No ERP software provides 100% of any organization’s required functionality without some modification. NetSuite offers several tools to customize the software to match your unique business processes. One method, discussed in the SuiteBuilder Customization Guide, is Custom Records. Fastpath knows that customization is often required to run the best business processes, so we will also share how customization does not mean you need to compromise your security posture. You can have both: customization in NetSuite and access security solutions with Fastpath.
Custom Records allow users to collect information unique to your business, and this information can be attached to entities, items, or transactions using custom fields. Since they are often used to hold sensitive company information, they should be secured from unauthorized user access like any other part of the application that contains critical data.
This blog post explains the security settings that affect the use of Custom Records in NetSuite, including:
- Providing Access to Custom Record Types
- Providing Access to Custom Record Instances
- Controlling Field Level Security in NetSuite
- Additional Settings
- How Fastpath Can Help with NetSuite Custom Record Security
Access to Custom Record Types
Depending on their access permissions, users can view or modify custom record types. To view a list of Custom Records, go to: Customization > Lists, Records, & Fields > Record Types. NetSuite provides three methods to grant access to custom record types:
- Custom Record Type permission: This permission is assigned to users through role assignments or global permissions. This permission grants a user up to all four access levels (view, create, edit, or full) and controls the user's access level to all custom record types.
- Owner: This permission defaults to the creator of the custom record type; however, it can be changed to other NetSuite users if needed. The owner of a custom record type has full access to that specific custom record type.
- Managers: A custom record definition can be assigned one or more managers. A custom record type manager is a NetSuite user who has full access to that specific custom record type and can see a list of all custom record types, but cannot drill down.
Access to Custom Record Instances in NetSuite
Users can view or modify the data within a custom record type when they are granted access to specific custom record type instances. This access is configured through two settings on the custom record type and one setting on a field within the custom record type:
- Owner: Defaults to the creator of the custom record type; however, it can be changed to other NetSuite users if needed. The owner of a custom record type has full access to that specific custom record type.
- Access Type: Defines the level of access to instances of a custom record type for users who are not the owner. The Access Type has three possible settings:
  - Require Custom Record Entries Permission (default): Restricts access to only those with the Custom Record Entries permission. The owner of the custom record type will always have full access, but permission can also be assigned to users through roles or global permissions. This permission supports view, create, edit, and full access levels.
  - Use Permission List: Restricts access to users with a role defined on the Permissions subtab of the custom record type. The owner of the custom record type will always have full access.
  - No Permission Required: Makes this instance of the custom record type public. All users have full access and can modify the record if they get access to its entry form.
- Role Restrictions: Restrictions specified on a given role based on record values for department, class, location, employee, and subsidiary can also be applied to custom records. Check the ‘Apply Role Restrictions’ box to enable this setting when creating a custom record type field that is a List/Record type for class, department, location, employee, or subsidiary.
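The access decision described in this section, written out as a small JavaScript model (an added example, not NetSuite or Fastpath code). The object shapes, role names and sample record types are constructed, the Permissions subtab is assumed to map a role to a level, and Role Restrictions are not modelled.

```javascript
// Model of the instance-access rules in this section. This is not NetSuite API
// code: object shapes, field names and sample data are constructed for the example.
const LEVELS = ["none", "view", "create", "edit", "full"];
const ACCESS_TYPE = {
  ENTRIES: "Require Custom Record Entries Permission",
  LIST: "Use Permission List",
  PUBLIC: "No Permission Required",
};

// subject = { user, role, entriesLevel }, where entriesLevel is the Custom Record
// Entries level the subject holds through a role or global permission (if any).
function effectiveInstanceAccess(recordType, subject) {
  if (recordType.owner === subject.user) return "full"; // owner always has full access
  let level;
  switch (recordType.accessType) {
    case ACCESS_TYPE.PUBLIC:
      return "full"; // every user, whatever their role
    case ACCESS_TYPE.LIST:
      // Assumption: the Permissions subtab is modelled as role -> level.
      level = recordType.permissionList?.[subject.role];
      break;
    case ACCESS_TYPE.ENTRIES:
      level = subject.entriesLevel;
      break;
  }
  // Missing grant, unknown level or unknown access type: fail closed.
  return LEVELS.includes(level) ? level : "none";
}

// Review helper: names of record types whose instances are open to every user.
function findPublicRecordTypes(recordTypes) {
  return recordTypes
    .filter((rt) => rt.accessType === ACCESS_TYPE.PUBLIC)
    .map((rt) => rt.name);
}

// Constructed sample definitions and a constructed non-owner user.
const recordTypes = [
  { name: "Vendor Bank Details", owner: "alice", accessType: ACCESS_TYPE.LIST,
    permissionList: { "AP Manager": "edit", "Auditor": "view" } },
  { name: "Warranty Claim", owner: "bob", accessType: ACCESS_TYPE.ENTRIES },
  { name: "Salary Band", owner: "carol", accessType: ACCESS_TYPE.PUBLIC },
];
const clerk = { user: "dave", role: "AP Clerk", entriesLevel: "view" };

for (const rt of recordTypes) {
  console.log(`${rt.name}: ${effectiveInstanceAccess(rt, clerk)}`);
}
console.log("Public record types:", findPublicRecordTypes(recordTypes));
```

The same non-owner user ends up with no access, view access and full access across the three record types, which is why the Access Type setting is the first thing to check when reviewing a custom record type that holds sensitive data.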
Field Level Security in NetSuite
Fields in custom record types support additional security settings to control who has access to the information in custom fields and how that information can be accessed through the record, search results, and reports. Access to a field can be controlled by role, department, or subsidiary.
When multiple access levels are granted for a user's role, department, or subsidiary, the highest access level is used. The access levels are:
- None: The field is not visible and cannot be changed
- View: The field is visible but cannot be changed
- Edit: The field is visible and can be changed
- Run: The field is visible in search and reports but cannot be changed (applies only to searches and reports)
NetSuite also allows you to set the default access level and the default search/reporting level for a custom field; these defaults apply to roles, departments, and subsidiaries not defined on the access subtab.
Additional Settings for Securing Custom Records in NetSuite
Allow UI Access (enabled by default): When disabled, users are denied access to the custom record type using the user interface. Instead, instances of this custom record type can only be accessed programmatically using SuiteScript.
Allow Mobile Access (disabled by default): When enabled, instances of this custom record type can be accessed from mobile devices using the NetSuite iPhone app.
How Fastpath Can Help with NetSuite Custom Record Security
The power of Custom Record Types in NetSuite is that they allow users to extend NetSuite functionality. However, users should guard against unauthorized access to view and/or change critical values contained in them.
To further protect your NetSuite environment, Fastpath provides a suite of products for NetSuite that help you manage your access control challenges, streamline user provisioning, quantify your segregation of duties risk, and meet SOX and other regulatory requirements.
To learn more about securing your NetSuite application, watch our on-demand webinar, 50 NetSuite Security Tips in 40 Minutes, for practical steps you can take right now.