3. Click the Actions menu and select Remove.
4. Click CONFIRM to remove the administrator.
Bulk Actions
Note: This guide is for DocuSign administrators who oversee multiple accounts. For administrators of
individual accounts, see the DocuSign eSignature Admin guide Add and Update Users in Bulk.
As a DocuSign administrator, you can view and manage details for multiple users or accounts at a time. Bulk
actions enable DocuSign administrators to manage details for all users and all accounts within an organization.
Select a topic below for more information:
• User list exports
• Bulk add users
• Bulk update users
• Bulk close users
• Account settings export
• Account settings import
• Envelope reporting
User List Exports
Note: This guide is for DocuSign administrators who oversee multiple accounts. For administrators of
individual accounts, see the DocuSign eSignature Admin guide Add and Update Users in Bulk.
DocuSign Administrators and Users Administrators can export a list of users across all accounts in the
organization as a comma-separated value (CSV) file. Exports include user details such as full name, email
address, and permission profile.
46
Export types:
• Users and Memberships: All users and their memberships across all accounts in the organization.
• Domain Users: All domain users, their profile details, default account, and login policy.
• External Domain Users: All domain users memberships in accounts external to the organization.
Note: Organizations without a claimed domain will see only the Users and Memberships export option.
To export a list of users
1. From the DocuSign Admin dashboard, click the Bulk Actions tile.
2. Click the USERS tile.
47
3. Select the export type from the drop-down menu.
Export types:
• Users and Memberships: All users and their memberships across all accounts in the organization.
• Domain Users: All domain users, their profile details, default account, and login policy.
• External Domain Users: All domain users memberships in accounts external to the organization.
Note: Organizations without a claimed domain will see only the Users and Memberships export option.
4. Click EXPORT.
Note: Only one type of export or import can be in progress at a time.
48
5. From the ACTIVITY tab, you can view the status of the export. Click the refresh icon to update the export
status. When the export is complete, click VIEW.
6. Click DOWNLOAD to download the export CSV. When finished, click CLOSE.
Note: Your organization can store a combination of up to 100 user exports and account settings exports at
a time; both are retained for 90 days. To manually delete exports, click DELETE EXPORT, then click
DELETE.
49
Bulk Add New Users
Note: This guide is for DocuSign administrators who oversee multiple accounts. For administrators of
individual accounts, see the DocuSign eSignature Admin guide Add and Update Users in Bulk.
DocuSign Administrators and Users Administrators can bulk add new users to one or more accounts by uploading
a comma-separated value (CSV) file. The format of the CSV must match the sample file. For more information on
the CSV format, see Building a CSV.
You can add up to 2,000 users to an account and include up to 50 accounts per imported CSV. The maximum
number of users per import is 8,000.
To add multiple users with bulk actions
1. From the DocuSign Admin dashboard, click the Bulk Actions tile.
2. Click the USERS tile.
3. In the Users dialogue, click to select the IMPORT tab.
50
4. Select Add new users, then click SELECT FILE TO IMPORT.
Select the CSV file to import. Make sure the formatting matches the sample CSV provided. For more details,
see Building a CSV.
5. Click IMPORT. The system asks you to confirm the import.
51
6. From the ACTIVITY tab, you can view the status of the import. Click the refresh icon to update the import
status. When the import is complete, click VIEW.
Building a CSV to bulk add users
Your CSV import file is made up of a header row with the column headers and a row of user or account data for
each user you want to add to an account. Only new users can be imported. Any changes to existing users will be
ignored. To make changes to existing users, see bulk updating users.
To ensure your CSV is properly formatted, use the Sample Bulk Add CSV file as a template.
The header row for add users
The first line of the file is the header row which defines each of the columns. The header values are not required to
be in the order listed and are not case-sensitive, but the text must match listed values.
*Required columns: Your CSV file must contain these columns: AccountID, FirstName, LastName, UserEmail, and
eSignPermissionProfile. The rest of the header values are optional.
Note: For the user’s name, you can use either the FirstName and LastName columns together, or the User
Name column. Your spreadsheet should only contain one of these; if both FirstName/LastName and
UserName columns are present in your CSV, the values entered in the UserName column take precedence.
The EnableCLM and CLMPermissionProfile columns are only applicable for organizations with the CLM product.
Note: The LoginPolicy and AutoActivation columns only apply to organizations with a reserved domain and
Single Sign-On (SSO) through an Identity Provider. For more information, see the DocuSign Single Sign-On
Overview.
The acceptable column header values for an Add Users CSV file are:
Header Row Value Description
AccountID The 32 character API Account ID of the user’s account
in your organization. This can be found in the in the API
and Keys section of the account. Required column.
AccountName The name of the user’s account in your organization.
The account name must match the Account ID
provided.
52
Header Row Value Description
FirstName The user’s first name. Required column.
LastName The user’s last name. Required column.
UserName The user’s full name. This can be used instead of
FirstName and LastName. This is useful for languages
which place family names before given names.
***Required column. If this column is used instead of
FirstName and LastName, it is required.
UserEmail The user’s complete email address. Required column.
eSignPermissionProfile The user’s permission profile for the eSignature
product. This value must match an existing permission
profile for the account. This value is not casesensitive.Required column.
EnableCLM Grants the user access to the CLM product. If you
grant a user access to CLM, you must also assign them
a Permission profile for that product with the
CLMPermissionProfile column.
• TRUE – The user has access to CLM.
• FALSE – The user does not have access to CLM.
CLMPermissionProfile The user’s permission profile for the CLM product. This
value must match an existing permission profile for the
account. This value is not case-sensitive.
If you assign a user a CLM permission Profile, you must
also grant them access to the CLM product with the
EnableCLM column.
UserTitle The user’s job title.
CompanyName The user’s company name.
Group The user’s assigned groups. The Group values must
match existing Group names for the account. Additional
Group columns can be added to the file to add users to
more than one group.
You do not need to add users to the Everyone group,
since all new users are automatically added to that
group.
AddressLine1 The user’s address – first line.
AddressLine2 The user’s address – second line.
City The user’s city name.
StateRegionProvince The user’s regional location.
PostalCode The user’s postal code.
Phone The user’s phone number.
53
Header Row Value Description
Language The user’s display language for their DocuSign
account. See the list of language codes below.
LoginPolicy The user’s login policy. Valid values include the
following:
• Column left blank – The user is created with no
policy assigned.
• FedAuthRequired – The user must log in with an
Identity Provider.
• FedAuthBypass – The user may log in with an
Identity Provider or their DocuSign username and
password.
For more information on login policies, see Setting User
Login Policy.
AutoActivate For domain users, new users can be activated
automatically for domain accounts using SSO by
setting the value to TRUE.
The user is activated automatically once the import is
complete. Memberships activated in this way will not
receive an activation email.
The access code option (adding an access code for authentication during user activation) cannot be used with
this bulk action.
The user data
In the lines of the file below the header row, add the user information with commas used as the delimiter
(separator) between each value.
If you are using Microsoft® Excel® to create your file, you can enter the header values (FirstName, LastName,
UserEmail, etc.) in different columns on the first line, enter the user information on subsequent lines, and save the
file as a CSV file. You do not need to add commas; Excel will automatically do this when you save the file.
Example Add Users – Excel:
Display language values
The Language value is the default language for the user. The value can be any of the codes shown below:
Language = Code
• Chinese Simplified = zh_CN
54
• Chinese Traditional = zh_TW
• Dutch = nl
• English = en
• French = fr
• German = de
• Italian = it
• Japanese = ja
• Korean = ko
• Portuguese = pt
• Portuguese Brazil = pt_BR
• Russian = ru
• Spanish = es
Bulk Update Users
Note: This guide is for DocuSign administrators who oversee multiple accounts. For administrators of
individual accounts, see the DocuSign eSignature Admin guide Add and Update Users in Bulk.
DocuSign Administrators and Users Administrators can bulk update existing users across one or more accounts
by uploading a comma-separated value (CSV) file. For more information on the CSV format, see Building a CSV.
You can update up to 2,000 users on an account and include up to 50 accounts per imported CSV. The maximum
number of updated users per import is 8,000.
Note: DocuSign administrators with a claimed domain can also update email addresses for users on their
domain. For more information, see Updating user email addresses.
To update multiple users with bulk actions
1. From the DocuSign Admin dashboard, click the Bulk Actions tile.
55
2. Click the USERS tile.
3. In the Users dialogue, click to select the IMPORT tab.
56
4. Select Update existing users, then click SELECT FILE TO IMPORT.
Select the CSV file to import. Make sure the formatting matches the sample CSV provided. For more details,
see Building a CSV.
5. Click IMPORT. The system asks you to confirm the import.
• Click CONFIRM to continue
• Click CANCEL to replace the file or cancel the upload process
Note: Only one type of import or export can be in progress at a time.
57
6. From the ACTIVITY tab, you can view the status of the import. Click the refresh icon to update the import
status. When the import is complete, click VIEW.
Building a CSV to bulk update users
Your CSV import file is made up of a header row with the column headers and a row of account and user data for
each user you want to update. Only existing users will be updated; to add new users, see bulk adding users.
Tip: To start, export a user list from accounts within your organization. The user data in this list can be used to
populate your bulk update CSV file.
To ensure your CSV is properly formatted, use the Sample Bulk Add CSV file as a template.
The header row for update users
The first line of the file is the header row which defines each of the columns. The header values are not required to
be in the order listed and are not case-sensitive, but the text must match listed values.
Note: If you’re changing a user’s name, use either the FirstName and LastName columns together, or the User
Name column. Your spreadsheet should only contain one of these.
*Required columns: Your CSV file must contain these columns: AccountID, APIUserName, and UserEmail. The
rest of the header values are optional.
Note: All of the required columns must remain unchanged.
The acceptable column header values for an Update Users CSV file are:
Header Row Value* Description
AccountID The 32 character API Account ID of the user’s account
in your organization. Required column.
AccountName The name of the account.
APIUserName The unique user ID. Required column.
FirstName The user’s first name.
58
Header Row Value* Description
LastName The user’s last name.
UserName The user’s full name.
UserEmail The user’s complete email address. To update the
user’s email address, use the UpdatedUserEmail
column. Required column.
eSignPermissionProfile The user’s permission profile for the eSignature
product. This value must match an existing permission
profile for the account. This value is not case-sensitive.
EnableCLM Grants the user access to the CLM product. If you
grant a user access to CLM, you must also assign them
a Permission profile for that product with the
CLMPermissionProfile column.
• TRUE – The user has access to CLM.
• FALSE – The user does not have access to CLM.
CLMPermissionProfile The user’s permission profile for the CLM product. This
value must match an existing permission profile for the
account. This value is not case-sensitive.
If you assign a user a CLM permission Profile, you must
also grant them access to the CLM product with the
EnableCLM column.
Language The user’s display language for their DocuSign
account. See the list of language codes below.
UserTitle The user’s job title.
CompanyName The user’s company name.
AddressLine1 The user’s address – first line.
AddressLine2 The user’s address – second line.
City The user’s city name.
StateRegionProvince The user’s regional location.
PostalCode The user’s postal code.
Phone The user’s phone number.
59
Header Row Value* Description
LoginPolicy The user’s login policy. Valid values include the
following:
• Column left blank = The user is created with no
policy assigned.
• FedAuthRequired = The user must log in with an
Identity Provider.
• FedAuthBypass = The user may log in with an
Identity Provider or their DocuSign username and
password.
For more information on login policies, see Setting User
Login Policy.
Group The user’s assigned groups. The Group values must
match existing Group names for the account. Additional
Group columns can be added to the file to add users to
more than one group.
You do not need to add users to the Everyone group,
since all new users are automatically added to that
group.
UpdatedUserEmail If updating domain user email addresses, use this
column to enter the new email address. For more
information see Updating user email addresses.
The user data
In the lines of the file below the header row, add the user information with commas used as the delimiter
(separator) between each value.
If you are using Microsoft® Excel® to create your file, you can enter the header values (FirstName, LastName,
UserEmail, etc.) in different columns on the first line, enter the user information on subsequent lines, and save the
file as a CSV file. You do not need to add commas; Excel will automatically do this when you save the file.
Example Update Users – Excel:
Updating user email addresses
DocuSign Administrators and Users Administrators with a claimed domain can update email addresses for users
on their domain.
You can update email addresses for your users if the following conditions are met:
• The organization has claimed the domain – for more information, see Setting Up SSO: Domains.
60
• The user’s email address is on the domain – i.e. if your domain is www.example.com, the user’s email would be
[email protected]
• If the organization has more than one claimed domain, you can also update the domain of the user to match
another claimed domain.
Note: You cannot change an email address for a user on a domain you have not claimed.
To change a user’s email address, download and populate the sample CSV provided. The UserEmail column will
remain unchanged and should contain the current user’s email address.
In the UpdateUserEmail column, enter the new email address you’d like to use. After completing the import, the
user’s email address is updated.
Display language values
The Language value is the default language for the user. The value can be any of the codes shown below:
Language = Code
• Chinese Simplified = zh_CN
• Chinese Traditional = zh_TW
• Dutch = nl
• English = en
• French = fr
• German = de
• Italian = it
• Japanese = ja
• Korean = ko
• Portuguese = pt
• Portuguese Brazil = pt_BR
• Russian = ru
• Spanish = es
Bulk Close Users
Note: This guide is for DocuSign administrators who oversee multiple accounts. This feature is not currently
available for eSignature administrators. To close users on an individual account, see Manage Users.
DocuSign Administrators and Users Administrators can bulk close existing users across one or more accounts by
uploading a comma-separated value (CSV) file. For more information on the CSV format, see Building a CSV.
If users created free or freemium accounts using a corporate email addresses, a DocuSign administrator may want
to close these accounts. You can also bulk close these external domain accounts as long as they are not linked to
an organization.
61
Note: To learn more about managing domain users and other best practices, see Establish Control of your
Company’s DocuSign Agreements.
You can close up to 2,000 users on an account across up to 50 accounts per imported CSV. The maximum
number of closed users per import is 8,000.
CONTENTS
Closing organization users
Closing external domain users
Building a CSV
Closing organization users
To close multiple user memberships using bulk actions
1. From the DocuSign Admin dashboard, click the Bulk Actions tile.
2. Click the USERS tile.
3. In the Users dialogue, click to select the IMPORT tab.
62
4. Select Close existing users.
5. (Optional) To remove the users from any signing groups they belong to, leave the Remove users from signing
groups check box selected. If you leave them in signing groups, you can always edit the groups later to
remove them. However, until you remove them, they can continue to receive any notifications sent to the signing
groups they belong to.
6. Click SELECT FILE TO IMPORT.
Select the CSV file to import. Make sure the formatting matches the sample CSV provided. For more details,
see Building a CSV.
63
7. Click IMPORT. The system asks you to confirm the import.
• Click CONFIRM to continue
• Click CANCEL to replace the file or cancel the upload process
Note: Only one type of import or export can be in progress at a time.
8. From the ACTIVITY tab, you can view the status of the import. Click the refresh icon to update the import
status. When the import is complete, click VIEW.
Closing external domain users
In order to close an external domain user, the user must be on a free or freemium account that is not linked to an
organization. A closed user will no longer have access to the account or any documents within the account.
To close multiple external domain user memberships using bulk actions
1. From the DocuSign Admin dashboard, click the Bulk Actions tile.
64
2. Click the USERS tile.
3. In the Users dialogue, click to select the IMPORT tab.
65
4. Select Close external domain users.
5. Click SELECT FILE TO IMPORT.
Select the CSV file to import. Make sure the formatting matches the sample CSV provided. For more details,
see Building a CSV.
6. Click IMPORT. The system asks you to confirm the import.
• Click CONFIRM to continue
• Click CANCEL to replace the file or cancel the upload process
Note: Only one type of import or export can be in progress at a time.
66
7. From the ACTIVITY tab, you can view the status of the import. Click the refresh icon to update the import
status. When the import is complete, click VIEW.
Building a CSV to bulk close users
Your CSV file is made up of a header row with the column headers and a row of account and user data for each
user you want to close.
Tip: Start by exporting a user list from your organization. The user data in this list can be used to populate
your bulk close CSV file.
• For organization users, use the ‘Users and Memberships’ or ‘Domain Users’ export type.
• For external domain users, use the ‘External Domain Users’ export type.
To ensure your CSV is properly formatted, use the Sample Bulk Close CSV file as a template.
The header row for close users
The first line of the file is the header row which defines each of the columns. The AccountID column must be the
first column in the file.
*Required columns: Your CSV file must contain these columns: AccountID, APIUserName, and UserEmail. No
other columns are necessary.
The acceptable column header values for a Close Users CSV file are:
Header Row Value* Description
AccountID The 32 character API Account ID of the user’s account
in your organization. Required column.
APIUserName The unique user ID. Required column.
UserEmail The user’s complete email address. Required column
67
The user data
In the lines of the file below the header row, add the user information with commas used as the delimiter
(separator) between each value.
If you are using Microsoft® Excel® to create your file, you can enter the header values (AccountID, APIUserName,
UserEmail) in different columns on the first line, enter the user information on subsequent lines, and save the file
as a CSV file. You do not need to add commas; Excel will automatically do this when you save the file.
Account Settings Export
DocuSign administrators with the Administrator or Settings Administrator permission profiles can download and
view all settings for eSignature accounts in the organization. This information can be used to compare settings
across accounts and facilitate audits for compliance.
You can export settings information for up to 40 accounts at a time. Exports are downloaded as a commaseparated value (CSV) file.
To export account settings
1. From the DocuSign Admin dashboard, click the Bulk Actions tile.
2. Click the ACCOUNTS tile.
68
3. Click EXPORT.
Note: If your organization has more than 40 accounts, select the accounts to include, then click EXPORT.
4. From the ACTIVITY tab, you can view the status of the export. Click the refresh icon to update the export
status. When the export is complete, click VIEW.
Note: Only one type of import or export can be in progress at a time.
69
5. Click DOWNLOAD to download the export CSV. When finished, click CLOSE.
Note: Your organization can store a combination of up to 100 account settings exports and user exports at
a time; both are retained for 90 days. To manually delete exports, click DELETE EXPORT, then click
DELETE.
Account Settings Import
Note: This guide is for DocuSign administrators who oversee multiple accounts. This feature is not available
for individual eSignature accounts.
DocuSign administrators with the Administrator or Settings Administrator permission profiles can import updated
account settings for one or more eSignature accounts by uploading a comma-separated value (CSV) file. This is
useful for making organization-wide changes to specific account settings and replicating settings across multiple
accounts. It can also be used to clone account settings from the DocuSign Demo environment to accounts in
Production.
You can import settings for up to 40 accounts at a time.
Note: Export a CSV of settings for the accounts you want to modify by using Account Settings Export. With
that file as a template, you can update and import the new settings. For more information on the CSV format,
see Preparing a CSV.
To update multiple accounts using account settings import
1. From the DocuSign Admin dashboard, click the Bulk Actions tile.
70
2. Click the ACCOUNTS tile.
3. In the Accounts dialogue, click the IMPORT tab.
71
4. Click SELECT FILE TO IMPORT.
Select the CSV file to import. For more details on preparing an import, see Preparing a CSV.
5. Click IMPORT. The system asks you to confirm the import.
72
6. From the ACTIVITY tab, you can view the status of the import. Click the refresh icon to update the import
status. When the import is complete, click VIEW.
Preparing a CSV for account settings import
Your CSV import file is made up of a header row with three standard column headers and additional columns for
each account. The rows of the CSV contain the settings available for your accounts and their values.
Because accounts and account plans differ, it is best to use an export of your accounts as a template.
To start, export a CSV of settings for the accounts you want to modify by using Account Settings Export. You can
update settings for your accounts with the values provided in the settings mapping table.
The header row for account settings import
The first line of the file is the header row which defines each of the columns. The header values must be in the
order listed.
Required columns: Your CSV file must contain these columns: Category, Key, and additional columns for any
accounts to be updated. The Name column is optional and is provided for your information.
Each account listed must have the account name as the header, with the account number and the environment of
the account (Demo or Production) below it.
Note: When importing settings from demo accounts to production accounts, ensure that the account name,
account ID, and environment are correct before uploading the file.
Account settings rows and their values
To view all potential account settings and their values, download the settings mapping table.
73
The table uses single quotation marks to distinguish various values; when changing a value on your import CSV,
remove the quotation marks.
Note: Because account plans differ, some of the settings displayed in this file may not appear on your account
export. Contact your account manager with any questions.
There are three types of settings : Boolean, numeric, and text value.
Organization Reporting
Note: This guide is for DocuSign administrators who oversee multiple accounts. Administrators of individual
eSignature accounts should review Using Reports – eSignature User Guide.
DocuSign Administrators can generate a variety of reports for envelope, user, and group activity. These reports
can be run on any accounts in the organization, and each report can include up to 40 accounts at a time. Data
can be pulled from up to a year prior to the report date. Reports are exported in a CSV file with separate rows for
each account and labeled columns containing the report results.
Note: If the organization has more than 40 accounts, you will be prompted to select which accounts you’d like
to report on.
Report Types
Note: If you do not see these reports in your organization, they may not be enabled. Contact your account
team for more information.
Organization reporting allows you to perform standard, account-level reports at the organization level. Each report
is broken down per account, with multiple accounts in a single report. For more information on the contents of
these standard reports, see our list of standard reports
The following report types are available in DocuSign Admin:
• Envelope Report: Information on envelopes sent from all accounts.
• Envelope Volume Report: Envelope status totals for a specified time period
• Envelope Recipient Report: Sender and recipient information on sent envelopes
• Envelope Status Report: Totals based on envelope status
74
• Envelope Velocity Report: Totals based on envelope completion time
• Recipient Activity Report: Recipient activity on all sent envelopes
• User Activity Report: User activity across all accounts
• Group Activity Report: Activity broken down by group
• Account Activity Report: Summary of user, envelope, and template data across all accounts
To export an organization report
1. From the DocuSign Admin dashboard, click the Bulk Actions tile.
2. Click the ENVELOPE REPORTS tile.
3. Select the report type and the accounts you’d like to report on.
Note: If your organization contains less than 40 accounts, the report will return results for all accounts.
4. Select the time period you’d like to report on, then click EXPORT.
5. From the ACTIVITY tab, you can view the status of the report. Click the refresh icon to update the status. When
the report is complete, click VIEW.
75
6. Click DOWNLOAD to download the report as a CSV file.
Accounts
An organization is comprised of multiple DocuSign eSignature accounts. When you first create an organization,
the account used in this process becomes the default account and is used for just-in-time provisioning of new
users. You can consolidate management of the DocuSign eSignature accounts used across your company, and
their users, by linking them to the organization.
You can also invite external domain accounts to link with your organization.
CONTENTS
View organization accounts
View and compare account settings
Link accounts to build out your organization and extend SSO
Invite external domain accounts to link with your organization
Find accounts linked to another organization
Related topics
View organization accounts
From the Accounts tile, you get a list of all the accounts that are part of the organization.
76
These are the accounts that take advantage of the SSO provisioning and identity management set up for your
organization. The users in the accounts can all be viewed and managed through DocuSign Admin, and you can
assign new account memberships to any account in the organization.
View and compare Account Settings
A DocuSign administrator with either the Administrator or Settings permission profile can view and compare the
settings for linked accounts.
You can search for settings by category or setting name and filter by matching or differing values.
Note: If this feature is not available, it may not be enabled for your organization. Contact your account
manager to enable this feature.
To view and compare account settings
1. From the DocuSign Admin dashboard, click Accounts.
2. In the Manage Accounts list, locate the account you want to view by searching or scanning the list.
77
3. Click the Actions menu for the account select View Account Settings.
4. Select the account you want to compare from the drop-down list and click COMPARE.The settings for both
accounts are displayed side by side. Settings that are different between the two accounts are highlighted in
red.
5. You can search for a setting by category or by name. To search by only matching or differing settings, click the
filters icon.
78
6. Select the filter setting you want applied. The corresponding settings for both accounts are displayed.
Linking accounts to an organization
The DocuSign administrator can link and unlink accounts to the organization, allowing them to manage the
accounts in their organization on their own, without any need to engage DocuSign Professional Services.
Linking accounts, along with SSO identity management, is the critical activity in building out an organization. When
you link accounts, you gain the following:
• Builds the user base for management. Users in linked accounts can be managed from the organization.
Users can be granted memberships to multiple accounts in the organization.
• SSO just-in-time provisioning. When a user logs in using a reserved domain email, if they do not have an
account membership on an account in the organization, then just-in-time provisioning creates an account for
them in the default organization account.
Linking accounts allows your organization administrators to manage all account users with the centralized tools
provided in DocuSign Admin.
Note: You can also invite external domain accounts to link with your organization. To send an invitation, see
Inviting external domain accounts to link.
Requirements for linking an account:
• You must be a DocuSign Administrator for your organization
• You must have full eSignature Administrator permissions on the account to be linked
• The account must not already be linked to an organization
Note: If you meet these criteria but do not see your account as available to link, you may need to extend
membership rights to all of your memberships. For more information, see the troubleshooting information.
To link an account, you must be a full DocuSign eSignature administrator on that account. The account must not
already be linked to an organization.
To link administered accounts to an organization
1. From the DocuSign Admin dashboard, click Accounts.
79
2. In the Manage Accounts list, click Link Accounts then select Link Administered Accounts.
Link Administered Accounts is available only if there are any accounts for which you have the necessary
administrator permissions that are not already linked to an organization.
3. In the Link Accounts dialog, the accounts for which you are an account administrator with All Administration
Capabilities permissions are displayed. Select the accounts you would like to link to the organization.
4. Click LINK ACCOUNTS.
To unlink accounts from an organization
The DocuSign administrator can unlink accounts from the organization. You cannot unlink the organization’s
default account. When you unlink an account, the account and its users can no longer be managed through the
organization.
80
1. From the DocuSign Admin dashboard, click Accounts.
2. In the Manage Accounts list, locate the account you want to unlink from the organization by searching or
scanning the list.
3. Click the Actions menu for the account to modify and select Unlink from Organization.
4. Provide a reason for unlinking the account and click Confirm.
The account is unlinked from the organization.
Inviting External Domain Accounts to Link
DocuSign administrators with the Administrator permission profile can invite external domain accounts to link with
the organization. External domain accounts are eSignature accounts that contain a user whose email address is
under your organization’s claimed domain.
If the eSignature account has multiple administrators, the invitation will be sent to the five most recently active
administrators. The administrator can choose to accept or decline the link, though if they decline, they must
provide a reason.
Note: You can generate a report of all users with external domain accounts. For more information, see User
List Exports.
81
To send an invitation to link with the organization
1. From the DocuSign Admin dashboard, click Accounts.
2. In the Manage Accounts list, click Link Accounts then select Invite Domain Accounts.
3. If prompted, select a domain to search under and click SEARCH.
Note: If a search has already been completed, click SEARCH AGAIN to begin a new search.
4. Click REFRESH to reload the page with your search results.
Note: The search may take some time, you can leave the page. Return later by clicking Link Accounts and
selecting Invite Domain Accounts on the Accounts page.
82
5. Select the accounts you want to invite to the organization, then click SEND INVITATIONS.
The accounts are added to the list of linked accounts with the status “Pending”. The eSignature administrators
receive an email invitation and must accept or decline to proceed.
Managing invitations
View and manage pending, accepted, or declined invitations from the Manage Accounts list. You can resend or
cancel pending invitations and delete declined invitations.
1. From the DocuSign Admin dashboard, click Accounts.
2. In the Manage Accounts list, locate the invited account you want to view by searching or scanning the list.
3. Click the Actions menu for the account and select one of the following:
• Invitation Details – This provides information such as who sent the invitation, when it was sent, and when it
was accepted or declined. If declined, it will also include the decline reason provided.
• Resend Invitation – This action sends the invitation again.
• Cancel Invitation – This action cancels the invitation. The invited eSignature administrator will no longer be
able to accept or decline the invitation. This will also remove the account from the Manage Accounts list.
• Delete Invitation – This action is only available for declined invitations. This removes the account from the
Manage Accounts list.
Finding accounts linked to another organization
By default the list of accounts to link shows only those accounts for which you are an account administrator and
that are not yet linked to an organization. If you have accounts that are linked to another organization, you can
83
change the default filter to find them. Once you identify these accounts, if you want to link them to your current
organization, you must first unlink them from the existing organization.
1. From the DocuSign Admin dashboard, click Accounts.
2. In the Manage Accounts list, click Link Accounts then select Link Administered Accounts.
3. In the Link Accounts dialog, click FILTERS.
4. Select the Has Organization check box and click APPLY.
The list of accounts shows any accounts for which you are an administrator and that are already linked to an
organization.
Troubleshooting
Why can’t I access DocuSign Admin on all of my accounts within the organization?
This can happen if you are a member of accounts on more than one server environment (NA1, NA2, EU, AU, etc.).
If you can access DocuSign Admin on some, but not all of your associated accounts, or are unable to link an
account for which you are an eSignature Administrator, follow these steps:
1. From the DocuSign Admin dashboard, click Users.
2. Enter your email address into the search bar, then click SEARCH.
3. From the user details page, click EXTEND ORGANIZATION RIGHTS TO ALL MEMBERSHIPS.
All of your account memberships within the organization can now access DocuSign Admin.
84
Related topics
For more information on topics related to organization accounts, see the following:
• Establish Control of your Company’s DocuSign Agreements: Gain control of your company’s agreements with
proven best practices and procedural guidelines.
• Default account for an organization: The default account for an organization is used for just-in-time provisioning
of new users.
• Navigate to an account: From DocuSign Admin, you can navigate back to the account administration app for
any account on which you are an administrator.
• Managing users: Linking accounts to your organization enables the administrators to manage users from
central organization controls.
• Add DocuSign administrators: Add DocuSign administrators to help manage and build out your organization,
linking additional accounts which they control.
Navigating to an Account
Note: This guide is for DocuSign administrators who oversee multiple linked accounts. For other
administrators, see Switch Accounts – DocuSign User Guide.
Within DocuSign Admin, all DocuSign administrators can manage the users on any linked account. For the
organization’s reserved domains, admins can also manage any users using a domain email for any DocuSign
account. However, for full account administration of an account, you’ll want to return to the DocuSign eSignature
Admin view. You must be an administrator on an account in order to navigate to the account’s administration view.
Use the admin switcher
You can view a list of just the accounts for which you are an account administrator. From this list, you can navigate
to eSignature Admin for any one of the accounts.
1. From anywhere in DocuSign Admin, click SWITCH TO….
85
2. The admin switcher appears. It displays a list of all accounts for which you are an account administrator.
3. Click ESIGNATURE ADMIN to go to the eSignature Admin home page for that account.
Navigate to a linked account
If your account is linked to the organization, you can also navigate to the DocuSign eSignature Admin view from
the Accounts list.
1. From the DocuSign Admin dashboard, click the Accounts tile.
2. Locate your account in the list of accounts and click on it to navigate to the DocuSign eSignature Admin view
for the selected account
Note: To link additional accounts, review Managing Accounts.
Default Account and Just-in-Time Provisioning
Note: This guide is for DocuSign administrators who oversee multiple accounts. To set a default account as a
user, see Switch Accounts and Set a Default Account.
When an organization is created, the eSignature account from which it was created becomes the default account.
The default account cannot be unlinked from the organization and can be used for just-in-time provisioning of new
86
users. Once you link additional accounts to the organization, you can change the default account to any of the
other linked accounts.
The default account and permission profile is used for basic just-in-time provisioning of new users. For more
advanced control, you can set up your identity provider to include provisioning details in SAML and add users to
different accounts and permission profiles.
CONTENTS
Edit the default account and permission profile
About just-in-time provisioning
Related topics
To edit the default account and permission profile
You can edit the default account and permission profile from the Identity Providers page.
1. From the DocuSign Admin dashboard, click Identity Providers.
2. On the Identity Providers page, you can see the current selections for the default account and the default
permission profile.
3. Click Edit.
87
4. In the Change Default Account and Permission Profile dialog, make new selections as desired, and click
Change.
Just-in-Time Provisioning
Through the organization’s SSO setup, you can provision domain users with a DocuSign eSignature account the
first time they log in. Just-in-time provisioning reduces the friction and administrative overhead for adding users to
accounts in your organization.
When a user logs in using a reserved domain email, the system checks to see if the email exists in any of the
organization accounts. If the email is not found, then a new user account is created in the organization. Typically,
the new account is added to the organization’s default account.
Just-in-time provisioning is defined on your Identity Provider setup and can be implemented in two ways:
• Basic provisioning using the default account: All new users are added to the organization’s default account
and assigned the default permission profile.
• Advanced provisioning to specific accounts: Set up your identity provider to include provisioning details in
SAML and add users to specific accounts and permission profiles.
Related topics
For more information on topics related to an organization’s default account, see the following:
• Creating an organization: How to create an organization.
• Establish Control of your Company’s DocuSign Agreements: Learn how you can gain control of your company’s
agreements with proven best practices and procedural guidelines.
• Accounts: Link and unlink organization accounts.
• Single Sign-On overview: An introduction to SSO and organizations.
• Identity Providers: How to set up and manage your organization’s identity provider and define just-in-time
provisioning.
88
User Management
Note: This guide is for DocuSign administrators who oversee multiple accounts. For administrators of
individual accounts, see Manage Users – DocuSign eSignature Admin.
DocuSign Admin provides a unique and powerful view for managing your users and securing the company’s use of
DocuSign. From the Users page, DocuSign administrators can manage all organization users, and can add and
close users. User details and account memberships can also be managed through the organization.
DocuSign administrators with the Users Administrator permission profile can manage non-administrator
organization users only and only the account memberships with non-administrator permissions. DocuSign
Administrators can manage all users and memberships, including other DocuSign Administrators and users who
have administrator permissions on their account memberships.
CONTENTS
User Management Overview
Search for a user by email address
Users quick lists
User details
Add users
User Management Overview
With DocuSign Admin, a user is the focal point of management. DocuSign administrators can search for a user
within their organization and obtain information regarding that user, including language preference, security log in
policy, and all their account memberships and associated permission profiles and groups. DocuSign
administrators can directly manage a user from one location and gain confidence through knowledge of which
accounts that user has access to and what permissions they have on those accounts. Admins can also update
users from this centralized view and have the changes propagated across all account memberships allowing for
quicker and easier management of their users.
This centralized control is a significant advantage over managing a user from within a specific eSignature account.
eSignature administrators can make changes to a user’s membership only; they cannot modify other user profile
details, and any changes affect a single membership only.
DocuSign Admin combines centralized user management with reserved domains, providing a unique and powerful
view and management capabilities of domain-based users. Through reserved domains and centralized user
management, DocuSign administrators have visibility into every corporate user with a DocuSign account. Quickly
view all reserved domain based users by selecting the Domain User Quick List. The list displays all users that have
a DocuSign account using the reserved domain. A DocuSign administrator has additional management capabilities
on a domain user including: change email address, define a security log-in policy, view all account memberships
including those external to the organization, and define the default account to be used for signing and sending.
The Users page
The Users page is where you can add a new user or locate an existing user to manage.
89
Types of users in an organization
An organization can contain two categories of users:
• Account Users: These are the users who are members of the accounts that are linked to the organization.
• Domain Users: If your organization has any reserved domains, then all users with a DocuSign account that
uses a reserved domain email automatically come under the organization.
To search for a user by email address
You can locate any user in your organization by their email address.
1. From the DocuSign Admin dashboard, click Users.
2. Enter the user’s email address and press Enter to search.
90
3. If there is a match, the user’s information appears.
Users Quick Lists
The Users Quick Lists allow you to view lists of users by either domain or account. The lists present all users for a
single account or domain at a time. Filter options are provided to select a specific account or domain to view, as
well as user status.
To view all users for a reserved domain
If your organization has reserved domains, you can view all users who are using a domain email address for a
DocuSign account membership.
1. From the DocuSign Admin dashboard, click Users.
2. From the Quick Lists, select Domain Users. The Domain Users page appears, showing the users belonging to
one domain.
91
3. To select a different domain, click FILTERS to open the filter options. The Domains list contains the reserved
domains for your organization. Select a domain and click APPLY.
You can also filter by user status to show only Active, Pending, or Closed users for the selected domain.
To view all users for an account
You can view all users who are members in an account that is linked to your organization.
1. From the DocuSign Admin dashboard, click Users.
2. From the Quick Lists, select Account Users. The Account Users page appears, showing the active users
belonging to the default account for the Organization, and across all reserved domains.
92
3. To select a different account to view, click FILTERS to open the filter options. The Accounts list contains the
accounts linked to your organization. Select an account and click APPLY.
You can also filter by a single domain and user status to show only Active, Pending, or Closed users for the
selected domain and account.
User Details
The user details page provides information about a specific user. User profiles, account memberships, and other
user-specific settings are displayed here.
To view and manage details for a user
You can view and manage a user’s profile and account memberships, security settings, and organization settings
from the user details page.
1. From the DocuSign Admin dashboard, click Users.
2. Using either the Quick Lists or the search bar, navigate to a user.
93
3. Click on a user to view their details. Select a tab for more information:
• ACTIONS: Click ACTIONS on the user details page to add an account membership, make the user a
DocuSign administrator, or close all of the user’s account memberships.
• MEMBERSHIPS: Edit membership details for an account, close an account membership, reactivate a closed
account membership, or resend an activation invitation to a pending account by clicking Actions on the
account.
◦ For domain users, you can also manually activate pending memberships and assign the user’s default
account for signing and sending. Domain users activated in this way will not receive an activation
invitation.
◦ You can add memberships to accounts within the organization by clicking
ADD ACCOUNT MEMBERSHIP. If the user is already a member of all organization accounts, regardless
of status (Active/Pending/Closed), this option is unavailable.
Note: If ADD ACCOUNT MEMBERSHIP is unavailable, you can manage the user’s membership
details for each account by clicking Actions on the account.
• PROFILE: Edit the user’s full name, preferred language, physical address, and job title. Changes to a user’s
physical address, job title, and phone number are populated across all of the user’s accounts within the
org.
◦ For domain users, you can also modify the email address associated with the user. This is generally not
recommended and should be done with great caution.
• SECURITY: Available for domain users only. Edit the domain user’s login policy. See User Login Policy for
more details.
• ORGANIZATION: If the user is a DocuSign administrator, you can modify their DocuSign administrator
permission profile here.
• CONNECTED APPS: Available for domain users only. Authorize an application for a single domain user and
limit access by specifying permissions. To authorize an application for all domain users, see Connected
Apps.
94
Note: You must be a DocuSign administrator with DocuSign Administrator permissions to modify
another DocuSign administrator’s permissions.
Add users
DocuSign eSignature administrators of linked accounts can continue to add users directly in their account using
the standard DocuSign eSignature Admin app. DocuSign administrators can also add users through the
organization controls.
You can also leverage your Single Sign-On configuration and use reserved domains and just-in-time provisioning
to add new users automatically when they first log in to DocuSign.
To add a user
DocuSign administrators with the User permission profile can add users and memberships with non-administrator
permission profiles only. You must have the full DocuSign Admin permission profile to add memberships with an
administrator permission profile. See Organization Administrators for more details.
1. From the DocuSign Admin dashboard, click Users.
2. Click Add User.
95
3. Enter the user’s full name, email address, and any other profile information, then click NEXT: ACCOUNTS.
The user’s profile information is applied to all account memberships.
Note: If the user is already part of your reserved domain and has an existing DocuSign account, the
Existing User dialog appears, allowing you to edit the user.
4. Add an account membership from the Account drop-down list. All accounts linked to the organization are
available to choose from.
5. If necessary, enable applications for the user.
Note: eSignature is enabled for all users by default. If CLM is available, click the toggle to enable access.
6. Give the user a permission profile for each enabled application.
7. Assign the user to any necessary groups. This step is only available if the selected account has one or more
defined groups.
96
8. Click NEXT to add the account membership.
9. If necessary, click ADD ACCOUNT MEMBERSHIP and repeat steps 4-8 to add the user to additional accounts.
97
10. Review the user’s account memberships, then click NEXT: SECURITY.
11. If necessary, adjust the user’s security settings, then click NEXT: REVIEW.
• For domain users: You can specify the login policy. The login policy is based on the specifications defined
by the domain. The default policy is generally recommended, but you may need to make exceptions for
certain users, such as an SSO administrator.
• For non-domain users: You can add an access code to the account activation email. If you add a code,
you must provide the code to the user in order for them to activate their account.
98
12. Review the user’s information, then click SAVE USER.
Note: You can modify the user’s profile information, security settings, or account memberships by clicking
EDIT on the area you’d like to update.
The user is created and added to the selected accounts.
• For domain users with Auto-activate memberships enabled: New users can be activated automatically
for domain accounts using SSO. This can be enabled in the Domain Settings. If enabled, new memberships
are activated automatically. Memberships activated in this way will not receive an activation email.
• For all other users: The user appears as Pending under the account list. The user receives an activation
email and must complete the activation steps to activate their new account. Once they do so, their
membership status changes to Active.
Related topics
• Single Sign-On overview: Provision new users and enforce secure access management across all your
corporate applications.
• Registered domains: Control domain users and accounts.
99
• Change domain settings: Modify the security settings for a domain.
• Set user login policy: Adjust the security settings for an individual user in your organization domain.
• Default account and just-in-time provisioning: Adding users automatically to a default account.
Groups
Note: This guide is for organizations that have DocuSign CLM. For organizations that have no linked accounts
with DocuSign CLM, see Manage Groups – DocuSign eSignature Admin. For more information on DocuSign
CLM, contact your account team.
Groups are used to organize users into functional units within accounts. Accounts with CLM manage groups in
DocuSign Admin.
DocuSign administrators can manage groups for both eSignature and CLM. They can create or delete groups and
add or remove group members.
CLM accounts must use DocuSign Admin to manage groups. eSignature-only accounts can manage groups in
DocuSign Admin or eSignature Admin.
• In eSignature, groups can be used to control access to templates and branding.
• In CLM, groups can be used to control access to folder security, tasks, and other views.
Note: Signing brands are assigned to a group through eSignature Admin. For more information, see Assigning
Brands to Groups – DocuSign eSignature Admin.
CONTENTS
Add a new group
Edit an existing group
Delete a group
Related topics
To create a new group
DocuSign administrators can create new groups and add users to the group.
1. From the DocuSign Admin dashboard, click Groups.
100
2. Click ADD GROUP.
3. Enter a name for the group and select an account.
Note: Groups created for an account with CLM enabled will appear in both eSignature and CLM Admin.
4. When finished, click ADD GROUP.
5. Click ASSIGN USERS.
6. Select the users to add to the group, then click ADD USERS.
The group is created and the selected users are added to the group.
To edit an existing group
DocuSign administrators can update the group name and add or remove users.
1. From the DocuSign Admin dashboard, click Groups.
2. Select an account to and locate the group to edit.
101
3. Click ACTIONS, then click Edit.
4. If necessary, update the group name.
5. To add new users, click ASSIGN USERS.
6. Select the users to add to the group, then click ADD USERS.
The selected users are added to the group.
7. To remove users, select the users from the list, then click REMOVE USERS.
The selected users are removed from the group.
To delete a group
Deleting a group removes it from the selected account. If the group is on an account with CLM enabled, it will be
removed from both eSignature and CLM.
1. From the DocuSign Admin dashboard, click Groups.
2. Select an account to and locate the group to edit.
102
3. Click ACTIONS, then click DELETE.
4. Click DELETE.
The group is deleted.
Related topics
For more information on topics related to Groups, see the following:
• Manage Groups – DocuSign eSignature Admin
• Groups – DocuSign CLM
• Group User Management – DocuSign CLM
Federated ID
For domain users in your organization, for each user who authenticates through your identity provider (IdP),
DocuSign receives and records a unique identifier. This identifier is the Federated ID seen on the user Security
Profile.
103
The Federated ID is the unique identifier for a user in the DocuSign system and is defined and provided by your
IdP. When a user logs in through SSO, this identifier is added to their user record in DocuSign. The Federated ID
is the primary identifier for a user logging in to DocuSign through SSO and is combined with an email address to
identify the user.
If your IdP changes the unique identifier for a user, the user cannot log in until you clear the stored Federated ID.
After you clear the stored identifier, the next time the user logs in through SSO, the new Federated ID is
automatically recorded for them.
For details on the underlying SAML specifications and best practices for this unique identifier, see Identity
Providers and review the NameID specification details.
To clear a user’s federated ID
1. From the DocuSign Admin dashboard, click Users and locate the user by searching or using one of the quick
lists.
2. On the user’s page, click the Security link in the left-hand navigation.
3. In the Federated IDs section, click CLEAR for the identity provider identifier you need to remove.
4. Click CONFIRM to confirm your action and clear the recorded Federated ID.
The Federated ID is cleared. The next time the user logs in through SSO, the new identifier is added
automatically.
104
Bulk User Actions
Note: This guide is for DocuSign administrators who oversee multiple accounts. For administrators of
individual accounts, see User Bulk Actions – DocuSign eSignature Admin.
As a DocuSign administrator, you can view and manage details for multiple users at a time. Bulk user actions
enable DocuSign administrators to manage details for all users within an organization. You can add or update
users, export lists of existing users, or close users in bulk by uploading a CSV file.
CLM administrators can also manage users in bulk across all organization accounts. This includes managing CLM
permissions for all eligible users.
These bulk actions require that you have an Enterprise Pro plan or above or have the Organization Management
add-on.
Note: CLM administrators without the required plan or add-on are also able to manage users with these bulk
actions, though they are limited to working within a single account at a time.
The following bulk actions are available:
• Bulk Add New Users
• Bulk Update Users
• Bulk Close Users
• User List Exports
Bulk Add New Users
Note: This guide is for DocuSign administrators who oversee multiple accounts. For administrators of
individual accounts, see the DocuSign eSignature Admin guide Add and Update Users in Bulk.
DocuSign Administrators and Users Administrators can bulk add new users to one or more accounts by uploading
a comma-separated value (CSV) file. The format of the CSV must match the sample file. For more information on
the CSV format, see Building a CSV to bulk add users.
You can add up to 2,000 users to an account and include up to 50 accounts per imported CSV. The maximum
number of users per import is 8,000.
Note: Only one type of import or export can be in progress at a time.
To add users in bulk
1. From the DocuSign Admin dashboard, click the Users tile.
105
2. Click the BULK ACTIONS menu and select Add Users.
3. In the Add Users dialogue, click UPLOAD FILE.
Note: You can also drag and drop your prepared CSV file in the upload area.
4. Select the CSV file to import. Make sure the formatting matches the sample CSV provided. For more details,
see Building a CSV to bulk add users.
Note: Click DOWNLOAD TEMPLATE to download a sample CSV file that you can use to build your import.
5. Click SUBMIT.
6. View the status of your import in the Recent Bulk Actions section on the Users page. Click the refresh icon to
update the import status. When the import is complete, click VIEW.
106
Building a CSV to bulk add users
Your CSV import file is made up of a header row with the column headers and a row of user or account data for
each user you want to add to an account. Only new users can be imported. Any changes to existing users will be
ignored. To make changes to existing users, see Bulk Update Users.
To ensure your CSV is properly formatted, use the Sample Bulk Add CSV file as a template.
The header row for add users
The first line of the file is the header row which defines each of the columns. The header values are not required to
be in the order listed and are not case-sensitive, but the text must match listed values.
*Required columns: Your CSV file must contain these columns: AccountID, FirstName, LastName, UserEmail, and
eSignPermissionProfile. The rest of the header values are optional.
Note: For the user’s name, you can use either the FirstName and LastName columns together, or the User
Name column. Your spreadsheet should only contain one of these; if both FirstName/LastName and
UserName columns are present in your CSV, the values entered in the UserName column take precedence.
The EnableCLM and CLMPermissionProfile columns are only applicable for organizations with the CLM product. If
your organization doesn’t have a CLM account, leave these columns blank.
Note: The LoginPolicy and AutoActivation columns only apply to organizations with a reserved domain and
Single Sign-On (SSO) through an Identity Provider. For more information, see the DocuSign Single Sign-On
Overview.
The acceptable column header values for an Add Users CSV file are:
Header Row Value Description
AccountID The 32 character API Account ID of the user’s account
in your organization. This can be found in the in the API
and Keys section of the account. Required column.
AccountName The name of the user’s account in your organization.
The account name must match the Account ID
provided.
FirstName The user’s first name. Required column.
LastName The user’s last name. Required column.
UserName The user’s full name. This can be used instead of
FirstName and LastName. This is useful for languages
which place family names before given names.
***Required column. If this column is used instead of
FirstName and LastName, it is required.
UserEmail The user’s complete email address. Required column.
eSignPermissionProfile The user’s permission profile for the eSignature
product. This value must match an existing permission
profile for the account. This value is not casesensitive.Required column.
107
Header Row Value Description
EnableCLM Grants the user access to the CLM product. If you
grant a user access to CLM, you must also assign them
a Permission profile for that product with the
CLMPermissionProfile column.
• TRUE – The user has access to CLM.
• FALSE – The user does not have access to CLM.
CLMPermissionProfile The user’s permission profile for the CLM product. This
value must match an existing permission profile for the
account. This value is not case-sensitive.
If you assign a user a CLM permission Profile, you must
also grant them access to the CLM product with the
EnableCLM column.
UserTitle The user’s job title.
CompanyName The user’s company name.
Group The user’s assigned groups. The Group values must
match existing Group names for the account. Additional
Group columns can be added to the file to add users to
more than one group.
You do not need to add users to the Everyone group,
since all new users are automatically added to that
group.
AddressLine1 The user’s address – first line.
AddressLine2 The user’s address – second line.
City The user’s city name.
StateRegionProvince The user’s regional location.
PostalCode The user’s postal code.
Phone The user’s phone number.
Language The user’s display language for their DocuSign
account. See the Display language values below.
108
Header Row Value Description
LoginPolicy The user’s login policy. Valid values include the
following:
• Column left blank – The user is created with no
policy assigned.
• FedAuthRequired – The user must log in with an
Identity Provider.
• FedAuthBypass – The user may log in with an
Identity Provider or their DocuSign username and
password.
For more information on login policies, see Setting User
Login Policy.
AutoActivate For domain users, new users can be activated
automatically for domain accounts using SSO by
setting the value to TRUE.
The user is activated automatically once the import is
complete. Memberships activated in this way will not
receive an activation email.
The access code option (adding an access code for authentication during user activation) cannot be used with
this bulk action.
The user data
In the lines of the file below the header row, add the user information with commas used as the delimiter
(separator) between each value.
If you are using Microsoft® Excel® to create your file, you can enter the header values (FirstName, LastName,
UserEmail, etc.) in different columns on the first line, enter the user information on subsequent lines, and save the
file as a CSV file. You do not need to add commas; Excel will automatically do this when you save the file.
Example Add Users – Excel:
Display language values
The Language value is the default language for the user. The value can be any of the codes shown below:
Language = Code
• Chinese Simplified = zh_CN
• Chinese Traditional = zh_TW
• Dutch = nl
109
• English = en
• French = fr
• German = de
• Italian = it
• Japanese = ja
• Korean = ko
• Portuguese = pt
• Portuguese Brazil = pt_BR
• Russian = ru
• Spanish = es
Bulk Update Users
Note: This guide is for DocuSign administrators who oversee multiple accounts. For administrators of
individual accounts, see the DocuSign eSignature Admin guide Add and Update Users in Bulk.
DocuSign Administrators and Users Administrators can bulk update existing users across one or more accounts
by uploading a comma-separated value (CSV) file. For more information on the CSV format, see Building a CSV to
bulk update users.
You can update up to 2,000 users on an account and include up to 50 accounts per imported CSV. The maximum
number of updated users per import is 8,000. Only one type of import or export can be in progress at a time.
Note: DocuSign administrators with a claimed domain can also update email addresses for users on their
domain. For more information, see Updating user email addresses.
To update users in bulk
1. From the DocuSign Admin dashboard, click the Users tile.
2. Click the BULK ACTIONS menu and select Update Users.
110
3. In the Update Users dialogue, click UPLOAD FILE.
Note: You can also drag and drop your prepared CSV file in the upload area.
4. Select the CSV file to import. Make sure the formatting matches the sample CSV provided. For more details,
see Building a CSV to bulk update users.
Note: Click EXPORT USERS, select the user list type, then click EXPORT to export a CSV list of all users
in your organization. You can use this list as a template to build your import. For more information on the
various user list types, see User List Exports.
5. Click SUBMIT.
6. View the status of your import in the Recent Bulk Actions section on the Users page. Click the refresh icon to
update the import status. When the import is complete, click VIEW.
Building a CSV to bulk update users
Your CSV import file is made up of a header row with the column headers and a row of account and user data for
each user you want to update. Only existing users will be updated; to add new users, see Bulk Add New Users.
Tip: To start, create a user list from accounts within your organization. The user data in this list can be used to
populate your bulk update CSV file.
To ensure your CSV is properly formatted, use the Sample Bulk Add CSV file as a template.
The header row for update users
The first line of the file is the header row which defines each of the columns. The header values are not required to
be in the order listed and are not case-sensitive, but the text must match listed values.
Note: If you’re changing a user’s name, use either the FirstName and LastName columns together, or the User
Name column. Your spreadsheet should only contain one of these.
*Required columns: Your CSV file must contain these columns: AccountID, APIUserName, and UserEmail. The
rest of the header values are optional.
111
Note: All of the required columns must remain unchanged.
The acceptable column header values for an Update Users CSV file are:
Header Row Value* Description
AccountID The 32 character API Account ID of the user’s account
in your organization. Required column.
AccountName The name of the account.
APIUserName The unique user ID. Required column.
FirstName The user’s first name.
LastName The user’s last name.
UserName The user’s full name.
UserEmail The user’s complete email address. To update the
user’s email address, use the UpdatedUserEmail
column. Required column.
eSignPermissionProfile The user’s permission profile for the eSignature
product. This value must match an existing permission
profile for the account. This value is not case-sensitive.
EnableCLM Grants the user access to the CLM product. If you
grant a user access to CLM, you must also assign them
a Permission profile for that product with the
CLMPermissionProfile column.
• TRUE – The user has access to CLM.
• FALSE – The user does not have access to CLM.
CLMPermissionProfile The user’s permission profile for the CLM product. This
value must match an existing permission profile for the
account. This value is not case-sensitive.
If you assign a user a CLM permission Profile, you must
also grant them access to the CLM product with the
EnableCLM column.
Language The user’s display language for their DocuSign
account. See the Display language values below.
UserTitle The user’s job title.
CompanyName The user’s company name.
AddressLine1 The user’s address – first line.
AddressLine2 The user’s address – second line.
City The user’s city name.
StateRegionProvince The user’s regional location.
PostalCode The user’s postal code.
Phone The user’s phone number.
112
Header Row Value* Description
LoginPolicy The user’s login policy. Valid values include the
following:
• Column left blank = The user is created with no
policy assigned.
• FedAuthRequired = The user must log in with an
Identity Provider.
• FedAuthBypass = The user may log in with an
Identity Provider or their DocuSign username and
password.
For more information on login policies, see Setting User
Login Policy.
Group The user’s assigned groups. The Group values must
match existing Group names for the account. Additional
Group columns can be added to the file to add users to
more than one group.
You do not need to add users to the Everyone group,
since all new users are automatically added to that
group.
UpdatedUserEmail If updating domain user email addresses, use this
column to enter the new email address. For more
information see Updating user email addresses.
The user data
In the lines of the file below the header row, add the user information with commas used as the delimiter
(separator) between each value.
If you are using Microsoft® Excel® to create your file, you can enter the header values (FirstName, LastName,
UserEmail, etc.) in different columns on the first line, enter the user information on subsequent lines, and save the
file as a CSV file. You do not need to add commas; Excel will automatically do this when you save the file.
Example Update Users – Excel:
Updating user email addresses
DocuSign Administrators and Users Administrators with a claimed domain can update email addresses for users
on their domain.
You can update email addresses for your users if the following conditions are met:
• The organization has claimed the domain – for more information, see Setting Up SSO: Domains.
113
• The user’s email address is on the domain – i.e. if your domain is www.example.com, the user’s email would be
[email protected]
• If the organization has more than one claimed domain, you can also update the domain of the user to match
another claimed domain.
Note: You cannot change an email address for a user on a domain you have not claimed.
To change a user’s email address, download and populate the sample CSV provided. The UserEmail column will
remain unchanged and should contain the current user’s email address.
In the UpdateUserEmail column, enter the new email address you’d like to use. After completing the import, the
user’s email address is updated.
Display language values
The Language value is the default language for the user. The value can be any of the codes shown below:
Language = Code
• Chinese Simplified = zh_CN
• Chinese Traditional = zh_TW
• Dutch = nl
• English = en
• French = fr
• German = de
• Italian = it
• Japanese = ja
• Korean = ko
• Portuguese = pt
• Portuguese Brazil = pt_BR
• Russian = ru
• Spanish = es
Bulk Close Users
Note: This guide is for DocuSign administrators who oversee multiple accounts. This feature is not currently
available for eSignature administrators. To close users on an individual account, see Manage Users.
DocuSign Administrators and Users Administrators can bulk close existing users across one or more accounts by
uploading a comma-separated value (CSV) file. For more information on the CSV format, see Building a CSV to
bulk close users.
If users created free or freemium accounts using a corporate email addresses, a DocuSign administrator may want
to close these accounts. You can also bulk close these external domain accounts as long as they are not linked to
an organization.
Note: To learn more about managing domain users and other best practices, see Establish Control of your
Company’s DocuSign Agreements.
114
You can close up to 2,000 users on an account across up to 50 accounts per imported CSV. The maximum
number of closed users per import is 8,000.
CONTENTS
To close organization users in bulk
To close external domain users in bulk
Building a CSV to bulk close users
To close organization users in bulk
1. From the DocuSign Admin dashboard, click the Users tile.
2. Click the BULK ACTIONS menu and select Close Users.
3. In the Close Users dialogue, select Close existing users.
Note: Users closed in this manner will also automatically be removed from any signing groups. If you’d like
to leave these users in signing groups, Uncheck Remove users from signing groups.
4. Select the CSV file to import. Make sure the formatting matches the sample CSV provided. For more details,
see Building a CSV to bulk close users.
Note: Click EXPORT USERS, select the user list type, then click EXPORT to export a CSV list of all users
in your organization. You can use this list as a template to build your import. For more information on the
various user list types, see User List Exports.
5. Click SUBMIT.
115
6. View the status of your import in the Recent Bulk Actions section on the Users page. Click the refresh icon to
update the import status. When the import is complete, click VIEW.
To close external domain users in bulk
1. From the DocuSign Admin dashboard, click the Users tile.
2. Click the BULK ACTIONS menu and select Close Users.
3. In the Close Users dialogue, select Close external domain users.
4. Select the CSV file to import. Make sure the formatting matches the sample CSV provided. For more details,
see Building a CSV to bulk close users.
Note: Click EXPORT USERS, select the user list type, then click EXPORT to export a CSV list of all users
in your organization. You can use this list as a template to build your import. For more information on the
various user list types, see User List Exports.
5. Click SUBMIT.
116
6. View the status of your import in the Recent Bulk Actions section on the Users page. Click the refresh icon to
update the import status. When the import is complete, click VIEW.
Building a CSV to bulk close users
Your CSV file is made up of a header row with the column headers and a row of account and user data for each
user you want to close.
Tip: Start by exporting a user list from your organization. The user data in this list can be used to populate
your bulk close CSV file.
• For organization users, use the ‘Users and Memberships’ or ‘Domain Users’ export type.
• For external domain users, use the ‘External Domain Users’ export type.
To ensure your CSV is properly formatted, use the Sample Bulk Close CSV file as a template.
The header row for close users
The first line of the file is the header row which defines each of the columns. The AccountID column must be the
first column in the file.
*Required columns: Your CSV file must contain these columns: AccountID, APIUserName, and UserEmail. No
other columns are necessary.
The acceptable column header values for a Close Users CSV file are:
Header Row Value* Description
AccountID The 32 character API Account ID of the user’s account
in your organization. Required column.
APIUserName The unique user ID. Required column.
UserEmail The user’s complete email address. Required column
The user data
In the lines of the file below the header row, add the user information with commas used as the delimiter
(separator) between each value.
If you are using Microsoft® Excel® to create your file, you can enter the header values (AccountID, APIUserName,
UserEmail) in different columns on the first line, enter the user information on subsequent lines, and save the file
as a CSV file. You do not need to add commas; Excel will automatically do this when you save the file.
117
User List Exports
Note: This guide is for DocuSign administrators who oversee multiple accounts. For administrators of
individual accounts, see the DocuSign eSignature Admin guide Add and Update Users in Bulk.
DocuSign Administrators and Users Administrators can export a list of users across all accounts in the
organization as a comma-separated value (CSV) file. Exports include user details such as full name, email
address, and permission profile.
Export types:
• Users and Memberships: All users and their memberships across all accounts in the organization.
• Domain Users: All domain users, their profile details, default account, and login policy.
• External Domain Users: All domain users memberships in accounts external to the organization.
Note: Organizations without a claimed domain will see only the Users and Memberships export option.
To export a list of users
1. From the DocuSign Admin dashboard, click the Users tile.
2. Click the BULK ACTIONS menu and select Export Users.
3. Select the export type and click EXPORT.
Export types:
• Users and Memberships: All users and their memberships across all accounts in the organization.
• Domain Users: All domain users, their profile details, default account, and login policy.
• External Domain Users: All domain users memberships in accounts external to the organization.
Note: Organizations without a claimed domain will see only the Users and Memberships export option.
118
4. View the status of your export in the Recent Bulk Actions section on the Users page. Click the refresh icon to
update the import status. When the export is complete, click VIEW.
5. Click DOWNLOAD to download the export CSV file.
Data Feeds
Note: This guide is for DocuSign administrators who oversee multiple accounts. For administrators of
individual accounts, see the DocuSign eSignature User guide Using Reports.
Once configured by your development team, your organization can retrieve data from all of your accounts. This
data can be stored in your data warehouse and used as needed.
Note: Setting up a data feed requires additional steps with your account manager and your development team.
For more information, contact your account manager.
To add an integration key
The data feed requires an integration key from an account within the organization.
1. Generate and copy an integration key from the API and Keys page on an account within the organization.
Note: You must be an administrator on an account within your organization to generate an integration key.
For more information, review API and Keys in the DocuSign eSignature Admin Guide.
119
2. Click SWITCH TO… and select DOCUSIGN ADMIN to return to DocuSign Admin.
3. From the DocuSign Admin dashboard, click the Data Feeds tile.
4. Paste the integration key into the text field and click ADD.
To enable or disable the data feed
1. From the DocuSign Admin dashboard, click the Data Feeds tile.
2. Click the Data Feed Job toggle to begin processing.
The data feed begins processing when an integration key is present and the feed has been configured.
Data feed processing schedule
Once configured, your data feed begins to process. Extra time is needed to collect data for the first time.
Subsequent changes to the feed are available within 24 hours.
120
Therefore, the first data feed process follows a special schedule, as follows:
Feed is Enabled On Data is Available On
Sunday through Wednesday Next Monday (5 days after Wednesday)
Thursday through Saturday Second Monday (9 days after Saturday)
For example:
Envelope Transfer
Note: This guide is for DocuSign administrators who oversee multiple accounts. For administrators of
individual accounts, see Transfer Envelopes and Templates.
As a DocuSign Administrator, you can transfer envelopes between users on any organization accounts that are on
the same DocuSign environment site. With envelope transfer, if you have employees who move between
organization accounts, you can transfer some or all of their envelopes to go with them. Or you can transfer
ownership of envelopes to a new user on any other organization account that is on the same site. You can transfer
up to 2,000 eligible envelopes at one time.
CONTENTS
Envelope transfer overview
Transfer a selection of envelopes using Transfer Now
Download envelope IDs to transfer using CSV
Transfer envelopes using a CSV
View envelope transfer logs
Related topics
Envelope Transfer Overview
From the Envelope Transfer tile, you can initiate transfers and view transfer logs.
121
When you transfer ownership of envelopes, the transferred items are removed from the original owner’s account
and moved to the new owner’s account. You must have All Administration Capabilities on the account you want to
transfer envelopes from. You can transfer to any user’s account that is part of your organization and that is on the
same environment site as the originating account (e.g., NA1, NA2, NA3, EU).
Note: Access to the envelope transfer feature must be enabled on your organization by DocuSign. If you do
not see the Envelope Transfer tile on your DocuSign Admin dashboard, contact your account manager or
Customer Support for more information.
What can you transfer?
You can transfer envelopes belonging to a user in an organization account for which you have All Administration
Capabilities. The envelopes can be in any status except Draft. Draft envelopes cannot be transferred.
Note: You can transfer up to 2,000 eligible envelopes at a time. You cannot transfer envelopes across sites
(e.g. NA1 >NA2).
Who owns envelopes?
Users own the envelopes that they send. Ownership can be transferred by an administrator to another user.
Received envelopes are owned by the sender and cannot be transferred to a different recipient.
Who can you transfer envelopes to?
You can transfer an envelope to any user on any account that is:
• Linked to your organization
• On the same DocuSign site environment as the originating account (e.g., NA1 -> NA1)
What happens when you transfer an envelope?
Transferring an envelope is a complete transfer of ownership. The envelope history retains all of the actions by the
original sender, and includes a “Transfer envelope ownership” action indicating the new owner and account
membership for the envelope.
122
Transfer options: Transfer Now and Transfer Using CSV
You can filter, search, and select one or more envelopes to transfer with the Transfer Now function. Or you can
prepare and upload a CSV with a list of envelope IDs to Transfer Using CSV.
Transfer a selection of envelopes using Transfer Now
Select one or more envelopes to transfer manually from one user’s account to any other user account within your
organization. You must have All Administration Capabilities permissions on the account you are transferring from.
1. From the DocuSign Admin dashboard, click Envelope Transfer.
2. The Envelope Transfer view lists the linked accounts for which you have All Administration Capabilities
permissions.
If you do not see an account, it either needs to be linked to your organization, or you do not have the
necessary permissions to initiate a transfer.
123
3. Locate the account you want to transfer from and click the Actions menu and select Transfer Envelopes.
4. Select the items you want to transfer by selecting the check box on the corresponding rows. Use the FILTERS
settings to change the list of items shown.
5. Click TRANSFER NOW.
124
6. In the Transfer Now dialog, select the target account you want to transfer the envelopes to. All linked accounts
in the organization that are on the same site as the originating account are listed.
7. Click TRANSFER.
8. Select the user in the target account you want to transfer the envelopes to and click TRANSFER.
9. Confirm the transfer action.
The job is placed in a queue for processing and listed in the Envelope Transfer Logs. This log shows a list of
transfers for your organization. At the top of the list is the new transfer.
10. When the transfer is complete, the transferred envelopes are available in the new owner’s account.
• Click the refresh icon in the Actions column to update the status of the transfer.
• Once the transfer completes, click the Actions menu and select Details to review the transfer information or
download a copy of the CSV file with the transfer information.
125
Download envelope IDs to transfer using CSV
You can transfer envelopes in bulk to a single new owner by using a comma-separated value (CSV) file containing
the envelope IDs to be transferred. The CSV file must contain a column with each envelope ID entered on a
different row. The envelopes in the file must all exist in the same account but can belong to different users.
A common workflow for bulk transfer is:
• Use the Envelope Transfer page to filter for the envelopes you want to transfer.
• Download the list of envelopes using the Download CSV option.
• Review the download file and remove any unwanted data and remove all columns except for EnvelopeId.
• Use the Transfer Using CSV option to transfer the envelopes in bulk to the new owner.
To download a CSV file of envelope information
1. From the Envelope Transfer page in DocuSign Admin, locate the account you want to transfer from and click
the Actions menu and select Transfer Envelopes.
126
2. Select the items you want to transfer by using the FILTERS settings to change the list of items shown.
For example, if you want to transfer ownership of all envelopes sent from one employee to another employee,
select the employee’s name in the Sender filter, and adjust the Date Range as needed.
3. Click DOWNLOAD CSV and select if you want to include recipient information or custom fields.
These details are not used in the transfer process, but you may find them helpful for other purposes. For
instance, you can use the envelope custom fields to help sort envelopes and identify the ones you want to
transfer.
4. Click DOWNLOAD.
The CSV is saved to your Downloads folder. Once you review it and make any changes to the list of envelope
IDs, you can use the CSV to transfer the envelopes to another user.
Transfer envelopes using a CSV
You can transfer envelopes in bulk using a prepared CSV with the envelope IDs to be transferred. All envelopes
must be in the same organization account, and you can transfer them all to a single user in any organization
account on the same site. You must have All Administration Capabilities permission on the originating account.
Typically, you would download a list of envelope IDs to transfer as described in Download envelope IDs to transfer
using CSV.
127
To transfer envelopes using a CSV
1. From the Envelope Transfer page in DocuSign Admin, locate the account you want to transfer from and click
the Actions menu and select Transfer Envelopes.
2. Click TRANSFER USING CSV to initiate the transfer.
128
3. In the Transfer dialog:
a) Upload the CSV containing the envelope IDs you want to transfer.
b) Select the target account for the user you want to transfer the envelopes to.
c) Select the user in the target account to transfer to.
d) Click TRANSFER.
4. Confirm the transfer action.
The job is placed in a queue for processing and listed in the Envelope Transfer Logs. This log shows a list of
transfers for your organization. At the top of the list is the new transfer.
View envelope transfer logs
When you execute an envelope transfer, an entry for the job is added to the envelope transfer logs for the account
you transferred envelopes from. You can review these logs for details of the transfer, including an option to
download a CSV containing the envelope IDs and the processing results.
To view a transfer log
1. From the Envelope Transfer list, locate the account where the envelopes were transferred from.
129
2. Click the Actions menu and select Logs.
3. The list of available logs for the selected account are shown. The Status column provides a result summary.
4. For transfers with an incomplete status (Queued), click the refresh icon in the Actions column to update the
transfer status.
130
5. For completed transfers, to see detailed results, click the Actions menu and select Details.
The details dialog provides a summary of the successful transfers, as well as details around any rows with
issues or errors.
6. To download a CSV with a list of all envelope IDs in the transfer job and the processing results for each, click
Download from the transfer details dialog, or click the Actions menu for the transfer job and select Download
CSV.
Related topics
For more information related to envelope transfer, see the following:
• Link accounts: Accounts must be linked to your organization in order to transfer or receive envelopes.
• Establish Control of your Company’s DocuSign Agreements: Gain control of your company’s agreements with
proven best practices and procedural guidelines.
Connected Apps
Manage the applications that can access your DocuSign organization. Connected applications are authorized for
all domain users and access is limited by the permissions you specify.
131
You can authorize any application for which there is an existing integrator key in any account that is linked to your
organization.
In order to authorize an application for your domain users, you must first claim a domain for your DocuSign
organization. To learn more the domain claim process, see Claiming and validating a domain.
Note: For more information on integrator keys, see API and Keys. For more information about using your
integrator key with the DocuSign API, visit the DocuSign Developer Center.
CONTENTS
Authorize an application
Edit an authorized application
Revoke authorization for an application
To authorize an application
Authorize integration applications for your domain users.
1. From the DocuSign Admin dashboard, click Connected Apps.
2. On the Applications page, click Authorize Application.
3. In the Add New Application dialog, select an application from the drop-down list. The list includes all
applications for which there is an existing integrator key in any account that is linked to your organization.
The dialog expands to show information about the selected application.
132
4. Enter the permissions for the application. These permissions define the OAuth scopes the application can
access. Example: “signature”
Note: If adding more than one permission, separate them with a single space. For eSignature applications
that use the OAuth JWT flow, add both the ‘signature’ and ‘impersonation’ permissions.
5. Click Add.
The application is authorized and added to the list of Applications for the organization.
To edit an authorized application
You can edit the Permissions settings for an authorized application.
1. From the DocuSign Admin dashboard, click Applications.
133
2. Click the Actions menu for the application you want to edit, and select Edit.
3. Modify the Permissions settings as needed, and click Save.
To revoke authorization for an application
You can revoke any previously authorized application.
1. From the DocuSign Admin dashboard, click Applications.
2. Click the Actions menu for the application you want to edit, and select Revoke.
The application is removed from your organization and access is revoked for all domain users.
Audit Logs
Note: This guide is for DocuSign administrators who oversee multiple accounts. For administrators of
individual accounts, see the DocuSign eSignature Admin guide Account Audit Logs.
134
Audit logs capture key events for changes to an organization made from within the organization. The Organization
audit log provides an easy way for administrators to see changes to the accounts linked to the organization and
user management actions (such as adding, removing, and editing users), and updates to DocuSign administrators.
CONTENTS
Delegated administrators and audit logs
View audit logs
View audit logs
1. From the DocuSign Admin dashboard, click Audit Logs.
2. The Audit Logs view lists the audit events for the last 24 hours. The DocuSign Administrator permission profile
grants access to all audit events; the Users Administrator permission profile grants access to user management
events only.
3. To view older events, change the date range.
4. To view the details of an event,
a. Click VIEW.
b. Review the information in the Event Details window:
Delegated administrators and audit logs
If your organization assigns delegated permissions, these administrators have limited visibility into the organization
audit logs. Delegated administrators with the Users Administrator permission profile can see only audit log entries
that relate to user management tasks.
DocuSign Administrators (who have full administration capabilities) can see all audit log entries.
Appliance Pools
DocuSign Admin provides centralized management of external appliances. Currently, the DocuSign Security
Appliance is the only appliance supported. Additional appliance types will be supported in future releases.
About the DocuSign Security Appliance
The DocuSign Security Appliance is a software package running remotely from the DocuSign Service that
manages the storage and release of cryptographic keys. The DocuSign Security Appliance offloads the key
storage and release policies from the DocuSign cloud to a customer’s private network. The DocuSign Security
Appliance is a self-managing appliance designed to address the most sensitive scenarios, where the highest level
of security is required.
The DocuSign Security Appliance is installed through a services engagement with DocuSign Professional
Services. Once installed and configured, the DocuSign administrator can manage the security appliances in
DocuSign Admin as described in this guide. DocuSign Professional Services maintains separate documentation
for installing the Security Appliance software.
Note: Access to DocuSign Security Appliance is determined by your account plan and must be enabled by
DocuSign. If you do not see the security appliance management features described in this section, contact
your account manager or Customer Support for more information.
Back to top
Add a security appliance pool
After installing the DocuSign Security Appliance in your company’s network, you set up a security appliance pool
in DocuSign Admin. By adding security appliances to the pool, any organization account can use the appliances.
All appliances in a pool must have the same checksums, HSM, and key count.
To complete the configuration, you assign organization accounts to the pool. Once configured, you cannot delete
a pool with any assigned accounts. Once an account is assigned and envelopes are sent, the pool is required to
be able to view those sent envelopes.
To add a security appliance pool
1. From the DocuSign Admin dashboard, click Appliance Pools.
2. Click the Security option.
137
3. In the Appliance Pools list, click ADD APPLIANCE POOL.
138
4. Fill in the fields of the Add Security Appliance Pool form.
• Key Cache Timeout. If 0, use a thread cache (cached for each API call). If non-zero, use a global memory
cache (cached for an entire signing session if the value is high enough). Recommended value = 180
seconds
• Request Timeout. Recommended value = 10 seconds
• New Key Per Envelope. If selected, each key is used only once, ensuring that every envelope sent gets a
unique key.
• Derived Keys. If selected, envelopes sent that use a Security Appliance with an HSM, get a unique key
derived from a secret key that never leaves the HSM. This option overrides the New Key Per Envelope
setting.
If you enable this setting, after adding appliances to the pool, you must edit the pool to select the HSM key
to use. See also To configure HSM and derived keys.
139
5. Click SAVE to save the new appliance pool.
Back to top
Add appliances to a pool
By adding security appliances to a pool, any organization account added to the pool can use the appliances
within. All appliances in a pool must have the same configuration, including matching checksums, HSM, and key
count.
1. In the list of appliance pools, click the Actions menu and select Manage Appliances.
140
2. On the Manage Appliances view, click ADD SECURITY APPLIANCE.
141
3. Complete the details for the new appliance.
• Status: Set the status for the appliance as either Primary, Secondary, or Disabled.
◦ Primary – All Primary appliances are tried and only if they all fail are Secondary appliances tried.
◦ Secondary – Only connect if all primaries fail. This is useful if you have a hot-standby that should take
traffic only in an emergency.
◦ Disabled – The appliance is never contacted.
• Protocol Version: This setting must match the version of the Security Appliance. To determine the protocol
version, look in the file:
Note: %KM_DIR%\Service\bin\DocuSign.KeyManager.Service.Shell.exe.config
Where KM_DIR is the location where you installed the Security Appliance, which defaults to C:\Program
Files (x86)\DocuSign\KeyManager. Look for the value of Protocol Version.
Protocol Version options:
◦ Encrypted Payloads – Key request and response payloads are encrypted (Protocol Version = 0)
◦ Encrypted Payloads & Signed Responses – Key request payloads are encrypted and key response
payloads are both encrypted and signed (1)
◦ Encrypted & Signed Payloads – The key request and response are both encrypted and signed. (2)
• Public Key: To obtain the public key, log into the Security Appliance Admin Web UI. Copy the key and paste
it into the field provided.
• Certificate Thumbprint: To obtain the certificate thumbprint, log into the Security Appliance Admin Web UI.
Copy the certificate information and paste it into the field provided.
142
4. To confirm your appliance is correctly configured, click TEST CONNECTION.
5. If the test is successful, click SAVE to save the security appliance.
Once successfully configured, all accounts assigned to the pool can now access the new appliance. The
appliance status (primary, secondary, or disabled) determines whether it is used to manage security keys for
the accounts’ envelopes.
Back to top
143
To configure HSM and derived keys
To configure your appliance pool to use derived keys, you must use an HSM with your security appliance.
1. Create a pool and leave the Use Derived Keys option unchecked.
2. Add an appliance that has an HSM configured.
Note: It will say ‘No HSM configured.’
3. https://support.docusign.com/en/guides/org-admin-guide-appliance-pools and select the Use Derived Keys
option.
4. Select a key from drop down list.
5. Click SAVE.
Back to top
Assign accounts to an appliance pool
You can assign linked organization accounts to an appliance pool. Once added to an appliance pool, all account
envelopes are secured by the security appliances in the pool. Accounts can be assigned to only one pool per
type. You cannot remove accounts from a pool, so make sure you are making the proper assignments when
adding accounts to a pool. If changes are required, you will need to engage DocuSign professional services.
When you link new accounts to your organization, you will need to add them to a security appliance pool in order
to apply your external key management policies to the envelopes generated by the new accounts.
1. In the list of appliance pools, click the Actions list and select Manage Accounts.
2. From the Manage view, accounts already assigned to the pool are listed. Click LINK ACCOUNTS to select additional accounts to assign.
3. In the Link Accounts list, select the accounts you want to grant access to the security pool.
The accounts for which you are an account administrator and that are linked to the Organization are listed.
4. Click LINK to add an account to the security pool.
5. When you are finished linking accounts, click CLOSE.
The selected accounts are added to the security pool and granted access to all appliances in the pool.
Back to top
Edit a pool
1. In the list of appliance pools, click the Actions list and select Edit Pool Settings.
2. In the Appliance Pool Settings, adjust the settings as needed.
3. Click SAVE to save your changes to the pool.
Back to top
Run a health check on all security appliances in a pool
Any time you add or edit a security appliance, you must successfully test your changes in order to save them. In
addition to this check on individual appliances, you can run a health check on all security appliances in an appliance pool. The health check tests and confirms the connection details for each appliance in the pool. Pass/
Fail results of the check are listed on the security appliances list under the Health Check column.
1. In the list of appliance pools, click the Actions menu and select Manage Appliances.
2. In the Manage Security Pool Appliances, click HEALTH CHECK ALL.
3. The health check runs and evaluates all of the security appliances in the pool. Results are registered in the
