Continuing our series on security updates as part of NetSuite’s biannual releases, below are the components of NetSuite’s latest release that may have an impact on your organization’s security configuration. Enjoy!
SuiteApprovals for Journal Entry
The SuiteApprovals for Journal Entry SuiteApp is targeted to be available fourth quarter of 2017 and will provide customizable options for determining which users are authorized to create, access, edit, and approve journal entries. Customization options will include the ability to set limits to determine if approval is required and route via existing hierarchies or custom criteria.
SuitePeople Employee Record Permissions Enhancements
In accounts with SuitePeople enabled, additional options are available for customizing employee permissions:
- Advanced Employee Permissions - Employee Public, Employee Confidential, and Employee Administration. These permissions provide granular access to fields and sublists on the employee record with the ability to restrict information based on employee hierarchy, class, department, location, or subsidiary.
- Customizable Employee Permissions - with Advanced Employee Permissions enabled, the Employee Public, Employee Confidential, and Employee Administration permissions can be customized to include specific custom fields and sublists on the employee record.
Permission Updates for Intelligent Transaction Matching
The Online Banking Statement page has been replaced with the Reconcile Account Statement page and the following permissions have been deprecated as a result: Find Matching Online Banking Transactions and Online Bank Statement. Any users previously assigned these two permissions will now be assigned the Reconcile permission in their place.
Vendor Time Approval
In previous releases of NetSuite, any time entered by a vendor was automatically approved. Now, you can assign employees to approve vendor time on the vendor record, or require vendor time approval for a given project that has the project time approval preferences defined. If no approvers have been defined for a vendor, that vendor's time will still be automatically approved.
Session Management Security and Usability Enhancements
The following enhancements have been made to session management to improve usability and clarity:
- Account administrators can now customize the idle session timeout in minutes on the General Preferences page.
- Users now see a 60-second countdown warning when their session is about to expire and can choose to keep the session active by clicking a button in this warning.
- If a user has multiple browser tabs open, session management will now be synced across these tabs. Tabs will be locked on logout and unlocked on login.
- When a user changes roles, any tabs left open from the previous session will be shown as inactive and locked if the user switches back to that same role.
- Users logged in with a role that has access to view unencrypted credit card data will be subject to an idle session timeout of 15 minutes in accordance with section 8.1.8 of PCI DSS.
- In previous versions of NetSuite, a 24-hour absolute session timeout was added. This has been reduced to 12 hours in accordance with NIST Digital Identity Guidelines for Authentication and Lifecycle Management.
Introducing Secure and HttpOnly Session Cookie Attributes
Session cookies will now include the Secure and HttpOnly flags. The Secure flag prevents the browser from sending the cookie over an unencrypted (non-HTTPS) connection. The HttpOnly flag prevents the cookie from being read by client-side script, such as JavaScript running in the page. Additional information is available at the following links:
- Secure (https://www.owasp.org/index.php/SecureFlag)
- HttpOnly (https://www.owasp.org/index.php/HttpOnly)
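As an added example (not from the original post and not NetSuite's own code), the following Python check parses Set-Cookie headers and reports which cookies lack the Secure or HttpOnly attribute, which is a quick way to confirm the behavior described above on your own account after the release. The cookie names and values in it are constructed placeholders, not NetSuite's real cookie names.

```python
from typing import Dict, List, Tuple

# Constructed sample Set-Cookie headers (placeholders, not captured from NetSuite).
SAMPLE_HEADERS = [
    "SESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "legacy_session=xyz789; Path=/; Expires=Wed, 21 Oct 2025 07:28:00 GMT",
    "tracking=1; Path=/; Secure",
]

# Attributes every session cookie should carry, compared case-insensitively.
REQUIRED_FLAGS = ("secure", "httponly")


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split one Set-Cookie header into its name, value and attribute map.
    Flag attributes (Secure, HttpOnly) map to True; valued ones keep their value."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, sep, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def missing_flags(header: str) -> List[str]:
    """Return the required flags that are absent from a single Set-Cookie header."""
    attrs = parse_set_cookie(header)["attrs"]
    return [flag for flag in REQUIRED_FLAGS if flag not in attrs]


def audit_cookies(headers: List[str]) -> Dict[str, List[str]]:
    """Map each cookie name to its list of missing flags (empty list = compliant)."""
    return {parse_set_cookie(h)["name"]: missing_flags(h) for h in headers}


def audit_response(header_pairs: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Audit the (name, value) pairs returned by http.client's response.getheaders(),
    looking only at the Set-Cookie entries."""
    return audit_cookies([v for k, v in header_pairs if k.lower() == "set-cookie"])


if __name__ == "__main__":
    for cookie, missing in audit_cookies(SAMPLE_HEADERS).items():
        print(f"{cookie}: {'OK' if not missing else 'MISSING ' + ', '.join(missing)}")
```

To run it against a live response, pass `response.getheaders()` from `http.client` to `audit_response`.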
System Notes for Workflows
Changes to workflows now log the following to system notes: that a change was made and the workflow revision number. More detailed information about a given change is still available in the history subtab on the workflow definition page.
As NetSuite continues to update security, we will continue to break down the changes and what they may mean for your environment. If you are looking for more NetSuite security information, tips, and best practices, check out the book, NetSuite Security and Audit Field Manual.