# Connecting to Docusign Monitor
Docusign Monitor helps organizations protect their agreements with round-the-clock activity tracking. The Monitor API delivers this activity tracking information directly to existing security stacks or data visualization tools—enabling teams to detect unauthorized activity, investigate incidents, and quickly respond to verified threats. It also provides the flexibility, security teams need to customize dashboards and alerts to meet specific business needs.
**Topics**
+ [AWS Glue support for Docusign Monitor](docusign-monitor-support.md)
+ [Policies containing the API operations for creating and using connections](docusign-monitor-configuring-iam-permissions.md)
+ [Configuring Docusign Monitor](docusign-monitor-configuring.md)
+ [Configuring Docusign Monitor connections](docusign-monitor-configuring-connections.md)
+ [Reading from Docusign Monitor entities](docusign-monitor-reading-from-entities.md)
+ [Docusign Monitor connection options](docusign-monitor-connection-options.md)
+ [Docusign Monitor limitations](docusign-monitor-connection-limitations.md)
# AWS Glue support for Docusign Monitor
AWS Glue supports Docusign Monitor as follows:
**Supported as a source?**
Yes. You can use AWS Glue ETL jobs to query data from Docusign Monitor.
**Supported as a target?**
No.
**Supported Docusign Monitor API versions**
The following Docusign Monitor API versions are supported:
+ v2.0
# Policies containing the API operations for creating and using connections
The following sample policy describes the required AWS IAM permissions for creating and using connections. If you are creating a new role, create a policy that contains the following:
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"glue:ListConnectionTypes",
"glue:DescribeConnectionType",
"glue:RefreshOAuth2Tokens",
"glue:ListEntities",
"glue:DescribeEntity"
],
"Resource": "*"
}
]
}
```
------
If you don't want to use the above method, alternatively use the following managed IAM policies:
+ [AWSGlueServiceRole](https://console.aws.amazon.com/iam/home#policies/arn:aws:iam::aws:policy/service-role/AWSGlueServiceRole) – Grants access to resources that various AWS Glue processes require to run on your behalf. These resources include AWS Glue, Amazon S3, IAM, CloudWatch Logs, and Amazon EC2. If you follow the naming convention for resources specified in this policy, AWS Glue processes have the required permissions. This policy is typically attached to roles specified when defining crawlers, jobs, and development endpoints.
+ [AWSGlueConsoleFullAccess](https://console.aws.amazon.com/iam/home#policies/arn:aws:iam::aws:policy/AWSGlueConsoleFullAccess) – Grants full access to AWS Glue resources when an identity that the policy is attached to uses the AWS Management Console. If you follow the naming convention for resources specified in this policy, users have full console capabilities. This policy is typically attached to users of the AWS Glue console.
# Configuring Docusign Monitor
Before you can use AWS Glue to transfer data from Docusign Monitor to supported destinations, you must meet these requirements:
## Minimum requirements
The following are minimum requirements:
+ You have an Docusign account where you use the Docusign Software product in Docusign Monitor.
+ In the developer console for your Docusign account, you've created an OAuth 2.0 integration app for AWS Glue.
This app provides the client credentials that AWS Glue uses to access your data securely when it makes authenticated calls to your account. For more information, see [OAuth 2.0](https://developers.docusign.com/platform/webhooks/connect/validation-and-security/oauth-connect/) in the Docusign Monitor documentation.
If you meet these requirements, you’re ready to connect AWS Glue to your Docusign Monitor account.
# Configuring Docusign Monitor connections
Docusign Monitor supports the AUTHORIZATION\$1CODE grant type.
+ This grant type is considered three-legged OAuth as it relies on redirecting users to the third-party authorization server to authenticate the user. It is used when creating connections via the AWS Glue console.
+ Users may opt to create their own connected app in Docusign Monitor and provide their own client ID and client secret when creating connections through the AWS Glue console. In this scenario, they will still be redirected to Docusign Monitor to login and authorize AWS Glue to access their resources.
+ This grant type results in a refresh token and an access token. The access token is short lived, and may be refreshed automatically without user interaction using the refresh token.
+ For public Docusign Monitor documentation on creating a connected app for the Authorization Code OAuth flow, see [OAuth for Docusign Connect](https://developers.docusign.com/platform/webhooks/connect/validation-and-security/oauth-connect/).
To configure a Docusign Monitor connection:
1. In AWS Secrets Manager, create a secret with the following details:
1. For the customer managed connected app, the Secret should contain the connected app API key with `USER_MANAGED_CLIENT_APPLICATION_CLIENT_SECRET` as key.
1. Note: you must create a secret for your connections in AWS Glue.
1. In AWS Glue Glue Studio, create a connection under **Data Connections** by following the steps below:
1. Under **Connections**, choose **Create connection**.
1. When selecting a **Data Source**, select Docusign Monitor.
1. Select the AWS IAM role which AWS Glue can assume and has permissions for following actions:
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"secretsmanager:DescribeSecret",
"secretsmanager:GetSecretValue",
"secretsmanager:PutSecretValue",
"ec2:CreateNetworkInterface",
"ec2:DescribeNetworkInterfaces",
"ec2:DeleteNetworkInterface"
],
"Resource": "*"
}
]
}
```
------
1. Provide the **User Managed Client Application ClientId** of the Docusign Monitor app.
1. Select the `secretName` which you want to use for this connection in AWS Glue to put the tokens.
1. Select the network options if you want to use your network.
1. Grant the IAM role associated with your AWS Glue job permission to read `secretName`.
# Reading from Docusign Monitor entities
**Prerequisite**
A Docusign Monitor object you would like to read from.
**Supported entities for source**:
| Entity | Can be filtered | Supports limit | Supports Order by | Supports Select \$1 | Supports partitioning |
| --- | --- | --- | --- | --- | --- |
| Monitoring Data | Yes | Yes | No | Yes | No |
**Example**:
```
docusignmonitor_read = glueContext.create_dynamic_frame.from_options(
connection_type="docusign_monitor",
connection_options={
"connectionName": "connectionName",
"ENTITY_NAME": "monitoring-data",
"API_VERSION": "v2.0"
}
```
## Docusign Monitor entity and field details
Entities with static metadata:
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/glue/latest/dg/docusign-monitor-reading-from-entities.html)
**Partitioning queries**
Docusign Monitor doesn’t support either field-based or record-based partitioning.
# Docusign Monitor connection options
The following are connection options for Docusign Monitor:
+ `ENTITY_NAME`(String) - (Required) Used for Read. The name of your object in Docusign Monitor.
+ `API_VERSION`(String) - (Required) Used for Read. Docusign Monitor Rest API version you want to use.
+ `SELECTED_FIELDS`(List) - Default: empty(SELECT \$1). Used for Read. Columns you want to select for the object.
+ `QUERY`(String) - Default: empty. Used for Read. Full Spark SQL query.
+ `FILTER_PREDICATE`(String) - Default: empty. Used for Read. It should be in the Spark SQL format.
# Docusign Monitor limitations
The following are limitations or notes for Docusign Monitor:
+ When a filter is applied using the `cursor` field, the API retrieves records for the next seven days starting from the specified date.
+ If no filter is provided, the API retrieves records for the previous seven days from the current date of the API request.
+ Docusign Monitor does not support either field-based or record-based partitioning.
+ Docusign Monitor does not support the Order By feature.