NetSuite security, without proper experience, can be difficult to implement and maintain. The goal of this post is to outline some common mistakes made when configuring security in NetSuite and provide best practices for avoiding those mistakes to help your organization mitigate risk.
The most common mistake in NetSuite security configuration is over-extending the Administrator role. The Administrator role has the virtual keys to the NetSuite kingdom, including full visibility into all areas of the NetSuite account and complete access to the Setup Manager, where system features and billing information are available. Given the power of this role, it is crucial that all actions taken in NetSuite under the context of the
Administrator roles are subject to heavy scrutiny, and that consideration is given to the following areas:
The recommended approach involves a few steps, but can save you from headaches down the road:
1) Conduct up-front analysis to determine what permissions a given user will need. If a consultant, determine their scope of involvement: which business processes and NetSuite environments (production vs. sandbox). For integration users, map integration workflows to permissions and build users / roles accordingly.
2) Verify and test access in a development environment such as a NetSuite sandbox. This will allow you to verify that users / roles have the needed permissions without affecting production data.
3) Assign the validated users / roles as needed to grant access.
4) Finally, be sure to revoke access when no longer needed. This is especially important for consultants who often only need access for a limited time.
NetSuite global permissions provide a method of assigning permissions to users that apply across all their assigned roles. A common misconception regarding global permissions is what happens when a user’s assigned roles have permissions that conflict with their assigned global permissions. In this case, the global permission will take precedence, even if the global permission is at a lower access level. For example, John Doe has the following security setup:
In this example, John Doe would only have ‘View’ access level to the ‘Accounts’ permission since the global permission will always take precedence when there are conflicting permissions. The exception to this rule is when dealing with the Administrator role, which has full access regardless of global permissions.
NetSuite configuration settings and enabled features can greatly impact your security policies. Remember to take a look at the following settings:
Password policies: NetSuite has a few different options when determining how user passwords are managed. You can choose a strength policy to set the required complexity for passwords, a minimum required length, and password expiration. It is highly recommended to stick with the ‘Strong’ password complexity requirement (set out of the box) and to set a password expiration.
Saved search and report access: there are several methods of granting access to saved searches and reports that make it very easy to mistakenly provide a user with access to data that should be restricted.
This includes a few methods that circumvent the user’s assigned permissions:
1) Saved search ‘Run Unrestricted’ setting: when set allows users to see search results that they are restricted from viewing, based on their current permission set.
2) Report ‘Access’ tab: allows specified users to view custom reports regardless of their current permission set.
Avoiding these common mistakes will give you a more secure and efficient NetSuite environment.