<img height="1" width="1" style="display:none;" alt="" src="https://dc.ads.linkedin.com/collect/?pid=523033&amp;fmt=gif">

Tracking Changes in Scripts and Workflows to Improve NetSuite Security

NetSuite, named a Leader in Gartner’s Magic Quadrant for Cloud Core Financial Management Suites for Midsize, Large, and Global Enterprises in 2020, is one of the fastest-growing cloud ERP vendors for small to medium sized businesses. One reason for its popularity is the flexibility it offers users through the use of scripts and workflows.

Using scripts and workflows in NetSuite, users can perform a wide range of sophisticated tasks, including field validations, approval processes, and process automation. However, because what these tools allow users to do can affect the integrity of the data and transactions in the system, scripts and workflows should be closely monitored for any changes that can compromise NetSuite security.

This post discusses how to leverage tools within NetSuite to audit script and workflow changes, including the following:

  • Understanding the components that make up NetSuite scripts—source files, script records, and script deployment records—and the roles they play
  • How to identify when changes were made in script source files
  • How to identify changes in script records and script deployment records
  • How to identify changes in workflows
  • Maintaining security in NetSuite scripts and workflows in the future and how Fastpath can help

The Structure Of NetSuite Scripts

Before discussing how to track changes in scripts and workflows, it is important to understand the three components of scripts in NetSuite:

Script source files are JavaScript and any other files that define the business logic of the script. They are located in the SuiteScripts or SuiteBundles folders.

The script record defines when the source code should run and which lines of business logic to execute when it does.

The script deployment record identifies when the script should run as well as the users who can initiate it. Scripts cannot run without a script deployment record.

The permissions required for running scripts are:

  • Documents and Files: View
  • Perform Search: Full
  • SuiteScript: View

Identifying Changes In NetSuite Source Files

A saved search in NetSuite can be used to view all source files that have been changed, including the date the change was made and the user who made the change. However, this search will only identify the fact that changes were made; it will not identify which lines of code were changed. Users should rely on source control tools to track the specific changes made to the source code included in each release.

To create a search to view changes to the source code:

1. Create a new saved search for the 'Document' record type.


Figure 1 – Saved Search for Document record type

2. Enter the file type of the source code file in the “File Type” field. This will typically be a JavaScript file (*.js), but it is possible to filter on other file types as well.


Figure 2 – Enter File Type field

3. Add the following fields to the “Results” tab to display when the file was last changed and the user who made the change:

  • Name
  • Type (file type)
  • System Notes: Date (when the change was made)
  • System Notes: Set By (who made the change)

The search result will show the script name, when it was last changed, and the user who made the change.


Figure 3 – Saved Search results to display changes to source files

Identifying Changes In Script And Script Deployment Records

Script and script deployment records in NetSuite support system notes. System notes provide details of old and new field-level values, the date of the change, and who made the change.

To view changes to script and script deployment records: 

1. Create a new saved search using the "Script" or "Script Deployment" record type.


Figure 4 – Creating a Saved Search for Script or Script Deployment

Create a filter for System Notes and set the "File Type" field to either "Script" or "Script Deployment".


Figure 5 - Setting Save Search filter for "Script" or "Script Deployment" file types

3. Add the following fields for the "Results" tab to see details about the changes:

  • Name
  • System Notes: Context (where the change was made)
  • System Notes: Date (when the change was made)
  • System Notes: Field (the field that was changed)
  • System Notes: New Value (the new value of the field as a result of the change)
  • System Notes: Old Value (old value of the field before the change)
  • System Notes: Set by (who made the change)

Information about the changes to the script or script deployment records in your NetSuite account will be displayed.

Identifying Changes In NetSuite Workflows

Workflows do not support system notes; therefore, saved searches only identify the last time the workflow was modified. Once identified, users can open the individual workflows and look for the changes that were made. To have visibility into workflows, users must have “Full” workflow permissions and “Full” permissions to perform searches.

To find the workflows that were changed:

1. Create a new saved search using the "Workflow" record type.


Figure 6 – Setting new Saved Search to find Workflow changes

2. Add the following fields for the "Results" tab to see details about the changes:

  • Name
  • Record Type (type of record workflow runs against)
  • Release Status (current release status of the workflow)
  • Date Modified (the last date/time the workflow was modified)

A list of all workflows will be displayed along with the most recent date they were modified.


Figure 7 – Results displaying changes to workflows

3. After identifying the workflows that have been changed, open these workflows to view the details of the changes by clicking the "Edit" button next to the workflow.

The workflow will open in the Workflow Editor.

4. Edit the workflow to see the workflow details.


Figure 8 – Display workflow details

The History tab at the bottom of the details page will show all changes made to the workflow.


Figure 9 – History tab showing workflow changes

Don’t Forget About Managing User Access Risks

While keeping track of script and workflow changes is an excellent way to ensure NetSuite security, it is not the only way. Another area to monitor closely is user access. There are reviews either for looking at history (what the user has done) or potential (what the user could do). We recommend putting processes in place for reviews in three categories:

Segregation of Duties Review

Segregation of Duties (SoD), or the practice of separating the access needed to perform a business process between multiple users to limit risk, is a vital component of successfully managing access. A segregation of duties review is proactive, identifying access in ERP and other business applications by user or role and reporting conflicts or risks associated with that access, along with the specific security settings responsible for those conflicts—for example, allowing the same person to create vendors and pay them.

User Access Review and Certification

With promotions, reorganizations, turnover, and temporary duties, user access to the ERP needs to be reviewed periodically. A user access review offers supervisors or business process owners an opportunity to review ERP access assigned to their direct reports or anyone involved in a business process they own to ensure users are only provided the access privileges required to perform their job functions. After completing an access review, the supervisor or business process owner can then certify the user.

Audit Trail Review

This review focuses on changes to specific data and is ideally suited to high-value, low-frequency changes such as module configurations, where the goal is to review every change or confirm nothing has changed. This review should track user activity for critical changes to data or configuration settings, when those changes were made, and by whom so they can be further evaluated for potential problems.

Keeping An Eye On Script And Workflow Changes To Maintain NetSuite Security: How Fastpath Can Help

Maintaining a watchful eye on changes made to scripts and workflows is an essential part of maintaining security in NetSuite. In addition to identifying when changes are being made, it is strongly recommended that NetSuite developers and administrators keep a source code repository to track all changes made to source files.

Securing your NetSuite environment can be a challenging and time-consuming effort—but there are tools that can help. Fastpath offers a suite of products for NetSuite that helps identify, mitigate, and prevent unauthorized user activity:

  • Access Risk Monitor – Identify Segregation of Duties (SoD) threats and analyze who has access to critical data at a granular level. SoD tools come with pre-defined rulesets built by Fastpath’s team of certified internal auditors.
  • Audit Trail – Track user activity, noting critical changes to data and configuration settings, when, and by whom, including before and after values.
  • Identity Manager – Streamline user setup while adding approvals and audit trails into the process.
  • Security Designer – Create new roles or edit existing ones. Identify where conflicts currently exist vs. where they would exist if the proposed changes went into effect. Decide which model best fits your needs with the lowest possible risk level.
  • Risk Quantification – Quantify the financial exposure of Segregation of Duties conflicts in your ERP environment and assign a value to those risks. Delivering this critical information to auditors allows them to focus on the key areas with the greatest monetary impact on the organization.

To learn more about how to make sure your NetSuite security is as tight as possible, watch our on-demand webinar, 50 Tips and Tricks for NetSuite in 40 Minutes. Are you looking for tools like those discussed in this post to improve the security of your NetSuite application? Contact Fastpath to discuss how we can help.

This blog is part of a series that looks at how you can make sure your NetSuite security is as tight as possible. Check out these other blogs: