By: Nicole Hofmann
NetSuite and your organization work in tandem to drive success, and they both share a common make-or-break factor that can either ensure smooth sailing or result in widespread data loss and expenses: security.
Two security areas that organizations can easily overlook are roles and permissions. Developing a process around creating, standardizing, maintaining, and reviewing roles and permissions can mitigate your security risks and keep your NetSuite environment safe. Below are a few security tips we commonly recommend to clients.
In addition to the initial security measures that we recommend for the entire organization (such as setting password requirements to "Strong" and turning on 2-factor authentication to prevent credential hijacking), most of NetSuite's security features are centered around the setup and maintenance of roles and their permissions. Creating roles is not a one-time task to be set up and never revisited. Instead, roles are a dynamic part of the user access cycle, consisting of two main sections: role creation and role maintenance.
NetSuite Role Creation
While NetSuite comes with many pre-built roles, we don't recommend you assign these roles to users. Rather, you should copy and edit a role, so you can customize it for your organization’s specific variation of that role. For example, if you have several A/R staff and you’d like to set up an “Acme A/R Staff” role for them, copy either the standard “A/R Clerk” or “Accountant” role and edit its permissions to align with your business needs.
When setting up initial roles in NetSuite, it's easy to be diligent. However, after a NetSuite implementation is complete and users with new roles need to be added, role creation tends to fall through the cracks and shortcuts are taken. Sometimes organizations want to avoid permissions errors, so they assign a "close enough" role to a new user and provide them with more access than needed. We don't recommend this practice because it can lead to mistakes, which can cause data errors and create more work for others. To avoid giving users unnecessary access, it's crucial to establish a process for setting up roles and assigning them to new users. In addition, creating a matrix of employee role assignments and permissions will be beneficial when hiring new employees and setting them up in NetSuite.
NetSuite Role Maintenance
As you continue to use your NetSuite environment, roles and employees will change. To stay on top of your security, you should make reactive changes and conduct proactive reviews. You should make reactive changes to roles in response to real-world events, like termination. If an employee is terminated, make sure to follow all of the suggested steps for termination:
- Enter the termination date on their employee record
- Remove any granted roles and global permissions, and uncheck the “Give Access” checkbox
- Inactivate the employee record to prevent them from showing on lists
- If this employee was the only one using a role, inactivate the now-unused role
Taking PTO could also trigger reactive changes to roles. If an employee is taking an extended leave or vacation, you may want to assign a backup employee to take over their duties temporarily. While this is good practice, it's important to ensure the backup employee isn't given year-round access when they are only providing a few weeks of support. Make sure there is a process in place to give someone a backup role and then remove this role once it's no longer needed.
It’s just as important to do proactive reviews of roles as it is to make reactive changes. We often see successful NetSuite customers doing role reviews between once a quarter and once a year. This timeline may change based on your number of roles and employees. Here are some checks that you can do right now to improve your roles in NetSuite:
- Use the search function under Setup > Users/Roles > View Login Audit Trail to run a search for any user who hasn’t logged in within the past year. Access for these “orphaned” users should likely be removed
- Inactivate any role that doesn’t have an employee assigned. This can be checked with an employee saved search that groups by “Role” and includes a count of “Internal ID” in the results
- If any employee is still assigned the deprecated “Full Access” role, replace this with a different role. You can use the “Core Administration Permissions” checkbox on any role to simulate Full Access functionality
- Make sure you have no more than a few people assigned the “Administrator” role, as this role (either maliciously or accidentally) can make irreversible changes to your system. Also make sure that anyone assigned the “Administrator” role has a different role for day-to-day processes
- Ideally, assign non-Administrator employees a single role. If this is not practical, ask yourself if there is a good reason or if a secondary role should be removed.
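The checklist above can be run as a script over an employee saved search export. The following is an added example, not code from the original article or from NetSuite; the employee rows, role list and review date are constructed sample data, and the one-year idle window and the three-Administrator limit are assumptions you would replace with your own policy.

```python
from datetime import date, timedelta

# Constructed sample data standing in for an employee saved search export
# (not real NetSuite data). One row per employee: assigned roles, the most
# recent login from the Login Audit Trail (None = never logged in), and
# whether the employee record is active.
EMPLOYEES = [
    {"name": "Alice", "roles": ["Acme A/R Staff"], "last_login": date(2024, 3, 2), "active": True},
    {"name": "Bob", "roles": ["Administrator", "Acme Controller"], "last_login": date(2024, 3, 1), "active": True},
    {"name": "Carol", "roles": ["Full Access"], "last_login": date(2022, 11, 20), "active": True},
    {"name": "Dan", "roles": ["Administrator"], "last_login": date(2024, 2, 28), "active": True},
    {"name": "Eve", "roles": ["Acme A/P Staff", "Acme A/R Staff", "Acme Controller"], "last_login": None, "active": True},
    {"name": "Frank", "roles": [], "last_login": date(2021, 1, 5), "active": False},
]

# Constructed list of the roles defined in the account.
ROLES = ["Acme A/P Staff", "Acme A/R Staff", "Acme Controller", "Acme Warehouse", "Administrator", "Full Access"]

REVIEW_DATE = date(2024, 3, 15)  # constructed "today" so the results are reproducible


def active_with_access(employees):
    """Active employee records that still hold at least one role."""
    return [e for e in employees if e["active"] and e["roles"]]


def orphaned_users(employees, today=REVIEW_DATE, max_idle_days=365):
    """Users with access who have not logged in within max_idle_days.
    A user who has never logged in is reported as well."""
    cutoff = today - timedelta(days=max_idle_days)
    return sorted(
        e["name"] for e in active_with_access(employees)
        if e["last_login"] is None or e["last_login"] < cutoff
    )


def unused_roles(roles, employees):
    """Roles no active employee is assigned to; candidates for inactivation."""
    in_use = {r for e in active_with_access(employees) for r in e["roles"]}
    return sorted(r for r in roles if r not in in_use)


def full_access_users(employees):
    """Users still on the deprecated Full Access role."""
    return sorted(e["name"] for e in active_with_access(employees) if "Full Access" in e["roles"])


def administrator_findings(employees, max_admins=3):
    """Who holds Administrator, which of them lack a day-to-day role, and
    whether the count exceeds the limit the organization has set (assumed 3)."""
    admins = [e for e in active_with_access(employees) if "Administrator" in e["roles"]]
    names = sorted(e["name"] for e in admins)
    admin_only = sorted(e["name"] for e in admins if len(e["roles"]) == 1)
    return names, admin_only, len(admins) > max_admins


def multi_role_users(employees):
    """Non-Administrator users holding more than one role; each extra role needs a justification."""
    return {
        e["name"]: sorted(e["roles"])
        for e in active_with_access(employees)
        if "Administrator" not in e["roles"] and len(e["roles"]) > 1
    }


def role_review(employees=EMPLOYEES, roles=ROLES, today=REVIEW_DATE):
    """Run every check and return the findings as one dict."""
    admins, admin_only, too_many = administrator_findings(employees)
    return {
        "orphaned_users": orphaned_users(employees, today),
        "unused_roles": unused_roles(roles, employees),
        "full_access_users": full_access_users(employees),
        "administrators": admins,
        "administrators_without_daily_role": admin_only,
        "too_many_administrators": too_many,
        "multi_role_users": multi_role_users(employees),
    }


if __name__ == "__main__":
    for check, result in role_review().items():
        print(f"{check}: {result}")
```

Each finding maps to one bullet above: Carol and Eve are orphaned (one idle for over a year, one who never logged in), "Acme Warehouse" has nobody assigned, Carol is still on Full Access, Dan holds Administrator with no day-to-day role, and Eve's three roles need a documented reason.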
On an ongoing basis, here are some other things around roles that you can monitor:
- Create a type “Login Audit Trail” saved search, add it to your reminders, and monitor any off-hours logins to make sure all of those are expected
- Regularly run an employee search to check for any unused roles and that employees are still assigned correct (and not too many) roles
- Create a type “Role” saved search and use the “Permission Change” fields to monitor changes in permissions made to roles
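The off-hours login check from the first bullet can also be scripted against a Login Audit Trail export. This is an added example, not code from the original article or from NetSuite; the login rows are constructed, the office time zone is a fixed UTC-5 offset chosen for reproducibility (a real review would use the office's zoneinfo zone so daylight saving is handled), and the 07:00 to 19:00 weekday window and the "approved" on-call list are assumptions.

```python
from datetime import datetime, time, timedelta, timezone

# Constructed office time zone (UTC-5). A real review would use
# zoneinfo.ZoneInfo("America/Chicago") or the office's actual zone so DST is handled.
OFFICE_TZ = timezone(timedelta(hours=-5))
BUSINESS_START = time(7, 0)
BUSINESS_END = time(19, 0)
WORKDAYS = range(0, 5)  # Monday=0 .. Friday=4

# Constructed rows in the shape of a Login Audit Trail export (not real data):
# (user, login timestamp in UTC, status).
LOGIN_ROWS = [
    ("alice@acme.example", "2024-03-11T14:05:00+00:00", "Success"),  # Mon 09:05 local
    ("bob@acme.example",   "2024-03-12T03:40:00+00:00", "Success"),  # Mon 22:40 local
    ("carol@acme.example", "2024-03-16T16:00:00+00:00", "Success"),  # Sat 11:00 local
    ("dan@acme.example",   "2024-03-13T23:30:00+00:00", "Success"),  # Wed 18:30 local
    ("eve@acme.example",   "2024-03-12T02:15:00+00:00", "Failure"),  # Mon 21:15 local, failed attempt
]


def off_hours_reason(when, tz=OFFICE_TZ, start=BUSINESS_START, end=BUSINESS_END, workdays=WORKDAYS):
    """Return why a login is off-hours ('weekend' or 'outside business hours'), or None."""
    local = when.astimezone(tz)
    if local.weekday() not in workdays:
        return "weekend"
    if not (start <= local.time() < end):
        return "outside business hours"
    return None


def off_hours_logins(rows=LOGIN_ROWS, approved=frozenset(), tz=OFFICE_TZ):
    """Flag logins outside business hours. `approved` lists users whose
    off-hours access is expected (for example on-call staff); they are skipped.
    Failed attempts are reported too, since an off-hours failure is worth a look."""
    findings = []
    for user, ts, status in rows:
        when = datetime.fromisoformat(ts)  # parses the +00:00 offset into an aware datetime
        reason = off_hours_reason(when, tz)
        if reason and user not in approved:
            local = when.astimezone(tz).strftime("%Y-%m-%d %H:%M")
            findings.append({"user": user, "local_time": local, "status": status, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in off_hours_logins():
        print(f"{f['user']:<20} {f['local_time']}  {f['status']:<8} {f['reason']}")
```

The conversion to office-local time matters: Bob's login is stored as 03:40 UTC on Tuesday but happened at 22:40 Monday local, and Carol's midday login is only suspicious because it is a Saturday. Putting known on-call users in `approved` keeps the reminder list short enough that someone actually reads it.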
Most of your other ongoing role maintenance should be around permissions, primarily which privileges each role grants a user. The exact permissions needed in a given role will vary greatly from organization to organization, but there are still some general tips that you can apply to your NetSuite environment:
- Don’t overprovision by giving more access than what is needed. If someone only needs to look at invoices, set the permission level to “View” and not “Edit”. If you can’t figure out the correct permission to add, do some experimenting rather than giving a higher-access role.
- Follow the "more responsibility, less access" rule. Transaction access should decrease as responsibility increases. Managers shouldn’t be entering transactions.
- Use copy/paste when trying to find permissions a user is missing. Have a user who can open the page copy its URL, paste that URL into the browser of the user who can’t access it, and NetSuite’s error message will name the exact permission that needs to be added.
- Use Setup > Users/Roles > Show Role Differences to directly compare two roles
When maintaining your NetSuite role permissions, you should consider the separation of powers and processes. No matter the size of your organization, it’s not prudent security practice for a single person to be in charge of both a step and its approval. For example, users who can create journal entries should not be able to approve journal entries. We also recommend clients:
- Separate master records from transactions. Anyone who can create vendors should not be able to both enter and pay bills
- Separate multi-part transactions. Anyone who can create customer invoices should not be able to pay invoices
- Separate bank reconciliation from bank-related transactions. This might be one of the only external checks against your financial statements.
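The separation-of-duties rules above, and the role comparison from Setup > Users/Roles > Show Role Differences, can both be expressed over a table of permission levels. The following is an added example, not code from the original article or from NetSuite. The role definitions are constructed, the permission names are illustrative placeholders that must be mapped to the actual permission names in your account, and the minimum levels in each rule are assumptions. It goes one step beyond the text by merging all roles a user holds, since two individually clean roles can conflict when combined on one person.

```python
# Permission levels in increasing order of access, as NetSuite orders them.
LEVELS = ["None", "View", "Create", "Edit", "Full"]

# Constructed role definitions: permission name -> level. The permission
# names are illustrative and must be mapped to the real names in your account.
ROLES = {
    "Acme A/P Staff": {"Vendors": "View", "Bills": "Create", "Pay Bills": "Full"},
    "Acme Vendor Setup": {"Vendors": "Full"},
    "Acme A/R Staff": {"Customers": "View", "Invoice": "Create"},
    "Acme A/R Lead": {"Customers": "Edit", "Invoice": "Full", "Customer Payment": "Full"},
    "Acme Controller": {"Make Journal Entry": "Full", "Journal Approval": "Full", "Reconcile Bank Statement": "Full"},
    "Acme Bookkeeper": {"Write Checks": "Full", "Make Deposits": "Full", "Reconcile Bank Statement": "Full"},
}

# Each rule: a description and the permissions (with an assumed minimum level)
# that, held together, violate separation of duties.
CONFLICT_RULES = [
    ("creates and approves journal entries",
     [("Make Journal Entry", "Create"), ("Journal Approval", "Edit")]),
    ("creates vendors and both enters and pays bills",
     [("Vendors", "Create"), ("Bills", "Create"), ("Pay Bills", "Create")]),
    ("creates invoices and applies customer payments",
     [("Invoice", "Create"), ("Customer Payment", "Create")]),
    ("reconciles bank accounts and writes checks",
     [("Reconcile Bank Statement", "Edit"), ("Write Checks", "Create")]),
    ("reconciles bank accounts and makes deposits",
     [("Reconcile Bank Statement", "Edit"), ("Make Deposits", "Create")]),
]


def at_least(granted, required):
    """True when the granted level is at or above the required level."""
    return LEVELS.index(granted) >= LEVELS.index(required)


def sod_violations(perms, rules=CONFLICT_RULES):
    """Conflict descriptions for one permission set (a role, or a user's merged roles)."""
    return [desc for desc, needed in rules
            if all(at_least(perms.get(p, "None"), lvl) for p, lvl in needed)]


def merge_roles(role_names, roles=ROLES):
    """Effective permissions of a user: the highest level granted by any held role."""
    merged = {}
    for name in role_names:
        for perm, level in roles[name].items():
            if at_least(level, merged.get(perm, "None")):
                merged[perm] = level
    return merged


def user_sod_violations(role_names, roles=ROLES, rules=CONFLICT_RULES):
    """Conflicts that only appear once a user's roles are combined."""
    return sod_violations(merge_roles(role_names, roles), rules)


def role_differences(a, b):
    """Permissions where two roles differ, in the spirit of Show Role Differences."""
    return {p: (a.get(p, "None"), b.get(p, "None"))
            for p in sorted(set(a) | set(b)) if a.get(p, "None") != b.get(p, "None")}


if __name__ == "__main__":
    for name, perms in ROLES.items():
        print(f"{name}: {sod_violations(perms) or 'no conflicts'}")
    print("A/P Staff + Vendor Setup:", user_sod_violations(["Acme A/P Staff", "Acme Vendor Setup"]))
    print(role_differences(ROLES["Acme A/P Staff"], ROLES["Acme Vendor Setup"]))
```

"Acme A/P Staff" and "Acme Vendor Setup" each pass on their own, but a user holding both can create a vendor, enter its bill and pay it, which is exactly the combination the first bullet above rules out. That is why the check runs on merged permissions rather than on roles alone.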
Some of our smaller clients have gotten creative with the separation of duties. One client has their A/R department create vendors and invoice customers, while their A/P department creates customers and processes vendor invoices.
It may be intimidating to start making changes around roles and permissions, but keep in mind that you can phase in security changes. They don’t need to all be done at once, and each change for the better is still one step further in the right direction. Test security changes in a Sandbox environment first if this is available, make smaller groups of changes at a time to isolate issues and feedback, and take a risk-based approach by identifying your organization’s higher security risk and addressing those first.
Keeping roles and permissions under control is an ongoing process, but certainly an important one for maintaining security in your NetSuite environment. And it’s not something you need to tackle alone. Kraft Enterprise Systems (KES) can help with a high-level review as part of our Customer Care Plans, which include a Health Check, or do a deeper dive with our Role Audit to drill down to individual permissions.
Contact us if you'd like to discuss ways we can help you with your NetSuite security.
Why KES Systems Solutions?
As a full-service NetSuite Solution Provider, we're here to help you implement and optimize NetSuite to take full advantage of its capabilities.