
Easy Security Fixes for NetSuite: Unnecessary Access

By Mark Polino

08/15/2024


As users make security changes, there are often requests to retain excess access. The key is to consider the job being done and ask lots of questions.

In this post, we're pressing the question, "How much access is too much?"

Security Fixes for NetSuite: Is Excess Access A Good Thing?


For example, the CFO role should be an executive role, not a job that involves entering journal entries. In most organizations, that same thinking should apply to the Controller position. A Controller may help shape a journal entry, assist with getting the accounts right, etc., but the Controller should be asking someone else to make an entry, not processing transactions.

Executive jobs are not transactional jobs. There are plenty of examples where executives process transactions as a means to defraud the organization.

This questioning trickles through to other roles as well, and it’s important to ask the same questions. What is this person’s job? Their responsibilities? Their role in the organization? What access is appropriate?

In many cases, a user’s request for access is about convenience. While a user might ask for view-only access for customers, don’t be afraid to just give access to a report with the same data. Why? Once someone already has read-only access to a window, it’s easy to make the case that they just need additional access to make a small change. It feels like a smaller request than going from a report to being able to change a customer. If there are alternative ways to accomplish the same result, use those. If not, companies need to consider the risk/benefit of allowing excessive access.

Requests like these may also be made to support or back up another individual, but granting access year-round to back up two weeks of vacation leaves open a pretty big hole for most of the year. It’s convenient for the user and administrator to grant this access, but it’s a poor security choice. Is the benefit of not changing security twice a year worth 50 weeks of risk? A well-designed program to assign and remove access quickly as needed helps reduce year-round risk.

This won’t solve all your company's security needs or plug every hole, but the items we’ve covered in this blog series can address significant, pervasive issues and provide a solid foundation for long-term security improvement.
