The SBE checks that the user in the SubmitOrderRequest header belongs to the role defined by the "OHSBERole" config value in the "SBEMasterController.config" file.
This means that the user usually must be in the YOURDOMAIN\Requestors@CSF_SBE group.
One typical configuration mistake is to have the following content in the SBEMasterController.config file:
<ConfigValue key="OHSBERole" value="CSF\Requestors@CSF_SBE"/>
Obviously, replace "CSF" with your domain name and try again :)
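
A check for this misconfiguration, as an added example that is not part of the original post: it parses the config text and verifies that the domain prefix of OHSBERole matches the domain you expect. Only the ConfigValue line comes from the post; the `<Configuration>` wrapper element, the function name `check_ohsbe_role` and the `CONTOSO` domain are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample. Only the ConfigValue line is from the post; the
# <Configuration> wrapper is an assumption about the file layout.
SAMPLE_CONFIG = r'''<Configuration>
  <ConfigValue key="OHSBERole" value="CSF\Requestors@CSF_SBE"/>
</Configuration>'''


def check_ohsbe_role(config_xml, expected_domain):
    """Return (ok, message) for the OHSBERole entry in the config text."""
    root = ET.fromstring(config_xml)
    # Match ConfigValue at any depth, ignoring an XML namespace if present.
    values = [e.get("value", "") for e in root.iter()
              if e.tag.rsplit("}", 1)[-1] == "ConfigValue"
              and e.get("key") == "OHSBERole"]
    if not values:
        return False, "OHSBERole is not defined"
    if len(values) > 1:
        return False, "OHSBERole is defined more than once"
    role = values[0]
    domain, sep, group = role.partition("\\")
    if not sep or not domain or not group:
        return False, f"OHSBERole {role!r} is not in DOMAIN\\group form"
    # Windows domain names compare case-insensitively.
    if domain.lower() != expected_domain.lower():
        return False, (f"OHSBERole uses domain {domain!r}; "
                       f"expected {expected_domain}\\{group}")
    return True, f"OHSBERole is {role}"


if __name__ == "__main__":
    # CONTOSO stands in for your own domain name (hypothetical value).
    ok, message = check_ohsbe_role(SAMPLE_CONFIG, "CONTOSO")
    print("OK" if ok else "FAIL", "-", message)
```

To check a deployed file, read SBEMasterController.config into a string and pass it with your domain name in place of `CONTOSO`.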