NetSuite security, without proper experience, can be difficult to implement and maintain. The goal of this post is to outline three common mistakes made when configuring security in NetSuite and provide best practices for avoiding those mistakes to help your organization mitigate risk.
Over Extending the Administrator Role
The most common mistake in NetSuite security configuration is over extending the Administrator role. The Administrator role has the virtual keys to the NetSuite kingdom, including full visibility into all areas of the NetSuite account and complete access to the Setup Manager, where system features and billing information are available. Given the power of this role, it is crucial that all actions taken in NetSuite under the context of the Administrator role are subject to heavy scrutiny and that consideration is given to the following areas:
- Access reviews: it is important to understand that users with the Administrator role and the Administrator role itself do not show up in access reports in NetSuite. This lack of visibility is an important consideration with regards to auditing. Best practice here is to limit the Administrator role to a small number of users and create new roles with elevated permissions (if needed) that will show up in access reports.
- Consultants / integrated software: determining the exact permissions required for a specific user can be difficult and this problem is compounded when dealing with external consultants or access for a specific integration need. Often times, the Administrator role is assigned as a simple solution that does not require an answer to the question: “What permissions does this user need?” Obviously, granting the highest level of access to your NetSuite account because it is easy is not best practice. The recommended approach involves a few steps, but can save you from headaches down the road:
Misunderstanding Global Permissions
NetSuite global permissions provide a method of assigning permissions to users that apply across all of their assigned roles. A common misconception regarding global permissions is what happens when a user’s assigned roles have permissions that conflict with their assigned global permissions. In this case, the global permission will take precedence, even if the global permission is at a lower access level. For example, John Doe has the following security setup:
- A role with the ‘Accounts’ permission at ‘Full’ access level
- A global permission for the ‘Accounts’ permission at ‘View’ access level
NetSuite configuration settings and enabled features can have a large impact on your security policies. Remember to take a look at the following settings:
Password policies: NetSuite has a few different options when determining how user passwords are managed. You can choose a strength policy to set required complexity for passwords, a minimum required length, and password expiration. It is highly recommended to stick with the ‘Strong’ password complexity requirement (set out of the box) and to set a password expiration.
Saved search and report access: there are several methods of granting access to saved searches and reports that make it very easy to mistakenly provide a user with access to data that should be restricted. This includes a few methods that circumvent the user’s assigned permissions:
1) Saved search ‘Run Unrestricted’ setting: when set allows users to see search results they are restricted from viewing given their current permission set.
2) Report ‘Access’ tab: allows specified users to view custom reports regardless of their current permission set.
Avoiding these common mistakes will allow you to have a more secure and efficient NetSuite environment. If you want to learn more about setting up security in NetSuite, take a look at our white paper: Designing NetSuite ERP Application Security, co-authored by Protiviti. NetSuite security, without proper experience, can be difficult to implement and maintain. The goal of this post is to outline three common mistakes made when configuring security in NetSuite and provide best practices for avoiding those mistakes to help your organization mitigate risk.