NetSuite Access Management:
Monitor, manage and lock down roles and permissions
Strongpoint is a NetSuite-native app that automates and tracks some of the most labor-intensive parts of access management.
Read on to learn what it can do, or get in touch to book a demo.
Role and Permission Cleanup
When it comes to access management, getting rid of technical debt makes everything that follows easier. Cleaning up and streamlining roles and permissions makes it easier to see who can do what in the system. From there, you can take steps to build out a better security posture or prep for a segregation of duties project.
It's possible to do this using system notes and saved searches, but it's time-consuming, and it isn't foolproof, either. Strongpoint simplifies the process with out-of-the-box reports to both target 'low-hanging fruit' such as unused roles, and drill down on access at the permission level.
Watch the video for a quick overview, or check out a webinar for a closer look at Strongpoint's tools.
The Cleanup Cadence
There are many ways to approach a role and permission cleanup project. Strongpoint gives you tools to take a systematic, step-by-step approach. Our recommended cleanup cadence is as follows:
Identify employees using standard roles
Identify employees with multiple role assignments
Review and clean up global permissions
Identify and inactivate unassigned roles
Identify assigned roles that haven't been used in > six months
Review permission usage by role
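The six cadence steps above are queries over three kinds of data: the role catalogue, role assignments with their last-use dates, and permission-usage events. The script below is an added example (not Strongpoint code and not a NetSuite API) that runs each step over constructed rows shaped like a saved-search export; every field name, role name and permission name in it is an assumption chosen for illustration.

```python
"""Role and permission cleanup cadence over constructed saved-search-style rows.

Added example, not Strongpoint code. Field names (employee, role, standard,
last_used, permission) are assumptions standing in for whatever columns your
own saved searches export.
"""
import calendar
from collections import defaultdict
from datetime import date

# Constructed role catalogue. 'standard' marks a NetSuite-supplied role that was
# never customized; 'permissions' is the set of permissions the role grants.
ROLES = {
    "Accountant": {"standard": True, "permissions": {"Vendors", "Bills", "Journal Entries"}},
    "Custom AP Clerk": {"standard": False, "permissions": {"Vendors", "Bills"}},
    "Custom Buyer": {"standard": False, "permissions": {"Purchase Orders", "Vendors"}},
    "Legacy Reporting": {"standard": False, "permissions": {"Reports"}},
}

# Constructed role assignments; last_used is the last login under that role (None = never).
ASSIGNMENTS = [
    {"employee": "alice", "role": "Accountant", "last_used": date(2024, 1, 10)},
    {"employee": "alice", "role": "Custom Buyer", "last_used": date(2023, 2, 1)},
    {"employee": "bob", "role": "Custom AP Clerk", "last_used": date(2024, 3, 5)},
    {"employee": "carol", "role": "Custom Buyer", "last_used": None},
]

# Constructed global permissions (granted directly to a person, outside any role)
# and permission-usage events (which permission was exercised, under which role).
GLOBAL_PERMISSIONS = {"alice": {"Journal Entries"}, "bob": set()}
USAGE_EVENTS = [
    {"employee": "alice", "role": "Accountant", "permission": "Bills"},
    {"employee": "bob", "role": "Custom AP Clerk", "permission": "Bills"},
    {"employee": "bob", "role": "Custom AP Clerk", "permission": "Vendors"},
]
CLEANUP_AS_OF = date(2024, 4, 1)  # the date the review is run (constructed)


def months_ago(d, n):
    """Calendar date n months before d, clamped to the last valid day of that month."""
    year, month = d.year, d.month - n
    while month <= 0:
        month += 12
        year -= 1
    return d.replace(year=year, month=month, day=min(d.day, calendar.monthrange(year, month)[1]))


def employees_using_standard_roles(assignments, roles):
    """Step 1: who is assigned a standard (NetSuite-supplied, uncustomized) role."""
    found = defaultdict(list)
    for a in assignments:
        if roles[a["role"]]["standard"]:
            found[a["employee"]].append(a["role"])
    return {e: sorted(r) for e, r in found.items()}


def employees_with_multiple_roles(assignments):
    """Step 2: employees holding more than one role."""
    by_emp = defaultdict(set)
    for a in assignments:
        by_emp[a["employee"]].add(a["role"])
    return {e: sorted(r) for e, r in by_emp.items() if len(r) > 1}


def global_permissions_to_review(global_perms):
    """Step 3: direct grants that bypass role-based control; each needs a justification."""
    return {e: sorted(p) for e, p in global_perms.items() if p}


def unassigned_roles(assignments, roles):
    """Step 4: roles nobody holds, candidates for inactivation."""
    assigned = {a["role"] for a in assignments}
    return sorted(r for r in roles if r not in assigned)


def stale_assignments(assignments, as_of, months=6):
    """Step 5: assigned roles not used in the last `months` months (never used counts as stale)."""
    cutoff = months_ago(as_of, months)
    return sorted((a["employee"], a["role"]) for a in assignments
                  if a["last_used"] is None or a["last_used"] < cutoff)


def permission_usage_by_role(roles, events):
    """Step 6: per role, which granted permissions were exercised and which never were."""
    used = defaultdict(set)
    for ev in events:
        used[ev["role"]].add(ev["permission"])
    return {r: {"used": sorted(used[r] & roles[r]["permissions"]),
                "unused": sorted(roles[r]["permissions"] - used[r])}
            for r in roles}


def cleanup_report(as_of=CLEANUP_AS_OF):
    """Run the whole cadence in order and return one dict for review."""
    return {
        "standard_roles": employees_using_standard_roles(ASSIGNMENTS, ROLES),
        "multiple_roles": employees_with_multiple_roles(ASSIGNMENTS),
        "global_permissions": global_permissions_to_review(GLOBAL_PERMISSIONS),
        "unassigned_roles": unassigned_roles(ASSIGNMENTS, ROLES),
        "stale_assignments": stale_assignments(ASSIGNMENTS, as_of),
        "permission_usage": permission_usage_by_role(ROLES, USAGE_EVENTS),
    }


if __name__ == "__main__":
    for section, rows in cleanup_report().items():
        print(section, rows)
```

Running the steps in this order matters: inactivating an unassigned role (step 4) or a stale assignment (step 5) shrinks the permission set you have to justify in step 6, and a permission that no role ever exercised is the first candidate for removal.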
For audit and security purposes, it's not enough to clean up unused roles and permissions. You need a formal system for conducting regular reviews and approving changes — whether they're necessary changes or temporary ones.
Strongpoint's access review feature automates the most time-consuming parts of access review, letting you assign owners and schedule periodic reviews of membership as well as permissions included in roles. Best of all, it tracks everything in an audit-ready log, so you can prove to internal or external auditors that the appropriate processes were followed.
Visit our Access Review page to see a full demo.
Segregation of Duties Rules Library
SoD projects are difficult and time-consuming. Strongpoint's SoD module saves you months of work and plenty of headaches. It all starts with our rules library — a collection of best practices we've built based on years of working with auditors, accountants and systems departments.
Use pre-built rules or configure them to your requirements to get a detailed report on current and future conflicts. Then, you can leverage our advanced capabilities to analyze actual usage of roles to effectively resolve conflicts. You'll know instantly if a conflict can be resolved, requires more detailed management review or compensating controls.
Visit our SoD page for more information.
Typical SoD Issues
Procure to Pay
Procure to pay functions can often create significant SoD risk. Vendor Master and Purchase Order permissions can be difficult to manage.
Administrator and power-user roles should not be granted without prior approval, and their transactional activity should be tracked.
Assignment of Access
Assignment of access should be monitored closely with approvals documented. Automated assignment, removal, and temporary access should also be enforced.
Many out-of-the-box accounting roles will also include high permission levels. These general roles should be looked at closely to enforce least privilege.
Strongpoint gives you multiple ways to manage SoD conflicts. Some can be eliminated by a role and permissions cleanup. Some are 'phantom conflicts' caused by scripts or workflows executing as Admin. Some will require review by an internal authority. And some are so high-risk that they should be blocked outright without prior approval.
Strongpoint lets you create blocking controls for Admin access and other role assignments that can create SoD conflicts. In this video demo, we can see that Strongpoint has blocked a role assignment because it wasn't tied to an existing change request.
Learn more about role blocking in our Building Smarter Controls webinar.
Even with the tightest controls in place, there will be times when conflicts are necessary. The typical NetSuite customer has to be flexible — employees often have to wear multiple hats as the business evolves.
So how do you enable that flexibility while still keeping security and compliance top of mind? Agent Controls.
Strongpoint Agent monitors transactional behavior by Admins and other users with conflicting access, and gives you a system for tracking and reporting on exception reviews and approvals. It's all airtight, audit-ready and, most of all, easy to use, saving you countless hours of reviewing system notes.
Managing False Positives
The secret about financial exceptions is that many of the conflicts that show up in system notes aren't real conflicts at all. Often, in NetSuite, scripts and workflows will execute using the Admin role — it's a common workaround when developing new customizations — making a simple automation look like transactional activity.
Strongpoint is the only system that allows you to identify false positives, making it easy to avoid hours of work and prove to auditors that you're focusing your efforts on actual violations.
In this demo you'll see how our exclusive 'cross-match' feature does just that.
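The rules-library triage described under Segregation of Duties Rules Library (resolvable, needs management review, or compensating controls) and the cross-match against script and workflow activity described here are the same computation: compare the permissions a person holds on paper against the activity actually attributable to that person. The script below is an added example, not Strongpoint's code or its cross-match implementation. The SoD rule pairs, roles, assignments and system-note rows are constructed around the procure-to-pay case the page mentions (vendor master versus purchase orders); the execution-context labels in the `context` field are assumptions standing in for whatever your system notes record about how a change was made.

```python
"""SoD conflict check with usage analysis and a script/workflow cross-match.

Added example, not Strongpoint code. Rules, roles, assignments, system-note rows
and the context labels are all constructed for illustration.
"""
from collections import defaultdict

# Constructed SoD rules: pairs of permissions one person should not hold together.
SOD_RULES = [
    ("Vendors: Edit", "Purchase Orders: Approve"),
    ("Vendors: Edit", "Bills: Pay"),
]

# Constructed role catalogue and role assignments.
ROLE_PERMISSIONS = {
    "Administrator": {"Vendors: Edit", "Purchase Orders: Approve", "Bills: Pay"},
    "AP Clerk": {"Vendors: Edit"},
    "Buyer": {"Purchase Orders: Approve"},
}
ASSIGNMENTS = {
    "alice": {"AP Clerk", "Buyer"},
    "bob": {"AP Clerk"},
    "carol": {"AP Clerk", "Buyer"},
    "dave": {"Administrator"},
}

# Constructed system-note rows: who exercised which permission and in what
# execution context. Non-interactive contexts are automation running as the
# user, not something the person did.
SYSTEM_NOTES = [
    {"user": "alice", "permission": "Vendors: Edit", "context": "User Interface"},
    {"user": "alice", "permission": "Purchase Orders: Approve", "context": "User Interface"},
    {"user": "carol", "permission": "Vendors: Edit", "context": "User Interface"},
    {"user": "dave", "permission": "Vendors: Edit", "context": "Scheduled Script"},
    {"user": "dave", "permission": "Bills: Pay", "context": "Workflow"},
    {"user": "dave", "permission": "Purchase Orders: Approve", "context": "User Interface"},
]
AUTOMATION_CONTEXTS = {"Scheduled Script", "Workflow", "Suitelet", "RESTlet", "Map/Reduce"}


def effective_permissions(user, assignments, role_permissions):
    """Union of the permissions granted by every role the user holds."""
    perms = set()
    for role in assignments.get(user, ()):
        perms |= role_permissions[role]
    return perms


def static_conflicts(assignments, role_permissions, rules):
    """Conflicts on paper: the user holds both sides of a rule, across any roles."""
    out = []
    for user in sorted(assignments):
        perms = effective_permissions(user, assignments, role_permissions)
        out.extend((user, a, b) for a, b in rules if a in perms and b in perms)
    return out


def usage_by_context(notes):
    """Cross-match: split recorded activity into what the person did (interactive)
    and what automation did while running as that person."""
    interactive, automated = defaultdict(set), defaultdict(set)
    for n in notes:
        bucket = automated if n["context"] in AUTOMATION_CONTEXTS else interactive
        bucket[n["user"]].add(n["permission"])
    return interactive, automated


def classify_conflicts(assignments, role_permissions, rules, notes):
    """Triage each static conflict:
    'review'     both sides exercised by the person: management review or compensating control
    'phantom'    the conflict only looks active because automation ran as this user
    'resolvable' at least one side never exercised: remove that role or permission."""
    interactive, automated = usage_by_context(notes)
    result = {}
    for user, a, b in static_conflicts(assignments, role_permissions, rules):
        person = interactive[user]
        recorded = person | automated[user]
        if a in person and b in person:
            status = "review"
        elif a in recorded and b in recorded:
            status = "phantom"
        else:
            status = "resolvable"
        result[(user, a, b)] = status
    return result


if __name__ == "__main__":
    for conflict, status in classify_conflicts(ASSIGNMENTS, ROLE_PERMISSIONS, SOD_RULES, SYSTEM_NOTES).items():
        print(status, conflict)
```

In the constructed data, alice exercised both sides of the vendor/purchase-order rule herself and needs a management decision; carol holds both roles but has only ever edited vendors, so dropping her Buyer role removes the conflict; dave's conflicts appear in the system notes only because a scheduled script and a workflow executed as Administrator, which is exactly the false-positive pattern the text describes. The cross-match removes the phantom conflicts from the activity review but leaves the static conflict visible, because the Administrator role still holds all three permissions.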
Crash Course: User Roles and Permissions
Need a refresher on NetSuite's access controls? Get our free ebook for an overview of how roles, permissions and access work — and how to optimize your account for security and flexibility.
NetSuite Access — An Overview in One Minute (and Five Seconds)
Access controls in NetSuite are complicated in theory. And for many companies, they're even more complicated in practice — more complicated than they need to be. Implementing the Principle of Least Privilege is a recognized best practice for NetSuite access management. So why is it so hard to ensure that every user only has the permissions they need to do their job, and nothing more?
In our experience, four reasons:
When roles and permissions build up, it's hard to get visibility into who can do and see what
Most organizations don't have formal policies for on/offboarding and regular access review
Planning for staff turnover/absence requires flexibility — without sacrificing security
SOX requirements may mandate access reviews on a yearly, quarterly, monthly or even weekly basis
So on one hand, you have the ideal world where the Principle of Least Privilege is in place and access reviews are taking place regularly. And on the other, you have the real world, where complexity and uncertainty meet informal planning and increasingly strict requirements from your auditors.
What can a business running NetSuite do to bridge this gap?
Book a Free Access Assessment
How secure is your financial data? Can you track changes to roles and permissions? Do you have appropriate onboarding/offboarding processes in place?
Most importantly, have you automated the difficult, time-consuming work of answering these questions? If not, there's a good chance Strongpoint can help.
Get in touch today for a free NetSuite user access assessment from our experts.