Successfully maintaining security in Oracle NetSuite includes making sure the users and roles are set up correctly. Roles identify what a person can (and can’t) do with information. These roles can then be assigned to the system users, including employees, vendors, partners, or customers.
One of the reasons why so much attention is put on role definitions in NetSuite is to address the problem of Segregation of Duties (SoD) conflicts. When the same person can control both sides of a transaction (for example, create a vendor and then pay that vendor without oversight), an SoD conflict exists. The conflict is that there is the potential for the individual making the transaction to fraudulently create a vendor account that will channel company funds to themselves and then freely pay that vendor without worrying that anyone will be checking their work.
As Forbes points out in Why You Need To Segregate Duties In Your Accounting Department, lack of proper SoD controls can result in more than just fraud; it can also lead to expensive errors. As the author points out, “With only one set of eyes on data entry, analysis, and financial reporting, accidental errors may be overlooked.”
In this blog post, we cover key points to help you ensure secure role design in NetSuite with the help of Fastpath’s Security Matrix:
- Standard roles in NetSuite and why they should be customized
- Creating custom roles in NetSuite
- How Fastpath can help with NetSuite security: The Fastpath NetSuite Security Matrix
Standard roles in NetSuite Should Be Customized
NetSuite comes installed with pre-configured standard roles; however, rather than using these roles “out of the box”, NetSuite recommends customizing these roles to meet the unique requirements of the people who will be using the system. Unfortunately, designing secure roles for your users can be much harder than it sounds.
Creating custom Roles In NetSuite: Plan Carefully
Secure custom roles in NetSuite should be planned and designed carefully, not configured using a hit-and-miss process, hoping to get it right eventually.
Custom roles are assigned permissions that govern the record types, tasks, and pages that users can access. Each permission is generally assigned one of four access levels: View, Create, Edit, or Full.
- View: The user only has access to view files. The user cannot create a new file, edit an existing file, or delete existing files.
- Create: The user can create a new file and view existing files but cannot edit or delete existing files.
- Edit: The user can create, view, and edit files, but cannot delete them.
- Full: The user has full access to create new files and view, edit, and delete existing files.
Permission lists can be reviewed on any role definition page by going to Setup > Users/Roles > Manage Roles. Some activities in NetSuite require setting minimum permission levels. The NetSuite Security Matrix will help administrators identify the minimum permissions required for each activity.
NetSuite security objects are typically assigned by user roles. NetSuite also allows the use of global permissions to override role-based security. Global permissions are user-based, not role-based, and can be used to adjust security settings for users. The NetSuite Security Matrix also includes a list of global permissions that can be used to further refine the security settings of each user.
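As an added illustration (not Fastpath's or NetSuite's code), the following models the four access levels, role-based permissions and user-level global permissions described above, computes a user's effective access, and checks it against the create-vendor / pay-vendor SoD conflict from the start of the post. The role names, permission names and the SoD rule are constructed for the example.

```python
# Added example (not Fastpath's or NetSuite's code): models NetSuite-style
# access levels, role permissions and user-level global permissions, then
# checks users for the vendor-create / vendor-pay SoD conflict from the post.
# Role names, permission names and the SoD rule are constructed for illustration.
from typing import Dict, List, Tuple

# Access levels in increasing order of capability, as listed in the post.
LEVELS = {"None": 0, "View": 1, "Create": 2, "Edit": 3, "Full": 4}

# Constructed role definitions: permission -> access level.
ROLES: Dict[str, Dict[str, str]] = {
    "AP Clerk (custom)": {"Vendors": "Create", "Vendor Bills": "Edit", "Vendor Payments": "View"},
    "AP Manager (custom)": {"Vendors": "View", "Vendor Bills": "Edit", "Vendor Payments": "Full"},
}

# Constructed SoD ruleset: two permissions that no single user should hold
# at or above the stated minimum levels (e.g. create a vendor AND pay it).
SOD_RULES: List[Tuple[str, str, str, str]] = [
    ("Vendors", "Create", "Vendor Payments", "Create"),
]

def effective_permissions(roles: List[str], global_perms: Dict[str, str]) -> Dict[str, str]:
    """Highest access level per permission across all assigned roles, with the
    user-level global permissions applied on top (modelled here as overriding the role level)."""
    effective: Dict[str, str] = {}
    for role in roles:
        for perm, level in ROLES[role].items():
            if LEVELS[level] > LEVELS.get(effective.get(perm, "None"), 0):
                effective[perm] = level
    for perm, level in global_perms.items():
        effective[perm] = level  # global permission is user-based and overrides the role level
    return effective

def sod_conflicts(roles: List[str], global_perms: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return the SoD rules a user violates given their roles and global permissions."""
    eff = effective_permissions(roles, global_perms)
    hits: List[Tuple[str, str]] = []
    for perm_a, min_a, perm_b, min_b in SOD_RULES:
        have_a = LEVELS.get(eff.get(perm_a, "None"), 0) >= LEVELS[min_a]
        have_b = LEVELS.get(eff.get(perm_b, "None"), 0) >= LEVELS[min_b]
        if have_a and have_b:
            hits.append((perm_a, perm_b))
    return hits

if __name__ == "__main__":
    print(sod_conflicts(["AP Clerk (custom)"], {}))                        # [] : clerk can only view payments
    print(sod_conflicts(["AP Clerk (custom)", "AP Manager (custom)"], {}))  # [('Vendors', 'Vendor Payments')]
    print(sod_conflicts(["AP Manager (custom)"], {"Vendors": "Create"}))   # global permission creates the conflict
```

The second and third calls show the two ways a conflict typically appears: a user accumulating two individually clean roles, and a global permission raising a single role above the rule's minimum level.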
How Fastpath Can Help with NetSuite Security
To make designing user roles easier, our NetSuite experts built Fastpath’s NetSuite Security Matrix. The NetSuite Security Matrix helps administrators create new custom roles based on the standard roles in NetSuite. Once created, these customized roles can be quickly reviewed for Segregation of Duties violations and signoff. Once approved, administrators can add these custom roles to NetSuite.
The Security Matrix is an Excel spreadsheet that contains several tabs listing each of the standard roles in NetSuite along with the global permissions and the minimum permission levels for each permission. There is an additional tab for constructing custom roles. Here’s how to get started:
- Follow the instructions to copy one of the standard role definitions into the Roles tab to create a new custom role. Dropdowns in each cell let you change each role's permissions as needed.
- Add as many new roles as needed.
- You can also design Global Permissions using the Global Permissions tab to add, remove, or adjust permissions.
- When complete, process owners can review the new roles for segregation of duties conflicts and provide signoff.
Designing secure roles is an important part of securing your NetSuite application against fraud, and the NetSuite Security Matrix is a tool to help administrators design more secure roles for NetSuite.
For even more security for your NetSuite application, take a look at Fastpath Assure’s line of products developed specifically for NetSuite. Developed by auditors for auditors, Fastpath Assure simplifies secure user access management, reduces Segregation of Duties risk, and facilitates SOX and audit compliance. Fastpath products include:
Access Risk Monitor – Use pre-defined rulesets to identify and mitigate SoD threats.
Audit Trail – Identify changes to critical NetSuite data, including before and after values, the date the changes were made, and who made them.
Identity Manager – Lets business process owners request user access without the need for IT intervention.
Security Designer – Create and test new roles for potential SoD conflicts before placing them into production.
Risk Quantification – Calculate the financial risk presented by the SoD risks in your NetSuite environment so you can focus on the areas of highest risk first.
Fastpath is proven to show a positive return on investment for any size company, typically paying for itself within the first year.
Download your free copy of Fastpath’s NetSuite Security Matrix, and be sure to contact us if you have any questions.