There is only one Reader Extensions Role ....called Reader Extensions Web Application User. This gives the user the right to log into the web application that applies the rights to the PDF. If you are using that application that is all you need to do.
The url to the app is:
Are you applying rights through a different means?
I was only following what was in the documentation http://blogs.adobe.com/livecycle/2008/10/configuring_authorization_for.html
I do not intend to use the web page tool for applying reader extensions. I plan to create a watch folder, but I also want the option of using SOAP.
What does the user require to be authorized to invoke the Reader Extensions service (i.e. what permissions are required for the user's role)?
OK ...they are referring to the security to allow your orchestration to be run. This is controlled in the adminui. If you log into http://servername:portNumber/adminui as your administrator account. Then click on Services/Applications and Services/Service Management. This will give you a list of all running services in your system. Do a serach for your specific service and once you find it click on the link. This will give you information specific to that service. Click on the Security tab and this is where you can remove security and also enter a user for impersanation (your service will call other services so rather than turning security off everywhere you can impersonate another user). Set this to the system account.
Now you should be good to go.