1 votes


The OneSpan Role Permission under the Transaction category 'transaction.access_other_users_transactions' (Manage users’ transactions, templates, layouts (API)) is required to clone templates via the SDK or rest API.

  • Is there a reason this new permission was added?

    • Is there a way to add this permission to the existing [predefined] role permission sets?

As an account owner I may not add any new roles to my account nor can I add any new permissions to my existing role.

As such, the account Owner role can no longer use templates:

      "id": "owner",
      "description": "esl.account.account_role.default_role.owner.description",
      "name": "",
      "predefined": true,
      "enabled": true

'Forbidden. HTTP POST on URI'

    "messageKey": "error.forbidden.noPermission",
    "message": "The required permission was not found.",
    "code": 403,
    "name": "Access Denied"

Further, Managers and Senders are unable to create a package from a template via the SDK calling

OssClientAdapter.CreatePackageFromTemplate(templatePackage.Id, package)

However, by creating a new role and granting access to the Admin role permission set and the new Transaction category permission of 'transaction.access_other_users_transactions' I can use sub-accounts to send templates.

While this is a workaround, it has removed functionality that I would've expected to remain in tact.


Kevin C

Approved Answer

Reply to: error.forbidden.noPermission

1 votes

Hi Kevin,


Let's say you are creating a package from a template for a sender, before this permission was introduced, you will have to:

(1)Obtain the sender's API Key for this subaccount (every sender has their respective API Keys for each subaccount)

(2)Authenticate the SDK client with this particular API Key, and invoke the .CreatePackageFromTemplate() function

Given this background, this new permission has been introduced to reduce the complexity where you had to retrieve sender's API Key first. With the latest fashion, as long as the API Key holder has both "API Access" and this new permission, you can easily achieve the goal with this .NET SDK code:

            OssClient client = new OssClient(apiKey, apiUrl);   //Admin's API Key/Token

            DocumentPackage documentPackage = PackageBuilder
                .NewPackageNamed("Example Transaction")

                .WithSenderInfo(SenderInfoBuilder.NewSenderInfo("sender's email"))

            PackageId templateId = client.CreatePackageFromTemplate(new PackageId("nOddEwofq5E_W9AOEJtJ5d1xt4U="), documentPackage);


In terms of the Account Role management:
(1)Two permissions should be sufficient for this new role - "API Access" and "Manage users’ transactions, templates, layouts (API)"

(2)You can grant multiple roles to a sender, for example:
-"Admin" role (19 permissions)

-The customized role (2 permissions)

In which case the user will own total of 20 permissions (API Access is duplicated)

(3)I do agree that "Admin" role should automatically be added this new permission since its description is "Full access to the entire application and its configuration". If you happen to have a support ticket open, or I can help you create one, we can ask for a clarification if it's by designed.




Duo Liang OneSpan Evangelism and Partner Integrations Developer

Reply to: error.forbidden.noPermission

1 votes

Hello Duo,

Regarding your points 1 and 2, that makes a lot of sense.

In testing as a subaccount, I can use a template as a Manager with "API Access" and "Manage users’ transactions, templates, layouts (API)"


In testing as the account owner, I am unable to clone a template with (visibility: ACCOUNT) that belongs to the account owner.

As such, I've opened a support request based on your third point to have the predefined Admin permissions updated to reflect the description.




01/04/2022 update: Account Owner usage of shared, personally owned templates is restored.

I have a case to look into the option to update the predefined roles.

For now, we have a workaround to get an account owner updated.

Following the above suggestion by Duo Liang, sign in as the account owner or another admin, and create a new role containing "API Access" and "Manage users’ transactions, templates, layouts (API)".

Grant the following roles to a subaccount [you have access to]

  1. the predefined Admin [Id: Owner] role
  2. the newly created role containing "API Access" and "Manage users’ transactions, templates, layouts (API)"

Signed in as the subaccount, go to

  • Add newly created role containing "API Access" and "Manage users’ transactions, templates, layouts (API)" to the account owner

Thanks for the help!

Hello! Looks like you're enjoying the discussion, but haven't signed up for an account.

When you create an account, we remember exactly what you've read, so you always come right back where you left off