Continuing our series on security updates as part of NetSuite’s biannual releases, below are the components of NetSuite’s latest release that may have an impact on your organization’s security configuration. Enjoy!
Enhanced GL Audit Numbering with GL Impact Locking
GL Audit Numbering applies gapless numbering sequences to all GL posting transactions, which can help organizations meet international compliance requirements. Prior to 2017.1, GL audit numbering sequences could only be generated from the period close checklist. With 2017.1, a new menu has been added to manage GL audit numbering, which can be found at Transactions > Management > GL Audit Numbering. This menu provides the following options:
- Set up and run GL Audit Numbering sequences, with two options:
- Review the GL impacting transactions to be numbered
- View the history of GL audit numbered transactions
- Verify the GL audit numbering status of GL impacted transactions
The Manage Accounting Periods permission is required to access the GL Audit Numbering menu: View access is enough to review, view, and verify, while Full access is required to set up and run sequences.
GL impact locking locks the GL impact of a transaction once it has been assigned a permanent GL audit number. Any further change to a transaction with a locked GL impact automatically generates a GL Impact Adjustment Copy and a GL Impact Adjustment Reversal transaction, both of which are displayed on the GL impact view of the original transaction. This feature is hidden and can only be enabled by opening a support case with NetSuite.
New Options for Two-Factor Authentication
Users can now generate two-factor authentication verification codes with an authenticator application. The app must support the OATH TOTP standard (RFC 6238), which covers Google Authenticator, Microsoft Authenticator and a number of third-party apps. An authenticator app can be set as either the primary or the backup two-factor authentication method.
SAML Single Sign-On Enhancements
There are two enhancements to SAML Single Sign-On with 2017.1:
- IP address rules now apply to users logging into NetSuite with a SAML role
- Password expiration notices are no longer sent for SAML roles
Absolute Session Timeouts for Web Services and UI Access
The Open Web Application Security Project (OWASP) is a worldwide not-for-profit charitable organization focused on improving the security of software. One of OWASP's guidelines recommends that every session have an absolute timeout that applies regardless of session activity. More information on OWASP session timeout best practices can be found here: OWASP Session Timeout. As OWASP states, the practice to avoid is an "infinite" session timeout; in other words, a user's session should expire at some point even if it is in constant use. To adhere to this best practice, NetSuite has implemented an absolute session timeout of 24 hours for user interface sessions and 1 hour for web services sessions. Long-running web services integrations must therefore be prepared to re-authenticate rather than rely on keep-alive requests.
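The difference between an idle timeout and an absolute timeout is easy to get wrong in a session store. The following is an added example, not NetSuite's implementation, showing a session check in which activity refreshes the idle clock but never the absolute clock, and a simulation of a client that pings the session to keep it alive. The 24-hour and 1-hour figures are the ones stated above; the 15-minute idle limit is an assumption chosen for illustration, not a NetSuite value.

```python
from dataclasses import dataclass

UI_ABSOLUTE = 24 * 3600   # NetSuite 2017.1: user interface sessions
WS_ABSOLUTE = 60 * 60     # NetSuite 2017.1: web services sessions
IDLE_LIMIT = 15 * 60      # assumed idle timeout for illustration only
INFINITE = float("inf")   # the "infinite" absolute timeout OWASP warns against


@dataclass
class Session:
    created_at: int
    last_activity: int
    absolute_limit: float
    idle_limit: int


def session_state(s: Session, now: int) -> str:
    """The absolute limit is measured from creation and checked first;
    the idle limit is measured from the last request."""
    if now - s.created_at >= s.absolute_limit:
        return "absolute-expired"
    if now - s.last_activity >= s.idle_limit:
        return "idle-expired"
    return "active"


def touch(s: Session, now: int) -> str:
    """A request on a live session resets the idle clock only;
    nothing a client does extends the absolute clock."""
    state = session_state(s, now)
    if state == "active":
        s.last_activity = now
    return state


def keepalive_cutoff(absolute_limit: float, idle_limit: int,
                     poll_every: int, horizon: int):
    """Simulate a client that sends a request every poll_every seconds.
    Returns (time, state) at which it is first refused, or (None, "active")
    if the session is still alive at the horizon."""
    s = Session(created_at=0, last_activity=0,
                absolute_limit=absolute_limit, idle_limit=idle_limit)
    t = 0
    while t <= horizon:
        state = touch(s, t)
        if state != "active":
            return t, state
        t += poll_every
    return None, "active"


if __name__ == "__main__":
    week = 7 * 24 * 3600
    # A 5-minute keep-alive defeats the idle limit but not the absolute one.
    print(keepalive_cutoff(WS_ABSOLUTE, IDLE_LIMIT, 300, week))
    # With an "infinite" absolute limit the same client holds the session forever.
    print(keepalive_cutoff(INFINITE, IDLE_LIMIT, 300, week))
```

The simulation makes the OWASP point concrete: with only an idle limit, a script (or a hijacked token) that sends a request every few minutes keeps the session alive indefinitely; with the absolute limit the web services session ends after one hour regardless.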
Inclusion of Role in System Notes
System notes generated as of the 2017.1 upgrade now include the role the user was logged in under at the time of the change, which makes it much easier to identify changes made by power users. Changes made by the system are recorded under the Administrator role. The new field is not shown by default and must be added manually to saved searches and sublist views where needed.
Enhanced Security for Admin Scripting
In both SuiteScript 1.0 and 2.0, changes made via script to entity records that hold the Administrator or Full Access role are now restricted. Scripts can no longer:
- Create or delete an entity record that has the Administrator or Full Access role
- Edit an entity record so that the entity gains or loses an Administrator or Full Access role
- Edit the password or email of an entity that has the Administrator or Full Access role
These restrictions apply even to scripts running in the context of the Administrator or Full Access role.
New Permissions
Four new permissions have been introduced as part of the 2017.1 release.
Employee Search - explicitly controls the ability to search for employee records via the user interface or script.
Employee Navigation - provides access to the Lists > Employees menu in the user interface.
Bundle Audit Trail - provides access to the bundle audit trail without the need for the SuiteBundler permission.
SuiteScript Scheduling - previous NetSuite releases required the Administrator role to execute a scheduled or map/reduce script via the script APIs. With 2017.1, this can be done by any role that has the SuiteScript Scheduling permission.