Continuing our review on audit & security updates as part of NetSuite’s biannual releases, below are the components of NetSuite’s latest release that may have an impact on your organization’s audit or security configuration. Enjoy!
GL Audit Numbering Enhancement
You can now choose whether to exclude zero amount posting transactions from general ledger audit numbering. This preference is available under Transactions > Management > GL Audit Numbering Sequences and is called ‘Exclude Zero Amount Transactions’.
This includes the following transactions:
- Voided transactions
- Cancelled bills
- Item fulfillments for zero-amount items
Opt-In to Release Preview
Going forward, Release Preview environments are not automatically provided to customers and are instead only provided if a customer requests the environment. As these environments can be critical with regards to testing customizations in NetSuite’s new releases, each customer should carefully consider whether to opt in to the Release Preview environment.
Mandatory 2FA Now Enforced for Integration Access to NetSuite
As of 2018.2, two-factor authentication (2FA) for highly privileged roles was required when logging into NetSuite via the user interface. With the new release, this 2FA requirement extends to integrations that use highly privileged roles. If your integration authenticates to NetSuite with user credentials, consider either switching to token-based authentication, which is not subject to the 2FA requirement, or authenticating with a role that is not designated as highly privileged.
*For further information on what constitutes a highly privileged role, please refer to the NetSuite Help Center.
Issue Token Endpoint Extended to Accommodate Mandatory 2FA Requirement
Due to the new two-factor authentication (2FA) requirements for integration access, the issue token endpoint is being extended to accept a 2FA verification code. If your integrations use the issue token endpoint to create user access tokens for token-based authentication and authenticate with a highly privileged role, you will need to use the new property ‘nlauth_otp’ on that endpoint to supply the required 2FA verification code.
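As an added example (not NetSuite's own client code), the block below assembles an issue token request that carries the verification code. Only the property name ‘nlauth_otp’ comes from the release notes; the endpoint path, the NLAuth Authorization header layout, the other nlauth_* field names and the request body shape are assumptions modelled on NetSuite's NLAuth scheme, and the base32 secret is the RFC 6238 test secret rather than a real enrolment.

```python
"""Issue Token request that carries a 2FA verification code via nlauth_otp.

Added example, not NetSuite's own client code. Only the `nlauth_otp`
property name comes from the release notes; the endpoint path, the NLAuth
Authorization header format and the remaining nlauth_* field names are
assumptions modelled on NetSuite's NLAuth scheme.
"""
import base64
import hashlib
import hmac
import struct
import time


def totp(secret_b32, at=None, step=30, digits=6):
    """RFC 6238 TOTP code (HMAC-SHA1) for a base32 shared secret of the kind
    an authenticator app is enrolled with."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = int(time.time() if at is None else at) // step
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation per RFC 4226
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def nlauth_header(account, email, password, role, otp=None):
    """NLAuth header value; nlauth_otp is appended only when a code is given."""
    fields = [
        ("nlauth_account", account),
        ("nlauth_email", email),
        ("nlauth_signature", password),
        ("nlauth_role", role),
    ]
    if otp is not None:
        fields.append(("nlauth_otp", otp))
    return "NLAuth " + ", ".join(f"{k}={v}" for k, v in fields)


def build_issue_token_request(account, email, password, role, consumer_key,
                              highly_privileged, otp_secret=None, at=None):
    """Assemble (but do not send) the issue-token request.

    A highly privileged role must carry nlauth_otp, so the request is refused
    locally when no 2FA secret is available instead of failing server-side.
    URL and body shape are assumptions (see module docstring).
    """
    otp = None
    if highly_privileged:
        if not otp_secret:
            raise ValueError("highly privileged role: 2FA secret needed for nlauth_otp")
        otp = totp(otp_secret, at=at)
    return {
        "method": "POST",
        "url": f"https://{account}.restlets.api.netsuite.com/rest/issuetoken",  # assumed path
        "headers": {
            "Authorization": nlauth_header(account, email, password, role, otp),
            "Content-Type": "application/json",
        },
        "body": {"consumerKey": consumer_key},  # assumed body shape
    }


if __name__ == "__main__":
    # Constructed sample values; the secret is the RFC 6238 test secret.
    req = build_issue_token_request(
        account="123456", email="integration@example.com", password="<password>",
        role="3", consumer_key="<consumer key>", highly_privileged=True,
        otp_secret="GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ", at=59)
    print(req["headers"]["Authorization"])
```

The OTP is computed at request time from the enrolled secret so the integration never stores a code; for a role that is not highly privileged the header is built without the field, matching the release note that only highly privileged roles are subject to the requirement.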
Sandbox Domain Deprecation
Sandbox accounts are being moved from the sandbox domain (system.sandbox.netsuite.com) to the NetSuite domain (system.netsuite.com). As of February 28, 2019, the sandbox domain will no longer be available and sandbox accounts still on this domain will be inaccessible. To avoid losing access to your sandbox environment, initiate a refresh of your sandbox account, which will automatically move it to the NetSuite domain.
Core Administration Permissions Feature
The Core Administration Permission is a new feature added with the goal of reducing the need to use the standard administrator role. You can use the Core Administration Permission to grant administrative permissions to a custom role while restricting access to areas of NetSuite.
To use the Core Administration Permissions Feature, you must enable it on the Enable Features page where it is available under the Company > Access subtab. Once enabled, you will see the new field added to the header when editing a role. Instead of adding the administrator role to additional users and over granting access, consider whether the Core Administration Permission would fit your needs.
Plan to Deprecate the Full Access Role
The Full Access role is being deprecated as of the 2019.1 release. You will not be able to assign this role to new users, and you should review users who are currently assigned the Full Access role to determine whether they need it or whether it can be removed. If users do require the access provided by the Full Access role, consider whether a new role with the Core Administration Permission can serve as a replacement.
Enhanced Options to Configure Subsidiary Restrictions for Roles
In previous NetSuite releases, there were two options for restricting user access to subsidiaries for a given role:
- Manually select the subsidiaries a role would provide access to on the edit role form.
- Do not restrict subsidiary access at the role level, which would default to the user’s default subsidiary specified on the employee form.
With 2019.1, there are additional options for specifying subsidiary access on the edit role form:
- All – grants the role access to all subsidiaries, including inactive subsidiaries
- Active – grants the role access to all active subsidiaries
- User Subsidiary – restricts the role’s access to the user’s default subsidiary, which is specified on the employee form
- Selected – allows manual selection of subsidiary access for the role
When 2019.1 is released, existing roles without subsidiary restriction will be set to ‘User Subsidiary’ while roles with subsidiary restriction will be set to ‘Selected’ with the appropriate subsidiaries selected. It is recommended to review subsidiary access and make adjustments as necessary based on the new options available in the 2019.1 release.
New Employee Access Permission
When the Advanced Employee Permissions feature is enabled, the Employee Access permission will now be available for assignment to roles. Users with this permission on one of their assigned roles will be able to give access and assign roles to the employees they have access to. When 2019.1 is released, this permission will not be automatically assigned to any roles and must be manually added where needed.
Mutual (Two-Way) Authentication for Outbound HTTPS Connections
With mutual authentication of HTTPS connections, both sides of the connection (client and server) must authenticate to each other. This is typically needed for highly secure communication channels and is sometimes required by regulatory bodies. It will be supported for NetSuite applications as of the 2019.1 release.
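To make the "both sides authenticate" requirement concrete, here is an added example (written with Python's ssl module, not NetSuite code) that builds the client and server halves of a mutually authenticated connection and includes a small audit helper for spotting a context that is only one-way authenticated. Certificate and CA paths are placeholders, and loading is skipped when they are not supplied.

```python
"""One-way versus mutually authenticated TLS configuration.

Added example, not NetSuite code: Python's ssl module is used to show what
each side of a mutual TLS connection must configure, plus an audit helper a
reviewer can run over a context. Certificate paths are placeholders; loading
is skipped when they are None so the functions can be exercised offline.
"""
import ssl


def outbound_client_context(ca_file=None, cert_file=None, key_file=None):
    """Client side: verify the server against the trusted CA bundle and, when a
    client certificate/key pair is given, present it so the server can
    authenticate the client (the mutual half of the handshake)."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    if cert_file:
        ctx.load_cert_chain(cert_file, key_file)
    return ctx


def receiving_server_context(ca_file=None, cert_file=None, key_file=None,
                             require_client_cert=True):
    """Server side: present the server certificate and, when
    require_client_cert is True, reject any client that does not present a
    certificate chaining to ca_file. CERT_NONE leaves the connection one-way
    authenticated, which is the weak setting the audit below flags."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH, cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if cert_file:
        ctx.load_cert_chain(cert_file, key_file)
    ctx.verify_mode = ssl.CERT_REQUIRED if require_client_cert else ssl.CERT_NONE
    return ctx


def audit_context(ctx, side):
    """Return a list of findings for a context used as 'client' or 'server'."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate not required" if side == "client"
                        else "client certificate not required (not mutual)")
    if side == "client" and not ctx.check_hostname:
        findings.append("hostname verification disabled")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS below 1.2 permitted")
    return findings


if __name__ == "__main__":
    # Placeholder paths; replace with real files to run an actual handshake.
    client = outbound_client_context("ca.pem", "client.pem", "client-key.pem")
    server = receiving_server_context("ca.pem", "server.pem", "server-key.pem")
    weak = receiving_server_context(require_client_cert=False)
    print("client:", audit_context(client, "client"))
    print("server:", audit_context(server, "server"))
    print("weak server:", audit_context(weak, "server"))
```

The distinguishing line is `verify_mode = CERT_REQUIRED` on the server side: without it the server never asks the client for a certificate, so only the server is authenticated, however carefully the client was configured.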
Log of Outbound HTTPS and SFTP Requests Now Available
Outbound HTTPS and SFTP requests made by an account are now logged and made available for reporting within NetSuite via the Outbound Requests log. The log will include the URL, method, result, and additional connection information. This log will be useful in auditing account activity and troubleshooting connection issues.
By default, the Outbound Requests log is available to administrators but can also be made available to other roles by adding the Outbound Request permission.
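The log's URL, method and result fields are enough to drive a simple periodic review. The block below is an added example, not part of the release or its reporting UI: it parses a constructed CSV export whose column names (timestamp, script, method, url, result) are assumed, and flags requests to destinations outside an approved list, plaintext HTTP transports, and failed results.

```python
"""Review an export of the Outbound Requests log.

Added example, not part of the NetSuite release or its reporting UI. The
column names and the sample rows below are constructed to match the fields
the release notes say the log records: URL, method and result.
"""
import csv
import io
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample export; hostnames are illustrative.
SAMPLE_LOG = """timestamp,script,method,url,result
2019-03-01T08:00:01Z,customscript_bank_sync,POST,https://api.bank.example/v1/payments,200
2019-03-01T08:00:05Z,customscript_bank_sync,POST,https://api.bank.example/v1/payments,500
2019-03-01T08:02:10Z,customscript_tax_lookup,GET,https://tax.example/rates?zip=02101,200
2019-03-01T08:03:44Z,customscript_misc_export,POST,https://paste.example.net/upload,201
2019-03-01T08:04:12Z,customscript_misc_export,GET,http://legacy.example/ping,200
2019-03-01T08:05:00Z,customscript_sftp_push,PUT,sftp://files.bank.example/outbound/pay.csv,ok
"""

# Destinations the account is expected to talk to (assumed allowlist).
ALLOWED_HOSTS = {"api.bank.example", "tax.example", "files.bank.example"}


def parse_log(text):
    """Rows of the CSV export as dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def review(entries, allowed_hosts):
    """Return (findings, host_counts).

    Each finding is (timestamp, script, reason). Reasons: a destination not on
    the allowlist, a plaintext http:// request, or an HTTP result >= 400.
    host_counts gives a per-destination volume baseline for later comparison.
    """
    findings = []
    hosts = Counter()
    for e in entries:
        parts = urlsplit(e["url"])
        host = parts.hostname or ""
        hosts[host] += 1
        if host not in allowed_hosts:
            findings.append((e["timestamp"], e["script"], f"unapproved destination {host}"))
        if parts.scheme == "http":
            findings.append((e["timestamp"], e["script"], "plaintext HTTP request"))
        if e["result"].isdigit() and int(e["result"]) >= 400:
            findings.append((e["timestamp"], e["script"], f"failed with HTTP {e['result']}"))
    return findings, hosts


if __name__ == "__main__":
    found, counts = review(parse_log(SAMPLE_LOG), ALLOWED_HOSTS)
    for ts, script, reason in found:
        print(f"{ts} {script}: {reason}")
    print("requests per host:", dict(counts))
```

Grouping the findings by script is the useful next step in practice: a script that suddenly starts contacting a host outside the allowlist is the kind of change this log makes visible for the first time.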
Reset of Long-Abandoned Customer Center Passwords
Initially announced in the 2018.2 release notes, passwords associated with website customers who met either of the following criteria have been reset:
- No login within the previous three years
- It has been more than 90 days since the customer registered and created a password, but then never logged in
Vendor Payment Approvals
Vendor Payments now support approval routing via SuiteFlow. This provides the ability to customize the process for approval or rejection of Vendor Payments and enables further segregation of duties in your business processes.
SuiteApp Marketplace Permission Replaces SuiteBundler Permission
The SuiteApp Listing page provides a location to find and install SuiteApps created via the SuiteCloud Developer Framework (SDF). With 2019.1, the SuiteApp Marketplace permission is being added to control access to the SuiteApp Listing page and will also replace the existing SuiteBundler permission. This seems to be the next logical step in phasing out bundles and replacing them with SuiteApps. With this release, only SuiteApps from NetSuite will be available under the SuiteApp Listing, but look for this to be expanded upon in future releases.
SuiteApprovals Enhancements
SuiteApprovals is a NetSuite-provided SuiteApp that provides capabilities for managing approval processes for a variety of record types. With the third major iteration of this SuiteApp, the following enhancements have been made:
- Support for Vendor Bill and Purchase Order record types
- Super Approval – this feature provides the ability to bypass the standard approval process by designating users as a ‘Super Approver’. Users with this ability can bypass the approval chain and approve or reject a record.
- Skip Approval – when the ‘Route Approvals Based on Amount’ setting is enabled for an approval rule, you can enable the skip approval feature by selecting the ‘Require One Level of Approval Based on Approver’s Approval Limit’ option under the Approval Routing section of the rule record. This will automatically route to the approver who has the required approval limit and allow final approval or rejection of the record.
Creating a proper security environment within NetSuite can be a daunting task. Our NetSuite Security Matrix helps build roles and permissions based on your company's specific security needs. Get started by downloading the NetSuite Matrix now.