NetSuite security, without proper experience, can be difficult to implement and maintain. The goal of this post is to outline some common mistakes made when configuring security in NetSuite and provide best practices for avoiding those mistakes to help your organization mitigate risk.
- Over-extending the Administrator Role
The most common mistake in NetSuite security configuration is over-extending the Administrator role. The Administrator role has the virtual keys to the NetSuite kingdom, including full visibility into all areas of the NetSuite account and complete access to the Setup Manager, where system features and billing information are available. Given the power of this role, it is crucial that all actions taken in NetSuite under the context of the
Administrator roles are subject to heavy scrutiny, and that consideration is given to the following areas:
- Access reviews: it is important to understand that users with the Administrator role and the Administrator role itself do not show up in access reports in NetSuite. This lack of visibility is an important consideration with regards to auditing. Best practice here is to limit the Administrator role to a small number of users and create new roles with elevated permissions (if needed) that will show up in access reports.
- Consultants / integrated software: determining the exact permissions required for a specific user can be difficult and this problem is compounded when dealing with external consultants or access for a specific integration need. Oftentimes, the Administrator role is assigned as a simple solution that does not require an answer to the question: “What permissions does this user need?” Granting the highest level of access to your NetSuite account just because it’s easy is not the best practice.
The recommended approach involves a few steps, but can save you from headaches down the road:
1) Conduct up-front analysis to determine what permissions a given user will need. If a consultant, determine their scope of involvement: which business processes and NetSuite environments (production vs. sandbox). For integration users, map integration workflows to permissions and build users / roles accordingly.
2) Verify and test access in a development environment such as a NetSuite sandbox. This will allow you to verify that users / roles have the needed permissions without affecting production data.
3) Assign the validated users / roles as needed to grant access.
4) Finally, be sure to revoke access when no longer needed. This is especially important for consultants who often only need access for a limited time.
- Misunderstanding Global Permissions
NetSuite global permissions provide a method of assigning permissions to users that apply across all their assigned roles. A common misconception regarding global permissions is what happens when a user’s assigned roles have permissions that conflict with their assigned global permissions. In this case, the global permission will take precedence, even if the global permission is at a lower access level. For example, John Doe has the following security setup:
- A role with the ‘Accounts’ permission at ‘Full’ access level
- A global permission for the ‘Accounts’ permission at ‘View’ access level
In this example, John Doe would only have ‘View’ access level to the ‘Accounts’ permission since the global permission will always take precedence when there are conflicting permissions. The exception to this rule is when dealing with the Administrator role, which has full access regardless of global permissions.
- Ignoring Configuration Settings
NetSuite configuration settings and enabled features can greatly impact your security policies. Remember to take a look at the following settings:
Password policies: NetSuite has a few different options when determining how user passwords are managed. You can choose a strength policy to set the required complexity for passwords, a minimum required length, and password expiration. It is highly recommended to stick with the ‘Strong’ password complexity requirement (set out of the box) and to set a password expiration.
Saved search and report access: there are several methods of granting access to saved searches and reports that make it very easy to mistakenly provide a user with access to data that should be restricted.
This includes a few methods that circumvent the user’s assigned permissions:
1) Saved search ‘Run Unrestricted’ setting: when set allows users to see search results that they are restricted from viewing, based on their current permission set.
2) Report ‘Access’ tab: allows specified users to view custom reports regardless of their current permission set.
Avoiding these common mistakes will give you a more secure and efficient NetSuite environment.