Version 2016.2 of NetSuite includes several updates that can affect your NetSuite security configuration. The goal of this post is to identify the key security updates in this release and help you understand why they may be important to your organization.
Five Administrative Permissions Separated from the Administrator Role
The Administrator role in NetSuite consists of many permissions that are hardcoded to the role itself and not available for assignment to other roles. With this release of NetSuite, five of those hardcoded permissions are being made available for assignment to other roles:
- Enable Features
- Set Up Company
- Set Up Shipping
- View Billing Information
- Web Services Log
With regard to security, it is always a good idea to limit the number of users in your NetSuite account that have the Administrator role. As permissions that were once hardcoded to the Administrator role are made available to other roles, it will become easier to assign administrative tasks to other users without having to assign those users the Administrator role.
New Trusted Devices and Configuration Options for Two-Factor Authentication
Two-factor authentication adds security to a NetSuite account by requiring users to log in using something they know (email address and NetSuite password) and something they have (SMS or RSA SecurID). In previous releases of NetSuite, users were required to pass both stages of authentication in order to log in to NetSuite.
With the latest release, users can now choose to mark devices or browsers as trusted, which means they only need to enter their email address and password when accessing NetSuite via a trusted device or browser. NetSuite administrators will have the option to set a duration for each security role to determine how long devices or browsers remain trusted before requiring two-factor authentication again. The duration can be set under Setup > Users / Roles > Two-Factor Authentication Roles.
New Notifications for Password Expiration and Password Change
With 2016.2, NetSuite will also send email notifications to all users (except Customer Center users) regarding password expiration and password changes. For password expirations, NetSuite will send email notifications 14 days, 7 days, 3 days, 2 days, and 1 day prior to expiration to remind users that they should change their password. For password changes, NetSuite will send an email notification any time the password associated with a user's email address is changed. This will make users more aware of any fraudulent attempts at changing their password.