NetSuite Customization - Roles and Permissions Best Practices

Sonny Spencer, BFP, ACA

November 12, 2024

11 min read

Introduction

NetSuite roles and permissions govern access to the application. From both a security and a user experience perspective it is critical that these are configured correctly. Managing roles and permissions is not straightforward. Fortunately, NetSuite provides highly customizable user roles and related permissions that give NetSuite Administrators the ability to customize access to meet their specific business needs.

Salto Tip: As new NetSuite custom record types are added to the system, the NetSuite user role interface is updated to incorporate these new record types. Permissions can then be assigned to the custom records as for other native records.


Importance of Customizing Roles and Permissions

One of the great things about the NetSuite application is the ability to customize the system to comply with your requirements. This is equally important for customizing access to the application, in this case through custom roles and associated permission levels.

Whether you are a public company or not, it is essential that you understand the access granted to each user. Access should be aligned with the “principle of least privilege”. This is the concept that users should only be granted access to a system to perform their assigned duties and nothing more (or less).

NetSuite allows for four levels of access:

  • View - Read only access
  • Create - Ability to view and create records, but not edit
  • Edit - Ability to view, create and edit records, but not delete
  • Full - Ability to view, create, edit and delete records

Salto Tip: Don’t just rely upon the user roles and permissions to determine user access. There are many other areas of NetSuite that dictate access to a given record or function within the application. Let’s explore a few.

Global Permissions

When the global permissions feature is enabled in your NetSuite environment, you are able to add specific permissions to employee records that will apply to every role granted to an employee. These override any user role restrictions. As such, it is best to use this feature sparingly, or better yet not at all.

You can enable this system feature by navigating to: Setup > Company > Enable Features > Employees

Screenshot showing the “Global Permissions” feature in NetSuite
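The two passages above (the four access levels, and global permissions overriding whatever a role restricts) are easiest to reason about as a small model. The following is an added example, not code from Salto or from NetSuite: it ranks the access levels, merges a constructed employee's global permissions over each of their roles, and reports every place where a global permission silently grants more than the role was designed to allow. Role names, permission names and the employee record are all constructed for illustration.

```javascript
// Added example (not Salto's or NetSuite's code): a model of how NetSuite
// access levels combine when an employee holds several roles and also has
// global permissions. Role, permission and employee data are constructed.

// The four NetSuite access levels, ordered so that a higher rank includes
// the capabilities of the lower ones (View < Create < Edit < Full).
const LEVELS = ["None", "View", "Create", "Edit", "Full"];
const rank = (level) => LEVELS.indexOf(level);

// Constructed role definitions: permission name -> access level.
const ROLES = {
  "AR Clerk":   { "Invoice": "Create", "Customers": "View", "Customer Payment": "Edit" },
  "AR Manager": { "Invoice": "Edit",   "Customers": "Edit", "Credit Memo": "Full" },
};

// Constructed employee record. Global permissions apply to every role the
// employee can log in with, regardless of what that role restricts.
const EMPLOYEE = {
  name: "J. Doe",
  roles: ["AR Clerk", "AR Manager"],
  globalPermissions: { "Invoice": "Full", "Customers": "View" },
};

// Effective access for one role session: the role's own level, raised by
// any global permission on the same record. The result also says whether
// the global permission overrode a tighter role setting.
function effectiveAccess(employee, roleName, permission) {
  const roleLevel = (ROLES[roleName] || {})[permission] || "None";
  const globalLevel = employee.globalPermissions[permission] || "None";
  const overridden = rank(globalLevel) > rank(roleLevel);
  return { level: overridden ? globalLevel : roleLevel, overridden, roleLevel, globalLevel };
}

// Audit helper: every (role, permission) pair where a global permission
// grants more than the role does. This is the list a reviewer wants before
// trusting the role definitions alone.
function globalOverrides(employee) {
  const findings = [];
  for (const roleName of employee.roles) {
    for (const permission of Object.keys(employee.globalPermissions)) {
      const r = effectiveAccess(employee, roleName, permission);
      if (r.overridden) {
        findings.push(`${employee.name} / ${roleName}: ${permission} ${r.roleLevel} -> ${r.globalLevel} (global permission)`);
      }
    }
  }
  return findings;
}

// Only the Full level allows deletion.
function canDelete(employee, roleName, permission) {
  return effectiveAccess(employee, roleName, permission).level === "Full";
}

for (const line of globalOverrides(EMPLOYEE)) console.log(line);
```

Run as-is, the report shows that the constructed "Invoice: Full" global permission turns both the AR Clerk (Create) and AR Manager (Edit) sessions into sessions that can delete invoices, which is exactly the kind of silent widening the section warns about.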

Audiences

When working with NetSuite customizations such as SuiteScripts and Workflows, you have the ability to designate access to a given script or workflow at the user role level. In many cases it will be appropriate to grant access to “All Roles”, but in others it will be important to restrict access to a subset of roles.

You can set the appropriate access by navigating to the audience tab on a given record.

Screenshot showing the “Audience” tab on a Script Deployment record

Saved Search Configuration

When creating a saved search in NetSuite you have the ability to customize user access to the saved search (and its results) in numerous ways. Firstly, the “Public” checkbox, when checked, allows users with sufficient permissions to access the saved search. Next, you can allow users to access the saved search results even if their user roles would not normally allow access. This is done by checking the “Run Unrestricted” checkbox. You can also determine whether users can access the underlying records in a saved search by checking the “Disallow Drill Down” checkbox.

NetSuite provides a good example in the system field help.

An unrestricted search with summary-level results listing sales reps’ revenue totals could disallow drill down, to prevent viewers from seeing transaction-level data that includes sensitive commission amounts.

Screenshot showing the “Results” tab in a Saved Transaction Search

There are many different ways to manage end user access to the system, so keep these top of mind when configuring user roles and permissions. It is critical that you customize your NetSuite user roles and related permissions so that user access is limited to what a user needs functionally, from both a security perspective and an end user experience perspective. If users consistently reach out because of role permission violations, it might be time to perform a more holistic review to make sure users have the access they need to be successful.

NetSuite continues to innovate across all key areas of the platform. Let’s explore some of the latest enhancements to these features in 2024.


New NetSuite Features

With the 2024.2 release, NetSuite added a new standard role to the system. The “CRM Role” allows users to manage sales, CPQ, marketing, support and other CRM-related activities in NetSuite. This role can also be used to work with Campaigns, Opportunities, Quotes, Sales Orders, Cases, other customer-related records, and CPQ functionality.

In addition, NetSuite added another standard role to the system. The “View and Approve Role” grants limited access to NetSuite. Assigned users can perform basic tasks, such as viewing or approving reports, but are prevented from completing more advanced tasks. A good use case would be for a manager who needs to review their team’s performance and approve purchase requisitions, but does not need to do anything else within NetSuite.

As with all standard roles, these can (and should) be customized to increase/reduce the level of access to one or more of the default permissions and related permission levels.

Link to the 2024.2 NetSuite Release Notes in SuiteAnswers

Note: NetSuite account access is required to access these Release Notes

Challenges with Managing Customization Manually

Migrating user roles and permissions manually is a labor-intensive and time-consuming task, riddled with the risk of human error throughout. Validating that you have accounted for every role permission and that each permission level is set appropriately is painful even for a single role. So imagine having to do that when creating many user roles at once.

Many NetSuite customers, especially those preparing for IPO, will perform a segregation of duties (SOD) review of their existing user roles to identify conflicts within roles and across roles. This process in itself takes a long time to complete, but ultimately adds value to overall security of the system.

Now imagine you have to migrate all of the new user roles, as well as modifications to existing roles, from your Sandbox account to your Production account. This process adds no value in itself and, given the expected volume of changes, the risk of human error is very HIGH.

Another use case that makes managing customizations for user roles and permissions especially challenging is that of managing multiple customizations simultaneously. This is an everyday occurrence for most NetSuite Administrators. User roles are connected closely with custom record customizations and custom form customizations. If you attempt to migrate user roles without related customization available in the target environment (generally Production) then you are going to run into dependency issues.

Identifying dependencies for a NetSuite deployment is challenging for any NetSuite Administrator and often becomes a point of frustration in the deployment process. This can slow down the ability to deliver custom solutions to the business, so the value cannot be realized as quickly as end users would hope for. Having the ability to quickly identify deployment dependencies would help to overcome this common challenge.
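The dependency problem described in the last two paragraphs can be checked mechanically before a deployment is attempted. The following is an added example and not Salto's or NetSuite's code: it takes a constructed export of role definitions from a source account, compares the custom records and custom forms each role references against what the target account already contains, and produces an ordered plan (objects to deploy first, roles that are ready, roles that are blocked). The script IDs follow NetSuite's customrecord_/custform_ naming convention but are invented for this example, as is the export layout.

```javascript
// Added example (not Salto's or NetSuite's code): a pre-deployment check that
// finds the custom record types and custom forms a role depends on and
// reports which are missing from the target environment. All script IDs,
// role names and the export layout are constructed for illustration.

// Constructed role definitions as they might be exported from the source
// (Sandbox) account. Custom records are referenced by script ID.
const SANDBOX_ROLES = [
  {
    name: "Field Technician",
    permissions: [
      { record: "customrecord_work_order", level: "Edit" },
      { record: "customrecord_site_visit", level: "Create" },
      { record: "Customers", level: "View" },
    ],
    forms: ["custform_work_order_mobile"],
  },
  {
    name: "Warehouse Lead",
    permissions: [
      { record: "customrecord_bin_audit", level: "Full" },
      { record: "Items", level: "View" },
    ],
    forms: [],
  },
];

// What the target (Production) account currently contains (constructed).
const PRODUCTION = {
  customRecords: new Set(["customrecord_work_order"]),
  customForms: new Set([]),
};

// Native records are always present; anything using the custom record
// prefix has to exist in the target before a role that references it.
const isCustomRecord = (id) => id.startsWith("customrecord");

// Dependencies of one role that the target does not yet have.
function missingDependencies(role, target) {
  const missing = [];
  for (const p of role.permissions) {
    if (isCustomRecord(p.record) && !target.customRecords.has(p.record)) {
      missing.push({ role: role.name, type: "custom record", id: p.record });
    }
  }
  for (const f of role.forms) {
    if (!target.customForms.has(f)) {
      missing.push({ role: role.name, type: "custom form", id: f });
    }
  }
  return missing;
}

// Order the deployment: prerequisites first (deduplicated across roles),
// then the roles whose dependencies are already satisfied.
function deploymentPlan(roles, target) {
  const prerequisites = new Map();
  const readyRoles = [];
  for (const role of roles) {
    const missing = missingDependencies(role, target);
    if (missing.length === 0) readyRoles.push(role.name);
    for (const m of missing) prerequisites.set(m.id, m.type);
  }
  return {
    deployFirst: [...prerequisites.entries()].map(([id, type]) => ({ id, type })),
    readyRoles,
    blockedRoles: roles.map((r) => r.name).filter((n) => !readyRoles.includes(n)),
  };
}

console.log(JSON.stringify(deploymentPlan(SANDBOX_ROLES, PRODUCTION), null, 2));
```

With the constructed data, both roles come out blocked and three objects are listed for deployment first; re-running the plan after those objects exist in the target marks both roles ready, which is the check to make before touching Production.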

Check out the cost of getting deployments wrong (with a calculator) here.

Now, let’s explore solutions to these challenges.

Solutions for Managing NetSuite Customizations

As we have already discussed, it can be incredibly painful for any NetSuite Administrator to manage NetSuite user roles and permissions between different environments, especially if attempting to do it manually. The risk of any one role permission or permission level not being set correctly is HIGH when considering the sheer volume of permission permutations and combinations.

NetSuite provides some solutions that exist natively such as Copy to Account, SuiteBundler and SuiteCloud Development Framework (SDF).

If you are working across multiple NetSuite environments with active development and customization then there are alternative solutions to consider. Salto is a great alternative - check out the Salto SuiteApp. The Salto platform allows NetSuite Administrators to perform direct environment comparisons to easily identify any potential deployment conflicts.

For user roles and permissions in particular you can run into deployment conflicts where custom records have been created in one environment, but not another. This can result in deployment conflicts and stop you in your tracks.

Salto gives NetSuite Administrators the ability to quickly execute system rollbacks when customizations that have been deployed do not have the desired impact in the Production environment. The need to perform a rollback should be uncommon; however, when one is needed it usually needs to be expedited, and doing this manually under time pressure can lead to further unintended issues.

Imagine deploying a NetSuite user role to Production only to find out that the role has the ability to delete customer invoices. Before anyone is able to assign that role to a user you would want to roll back that deployment as quickly as possible, with the appropriate change management documentation in place.

Now that you have successfully deployed your NetSuite user roles to Production, let’s consider some best practices in this area.

Best Practices When Working With NetSuite User Roles

  1. Customize User Roles for Precision: Create and manage custom user roles that align with specific job functions. This ensures granular control over user access and minimizes potential security risks.
  2. Prioritize Role-Based Access Control (RBAC): Strictly adhere to the principle of least privilege. Assign users only the permissions necessary to perform their specific tasks.
  3. Prevent Role Conflicts: Conduct a thorough analysis of your organization’s roles and responsibilities to identify potential conflicts of interest. Document and enforce rules to prevent unauthorized access and actions.
  4. Leverage Custom Form Restrictions: Optimize the NetSuite interface for each user role by tailoring forms and fields to their specific needs. This enhances efficiency and reduces the risk of errors.
  5. Validate User Role Center Types: Before creating a new user role, ensure that you select the correct center type to avoid unnecessary rework.
  6. Future-Proof Your NetSuite Configuration: Design your customizations to be role-type agnostic rather than role-specific. This makes your configuration more flexible and adaptable to future changes in your organization's structure.
  7. Utilize Role Comparison Tools: Employ the “Show Role Differences” screen to export and compare user roles and permissions. This aids in identifying discrepancies and inconsistencies.
  8. Streamline Sandbox Testing: Create non-SSO user roles for each SSO user role to facilitate seamless testing in your sandbox environment. This simplifies the testing process and minimizes disruptions to your production environment.
  9. Avoid Assigning Built-in Roles: With the exception of the “Administrator” and “NetSuite Support Center” roles, refrain from assigning standard NetSuite roles to users. This practice can lead to unintended consequences and security vulnerabilities.
  10. Grant Appropriate Currency Permissions: Verify that user roles requiring the ability to modify transaction exchange rates have the necessary “Edit” permission on the “Currency” role.

Salto Tip: This is very specific but a common user role permission that trips NetSuite Administrators up.
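Best practices 3 (prevent role conflicts) and 7 (compare exported roles), together with the segregation of duties review and the "role that can delete customer invoices" scenario discussed earlier, all come down to running rules over an export of role permissions. The following is an added example, not Salto's or NetSuite's code: it parses a constructed CSV in the flattened shape a role/permission export can take, flags segregation of duties conflicts inside a single role, flags delete (Full) access on sensitive records, and then repeats the check over the union of the roles assigned to one user, since two individually clean roles can conflict in combination. The CSV layout, the permission names, the conflict pairs and the sensitive-record list are all illustrative placeholders to be replaced with your own SOD matrix.

```javascript
// Added example (not Salto's or NetSuite's code): a segregation-of-duties and
// delete-access review over a role/permission export. The CSV layout, the
// permission names, the conflict pairs and the sensitive list are constructed.

// Constructed export: one row per role and permission.
const ROLE_EXPORT = `role,permission,level
AP Clerk,Vendors,Create
AP Clerk,Bills,Create
AP Clerk,Pay Bills,Edit
AR Specialist,Invoice,Full
AR Specialist,Customers,Edit
Controller,Make Journal Entry,Full
Controller,Approve Journals,Edit
Sales Rep,Opportunities,Edit
Sales Rep,Invoice,View`;

// SOD conflict pairs (constructed): holding both sides lets one person both
// initiate and settle a transaction.
const SOD_CONFLICTS = [
  ["Vendors", "Pay Bills"],
  ["Bills", "Pay Bills"],
  ["Make Journal Entry", "Approve Journals"],
];

// Records where delete (Full) access should be rare and justified (constructed).
const DELETE_SENSITIVE = new Set(["Invoice", "Bills", "Make Journal Entry"]);

const LEVEL_RANK = { View: 1, Create: 2, Edit: 3, Full: 4 };

// Minimal CSV parser for the export above (no quoted fields) returning
// { role: { permission: level } }.
function parseRoleExport(csv) {
  const roles = {};
  const [header, ...rows] = csv.trim().split("\n");
  const cols = header.split(",");
  for (const row of rows) {
    const rec = Object.fromEntries(row.split(",").map((v, i) => [cols[i], v.trim()]));
    if (!roles[rec.role]) roles[rec.role] = {};
    roles[rec.role][rec.permission] = rec.level;
  }
  return roles;
}

// A permission only counts toward an SOD conflict when it can change data.
const canModify = (level) => ["Create", "Edit", "Full"].includes(level);

// Findings per role: SOD pairs held together, and Full access on sensitive records.
function sodFindings(roles) {
  const findings = [];
  for (const [role, perms] of Object.entries(roles)) {
    for (const [a, b] of SOD_CONFLICTS) {
      if (canModify(perms[a]) && canModify(perms[b])) {
        findings.push({ role, rule: "sod", detail: `${a} (${perms[a]}) + ${b} (${perms[b]})` });
      }
    }
    for (const [perm, level] of Object.entries(perms)) {
      if (level === "Full" && DELETE_SENSITIVE.has(perm)) {
        findings.push({ role, rule: "delete", detail: `${perm} is Full (can delete)` });
      }
    }
  }
  return findings;
}

// Cross-role view: merge a user's roles (highest level wins per permission)
// and run the same rules, because clean roles can conflict in combination.
function userFindings(roles, assignedRoles) {
  const merged = {};
  for (const r of assignedRoles) {
    for (const [perm, level] of Object.entries(roles[r] || {})) {
      if (!merged[perm] || LEVEL_RANK[level] > LEVEL_RANK[merged[perm]]) merged[perm] = level;
    }
  }
  return sodFindings({ [assignedRoles.join(" + ")]: merged });
}

const roles = parseRoleExport(ROLE_EXPORT);
console.log(sodFindings(roles));
console.log(userFindings(roles, ["AP Clerk", "Sales Rep"]));
```

The per-role pass is what a pre-IPO SOD review produces; the per-user pass is the one that is easy to forget, and it is also where global permissions (see the earlier section) would need to be merged in before the result can be trusted.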

Useful references

  • From here you can access the “NetSuitePermissionsUsage.xls” file

For more Best Practices to manage your NetSuite customizations, check out Salto’s blog posts that explore some of the things that NetSuite Developers and NetSuite Administrators should be leveraging within the NetSuite ecosystem.

Final thoughts

NetSuite user roles and permissions are a cornerstone of security and efficiency. A well-balanced approach is crucial to empower your end users without compromising data integrity. Overly permissive roles can expose sensitive information, while overly restrictive roles hinder their productivity.

Taking a more strategic approach involves creating distinct role types, each with a specific set of permissions. By categorizing roles into broad types, you can efficiently manage access levels across various business teams, such as by region or subsidiary.

For businesses small and large, implementing robust controls is paramount. Segregation of duties ensures that no single individual has excessive authority, and the principle of least privilege dictates that users should only have the minimum permissions required to perform their tasks. By adhering to these principles, you can safeguard your NetSuite environment while optimizing the user experience.

Lastly, if you’re a NetSuite Administrator, make sure to take advantage of the tools available to you to manage your user roles and permissions customizations seamlessly.

WRITTEN BY OUR EXPERT

Sonny Spencer, BFP, ACA

Director of Finance Operations

Sonny is a seasoned NetSuite veteran, with more than 7 years experience implementing NetSuite and architecting NetSuite solutions for a wide variety of public and private companies, on a global scale. He leverages his background both as a Chartered Accountant and Certified NetSuite Administrator to design and build NetSuite solutions that solve real world problems. Sonny is an active member of the NetSuite community, participating in local NetSuite meetups, NetSuite forums and groups focused on financial system optimization.
