NetSuite Roles and Permissions:
A guide to management, cleanup and compliance
A clear and confident understanding of user roles is vital to successfully managing NetSuite. Whether you are implementing a new account, cleaning up an old one or setting up segregation of duties for SOX compliance, you need to have a firm grasp of a few fundamentals.
The information on this page has been adapted from our Crash Course: NetSuite User Roles and Permissions ebook.
Understanding User Roles
NetSuite has a role-based access control system. This means that each user needs a role assigned to them in order to get access, and that role governs what they can see and do in the system.
There are 636 distinct permissions governing 4923 separate tasks, searches and records. In addition, each role can have a preferred or required list view or form for every record and transaction type. And on top of that are all of the contextual settings that govern what data a user sees from different segments and subsidiaries. Depending on the nature of your account, that could be hundreds of thousands of potential combinations.
However, the reality is rarely that complex. In simple terms, roles are made of three things:
- Permissions, which govern what the user can see and do
- Preferred or required forms and list views for each record and transaction type
- Contextual restrictions that govern which subsidiaries and other segments the user can see data from
Understanding User Permissions
Each user role (except Administrator) needs at least one permission. Essentially, a permission is a bundle of rights that govern what a user can and can't do in the system.
Most permissions also have a range of permission levels, from View to Full. They are:
- 🔍View: The user can see the data but cannot change it
- 📋Create: The user can ALSO create a record or transaction, but cannot edit it
- 📝Edit: The user can ALSO change a record or transaction after it was created
- 🌎Full: The user can ALSO DELETE a record or transaction
Be very, very careful about granting Full permission levels to almost anyone, for almost anything. Almost no operational roles should have any transactional permission set at Full.
Three FAQs About User Permissions
Administrators have all permissions AND the ability to grant access to anyone AND the ability to delete your entire account. So you should be very careful about who you give Admin access to!
One key thing to remember is that almost all of the capabilities bundled into the Administrator role are also available as separate permissions. The best way to think about a permission is as a shortcut that lets an Administrator give a role a group of capabilities in one step.
Many permissions are described in relation to a task. This relationship is one of the main sources of confusion around permissions. So what is a task?
A task is basically a path to doing something in NetSuite. It is always represented by one or more interface elements. These elements may be something in the navigation or in a record or transaction interface.
For example, the Sales Order Approval permission turns on and off the Sales Order Approval task. Without this permission, a user cannot approve a sales order.
The “View” permission level controls the navigation and, in some cases, the ability to add a reminder to a dashboard. The other levels control the ability to create, change or delete data in records, transactions or settings, which in turn may change the functionality of an interface by adding a button or enabling an approval status.
This is true not just of data and transactions, but also of configuration (setup) permissions. Additionally, it doesn't really matter whether the capability is called a task or a record: the functional relationship to the permission is the same.
Monitoring Admin Behaviour
In NetSuite, the Administrator role gives users broad transactional powers — and with that comes the potential for fraud. In an ideal world, no one user would be able to create, edit and delete transactions in a production account.
Regularly monitoring and reviewing all transactional changes made by users with admin privileges is a key part of prepping for SOX compliance — not to mention a best practice for staying safe. However, detecting these changes is more difficult than you might expect. As a result, even if you trust your team completely, audit readiness can be a challenge.
The root of the problem is that in NetSuite, some scripts and workflows execute as an administrator even when they are triggered by a user who does not have admin privileges. The result is hundreds or even thousands of false positives when you run a search of system notes for transactional activity under the Administrator role.
Cleaning Up Unused Roles
Access management in NetSuite is much more difficult when you have unused roles in your system. Like other forms of technical debt, unused roles make every decision about access control more difficult. And the longer you put off a cleanup project, the worse the problem gets.
Two types of roles are candidates for cleanup:
- Unassigned roles that are not assigned to anyone
- Unused roles that are assigned but not in use
To find unassigned roles, simply run a search of the employee record and group the results by role. Any user role that isn’t on the list is not assigned to anyone.
To find unused roles, run a search of the Login Audit Trail (Setup>Manage Users>View User Login Audit Trail) for all logins in the last six months. If the role is not on this list, it is not in use.
In a busy account, these searches may time out. To work around the problem, narrow your search to just the roles you are concerned about.
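The two searches above reduce to set arithmetic over their exported rows. The following is an added example, not code from Strongpoint or NetSuite: it runs that logic over constructed exports (the row shapes, employee names, role names and dates are all assumptions) and adds two checks a practitioner would want: a failed login is not evidence of use, and a role held only by an inactive employee is effectively unassigned.

```javascript
// Role cleanup over constructed NetSuite exports (added example, not Strongpoint or NetSuite
// code). Row shapes, names and dates are assumptions; in a real account the rows come from
// an employee search grouped by role and from the Login Audit Trail search described above.
const AS_OF = new Date("2024-05-15"), LOOKBACK_MONTHS = 6;

// Roles defined in the account (constructed).
const ALL_ROLES = ["Administrator", "Accountant", "Accountant (Reviewer)",
  "Sales Rep", "Legacy AP Clerk", "Warehouse Manager"];

// Employee search rows, one per employee/role assignment (constructed).
const EMPLOYEE_ROLES = [
  { employee: "a.patel", role: "Administrator", inactive: false },
  { employee: "j.lee", role: "Accountant", inactive: false },
  { employee: "j.lee", role: "Sales Rep", inactive: false },
  { employee: "m.ortiz", role: "Accountant (Reviewer)", inactive: false },
  { employee: "r.chen", role: "Sales Rep", inactive: false },
  { employee: "old.user", role: "Warehouse Manager", inactive: true },
];

// Login Audit Trail rows (constructed). Only a successful login proves the role was used.
const LOGIN_AUDIT = [
  { user: "a.patel", role: "Administrator", date: "2024-05-02", status: "Success" },
  { user: "j.lee", role: "Accountant", date: "2024-04-18", status: "Success" },
  { user: "r.chen", role: "Sales Rep", date: "2024-03-09", status: "Success" },
  { user: "m.ortiz", role: "Accountant (Reviewer)", date: "2023-09-01", status: "Success" },
  { user: "j.lee", role: "Sales Rep", date: "2024-04-01", status: "Failure" },
];

function monthsBefore(date, months) {
  const d = new Date(date);
  d.setUTCMonth(d.getUTCMonth() - months);
  return d;
}

// Roles no active employee holds. An inactive employee's assignment does not count.
function findUnassignedRoles(allRoles, employeeRoles) {
  const assigned = new Set(employeeRoles.filter(r => !r.inactive).map(r => r.role));
  return allRoles.filter(role => !assigned.has(role)).sort();
}

// "user:role" assignments with no successful login inside the lookback window.
function findUnusedAssignments(employeeRoles, loginAudit, asOf, months) {
  const cutoff = monthsBefore(asOf, months);
  const recent = new Set(loginAudit
    .filter(l => l.status === "Success" && new Date(l.date) >= cutoff && new Date(l.date) <= asOf)
    .map(l => `${l.user}:${l.role}`));
  return employeeRoles.filter(r => !r.inactive && !recent.has(`${r.employee}:${r.role}`))
    .map(r => `${r.employee}:${r.role}`).sort();
}

// Assigned roles where every assignment is unused, i.e. nobody has logged in with them.
function findUnusedRoles(employeeRoles, loginAudit, asOf, months) {
  const unused = new Set(findUnusedAssignments(employeeRoles, loginAudit, asOf, months));
  const active = employeeRoles.filter(r => !r.inactive);
  return [...new Set(active.map(r => r.role))].sort()
    .filter(role => active.filter(r => r.role === role).every(r => unused.has(`${r.employee}:${r.role}`)));
}

console.log("Unassigned roles:", findUnassignedRoles(ALL_ROLES, EMPLOYEE_ROLES));
console.log("Unused roles:", findUnusedRoles(EMPLOYEE_ROLES, LOGIN_AUDIT, AS_OF, LOOKBACK_MONTHS));
console.log("Unused assignments:", findUnusedAssignments(EMPLOYEE_ROLES, LOGIN_AUDIT, AS_OF, LOOKBACK_MONTHS));
```

On this data the Legacy AP Clerk and Warehouse Manager roles come out as unassigned, Accountant (Reviewer) as unused (its only holder last logged in outside the six-month window), and j.lee's Sales Rep assignment as unused because the only login attempt with it failed. Exporting the two searches to CSV and feeding them into this kind of script is also the practical workaround when the searches time out in a busy account.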
Why it's easier with Strongpoint
Strongpoint comes bundled with out-of-the-box searches for identifying unused and unassigned roles in NetSuite.
Strongpoint provides an extra level of security and peace of mind, automatically storing deleted roles in a permanent archive that can be restored at any time.
As mentioned above, scripts and workflows can execute as a role other than the triggering user's. Strongpoint is the only solution that finds scripts that execute as a specific role.
Reviewing Permission Usage
Every time a record is edited, NetSuite creates a system note that describes what was changed, when it changed, by whom and by what role. Using this, we can work backwards to find out what permissions are being used to change data.
If the record type keeps system notes, and there are no system notes showing a user in that role creating or editing the relevant records, the permission is not being actively used (i.e., it is not being used to enter or change data or settings).
However, a permission that is not actively being used may include navigation elements that aren't captured in system notes. So if you're using this method to clean up NetSuite permissions, any candidates you identify should be set to View — not deleted — to prevent navigation issues.
Finally, if you find you need to set a permission to View (or to remove a permission) from a group of custom roles, you can make that change using a mass update. However, be VERY CAREFUL that you are selecting the correct roles!
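Both the admin-monitoring problem described under Monitoring Admin Behaviour and the permission review described in this section come down to reading the same system notes search. The following is an added example, not code from Strongpoint or NetSuite, run over a constructed system notes export (field names, record types, users and roles are assumptions). It uses the note's Context column to separate changes a person made in the UI from changes a script or workflow made while executing as Administrator, and then uses only the interactive notes as evidence of permission use.

```javascript
// System notes review over constructed data (added example, not Strongpoint or NetSuite code).
// Field names and rows are assumptions. "context" stands for the system note Context column:
// scripts and workflows that execute as Administrator write notes under that role even when
// the user who triggered them is not an administrator.
const SYSTEM_NOTES = [
  { date: "2024-05-02", recordType: "journalentry", recordId: 1041, type: "Create", user: "a.patel", role: "Administrator", context: "UI" },
  { date: "2024-05-02", recordType: "journalentry", recordId: 1041, type: "Change", field: "Amount", user: "a.patel", role: "Administrator", context: "UI" },
  { date: "2024-05-03", recordType: "invoice", recordId: 2210, type: "Change", field: "Status", user: "j.lee", role: "Administrator", context: "Workflow" },
  { date: "2024-05-03", recordType: "invoice", recordId: 2211, type: "Change", field: "Status", user: "j.lee", role: "Administrator", context: "Workflow" },
  { date: "2024-05-04", recordType: "vendorbill", recordId: 3301, type: "Create", user: "j.lee", role: "Accountant", context: "UI" },
  { date: "2024-05-04", recordType: "vendorbill", recordId: 3301, type: "Change", field: "Memo", user: "j.lee", role: "Accountant", context: "UI" },
  { date: "2024-05-05", recordType: "vendor", recordId: 77, type: "Change", field: "Email", user: "j.lee", role: "Accountant", context: "Scheduled Script" },
  { date: "2024-05-06", recordType: "salesorder", recordId: 5150, type: "Create", user: "r.chen", role: "Sales Rep", context: "UI" },
  { date: "2024-05-06", recordType: "customer", recordId: 900, type: "Change", field: "Phone", user: "r.chen", role: "Sales Rep", context: "UI" },
];

const TRANSACTION_TYPES = new Set(["journalentry", "invoice", "vendorbill", "salesorder", "check"]);
// Contexts in which a person, not a script, made the change (assumed values).
const INTERACTIVE_CONTEXTS = new Set(["UI", "CSV Import"]);

function countBy(items, keyFn) {
  return items.reduce((acc, x) => { const k = keyFn(x); acc[k] = (acc[k] || 0) + 1; return acc; }, {});
}

// Admin monitoring: transactional changes recorded under the Administrator role, split into
// those a person made interactively and those a script or workflow made while executing as
// Administrator (the false positives that swamp a plain system notes search).
function reviewAdminActivity(notes) {
  const admin = notes.filter(n => n.role === "Administrator" && TRANSACTION_TYPES.has(n.recordType));
  const interactive = admin.filter(n => INTERACTIVE_CONTEXTS.has(n.context));
  const automated = admin.filter(n => !INTERACTIVE_CONTEXTS.has(n.context));
  // Grouping the noise by context points at the script or workflow responsible for it.
  return { interactive, automated, automatedByContext: countBy(automated, n => n.context) };
}

// Permission grid of the roles under review and the record type each permission governs
// (constructed). "Sales Order Approval" is a task permission with no record type of its own.
const ROLE_PERMISSIONS = {
  Accountant: { Bills: "Full", Checks: "Edit", Vendors: "Edit" },
  "Sales Rep": { "Sales Order": "Create", Customers: "Edit", "Sales Order Approval": "Full" },
};
const PERMISSION_RECORD_TYPE = { Bills: "vendorbill", Checks: "check", Vendors: "vendor",
  "Sales Order": "salesorder", Customers: "customer" };

// Permission review: a permission above View whose record type shows no interactive create
// or change under that role is a candidate to set to View (not delete, since it may also
// drive navigation that system notes never record). Task permissions with no record type
// leave no system-note evidence either way and are reported separately.
function reviewPermissionUsage(rolePermissions, permissionRecordType, notes) {
  const touched = new Set(notes
    .filter(n => INTERACTIVE_CONTEXTS.has(n.context) && (n.type === "Create" || n.type === "Change"))
    .map(n => `${n.role}:${n.recordType}`));
  const setToView = [], noEvidence = [];
  for (const [role, perms] of Object.entries(rolePermissions)) {
    for (const [perm, level] of Object.entries(perms)) {
      if (level === "View") continue;
      const recordType = permissionRecordType[perm];
      if (!recordType) noEvidence.push({ role, permission: perm, level });
      else if (!touched.has(`${role}:${recordType}`)) setToView.push({ role, permission: perm, level, recommended: "View" });
    }
  }
  return { setToView, noEvidence };
}

console.log("Admin activity:", reviewAdminActivity(SYSTEM_NOTES));
console.log("Permission usage:", reviewPermissionUsage(ROLE_PERMISSIONS, PERMISSION_RECORD_TYPE, SYSTEM_NOTES));
```

On this data the two invoice status changes attributed to Administrator were made by a workflow on behalf of a non-admin user and drop out of the admin review, leaving only a.patel's journal entry to look at. For the permission review, the Accountant's Checks and Vendors permissions become candidates to set to View (the only vendor change came from a scheduled script), while Sales Order Approval is flagged as something the system notes cannot decide.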
Key Strongpoint Reports
Strongpoint comes with three out-of-the-box reports to help you review permission usage:
Planning and Managing a Cleanup Project
Cleaning up unused roles and reviewing permission usage are just two parts of a comprehensive access review project. This presentation walks you step-by-step through the cleanup process:
Managing Segregation of Duties (SoD)
Segregation of duties is the concept that the same person should not be able to complete subsequent steps on the same chain of transactions. For example, a person who could write checks and also balance the bank account could cover their tracks in a fraud.
Segregation of duties is obviously a big concern when reviewing NetSuite roles and permissions. It's a critical part of SOX compliance, and it's also increasingly called for in private companies.
Standard practice for maintaining segregation of duties is to divide responsibilities between different people with different roles. It can also be achieved by adding a control step, such as a secondary review or approval, on one part of a transaction.
The biggest mistake companies make when implementing SoD is that they don’t clean up their user roles first. The second biggest mistake is that they get too tied up cleaning up their roles. With that in mind, we can chart a much simpler path to get live with SoD:
- Find and deactivate all unused and unassigned roles
- Find and remove all unused role assignments
- Check for SoD conflicts within roles using Strongpoint’s rules library
- Check if the conflicting permissions are being actively used; if not, set them to “View” to resolve the conflict.
- Resolve any remaining conflicts by building smart controls using Strongpoint Agent.
- Check for multi-role conflicts and resolve them using Agent.
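The steps above (check each role against a rules library, set unused conflicting permissions to View, then document a control for what remains, and finally check for conflicts that only appear when a user holds several roles) can be expressed as a small, self-contained check. The following is an added example, not Strongpoint's rules library or Agent: rule IDs, permission names, roles, users and the control are assumptions chosen to mirror the check-writing versus bank-reconciliation example above.

```javascript
// Segregation-of-duties check over constructed data (added example, not Strongpoint's rules
// library or Agent). Rule ids, permission names, roles, users and the control are assumptions
// chosen to mirror the page's check-writing versus bank-reconciliation example.
const LEVEL_RANK = { None: 0, View: 1, Create: 2, Edit: 3, Full: 4 };

// A rule pairs two permissions that one person should not hold above View level.
const SOD_RULES = [
  { id: "AP-01", a: "Vendors", b: "Bills", risk: "set up a fictitious vendor and bill from it" },
  { id: "AP-02", a: "Bills", b: "Pay Bills", risk: "enter and pay the same bill" },
  { id: "TR-01", a: "Checks", b: "Reconcile Bank Statement", risk: "write a check and hide it in the reconciliation" },
];

// Role permission grids and user/role assignments (constructed).
const ROLES = {
  "AP Clerk": { Vendors: "Edit", Bills: "Full", "Pay Bills": "View" },
  "AP Payer": { Bills: "View", "Pay Bills": "Full" },
  Controller: { Checks: "Full", "Reconcile Bank Statement": "Full" },
};
const USERS = { "j.lee": ["AP Clerk", "AP Payer"], "m.ortiz": ["Controller"], "r.chen": ["AP Payer"] };

const aboveView = level => LEVEL_RANK[level || "None"] > LEVEL_RANK.View;
const roleHasBoth = (perms, rule) => aboveView(perms[rule.a]) && aboveView(perms[rule.b]);

// Conflicts that exist inside a single role, whoever holds it.
function findRoleConflicts(roles, rules) {
  const out = [];
  for (const [role, perms] of Object.entries(roles))
    for (const rule of rules) if (roleHasBoth(perms, rule)) out.push({ rule: rule.id, role });
  return out;
}

// Highest level of each permission a user gets across all assigned roles, and which role grants it.
function effectivePermissions(roleNames, roles) {
  const eff = {};
  for (const roleName of roleNames)
    for (const [perm, level] of Object.entries(roles[roleName]))
      if (!eff[perm] || LEVEL_RANK[level] > LEVEL_RANK[eff[perm].level]) eff[perm] = { level, via: roleName };
  return eff;
}

// Conflicts per user. multiRole marks those no single role explains: two otherwise
// clean roles become a conflict only because the same person holds both.
function findUserConflicts(users, roles, rules) {
  const out = [];
  for (const [user, roleNames] of Object.entries(users)) {
    const eff = effectivePermissions(roleNames, roles);
    for (const rule of rules) {
      const a = eff[rule.a], b = eff[rule.b];
      if (!a || !b || !aboveView(a.level) || !aboveView(b.level)) continue;
      const multiRole = !roleNames.some(r => roleHasBoth(roles[r], rule));
      out.push({ rule: rule.id, user, multiRole, via: [a.via, b.via] });
    }
  }
  return out;
}

// Mitigation 1: a permission that system notes show nobody uses is set to View.
// Returns a new grid; the original is left untouched for comparison.
function downgradeToView(roles, roleName, permission) {
  return { ...roles, [roleName]: { ...roles[roleName], [permission]: "View" } };
}

// Mitigation 2: a documented control (e.g. a secondary review) leaves the access in place
// but closes the finding, so only conflicts without a control stay open.
function openConflicts(conflicts, controls) {
  return conflicts.filter(c => !controls.some(k => k.rule === c.rule && k.user === c.user));
}

const CONTROLS = [{ rule: "TR-01", user: "m.ortiz", control: "Bank reconciliations are reviewed and approved by the CFO" }];
const cleanedRoles = downgradeToView(ROLES, "AP Clerk", "Vendors");   // Vendors: Edit showed no use
const remaining = openConflicts(findUserConflicts(USERS, cleanedRoles, SOD_RULES), CONTROLS);

console.log("Within-role conflicts:", findRoleConflicts(ROLES, SOD_RULES));
console.log("User conflicts after cleanup:", findUserConflicts(USERS, cleanedRoles, SOD_RULES));
console.log("Still open:", remaining);
```

Two things the example shows that the list alone does not: the within-role check on AP Clerk and Controller finds conflicts before anyone is assigned to them, and j.lee's AP-02 conflict never appears in that check at all, because each of AP Clerk and AP Payer is clean on its own and the conflict only exists once both roles land on the same person. That is why the multi-role pass is a separate, final step.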
Watch the webinar
Segregation of duties doesn't have to be stressful. Watch our webinar and learn how to get up and running in record time:
SOX Compliance and Access Controls
As mentioned above, SoD — and access review in general — is a big part of SOX compliance. Auditors want to see that fraud prevention controls are built into the system and supported by well-defined roles and permission assignments.
The problem is that traditional SoD access reviews are snapshots in time. NetSuite teams prepare their roles and permissions for quarterly review, often at great expense. This approach requires extensive manual review of related changes and hours of work investigating false positives. As well, it doesn't give you — or your auditors — any confidence that conflicts occurring between audits will be caught and addressed.
The result is that audit costs balloon, stress levels are high, and material deficiencies, which further compound both issues, are common. What's more, there's no real protection built into the system, so even if you struggle through an audit you're not really protected against fraud, which is the point of SOX to begin with.
The Continuous Compliance Approach to Access Management
Strongpoint is the only native SoD solution for NetSuite. Based on our 'continuous compliance' approach to SOX, it monitors roles and permission changes on an ongoing basis, giving you an audit-ready look at access, at any time.
Strongpoint can also block particularly unsafe changes, such as granting Admin rights without prior approval. It implements quickly, so you can get up and running with less stress.
Pre-built rule libraries and tools integrated into the employee record let you quickly implement detective, blocking and mitigating controls that govern access to critical roles and permissions, and prove it to auditors.
Take a Deep Dive into SOX
Access is just one part of SOX compliance in NetSuite. We've got a three-part webinar series walking you through everything you need to know to make compliance easy and reduce the stress of an audit:
See It in Action
Find out why some of the hottest unicorn companies trust Strongpoint to manage access, compliance and more.