Oracle NetSuite, recently named a Leader in Forrester Wave reports, determines a user's access to data within the system by controlling the permissions assigned to user roles. Defining custom user roles in Oracle NetSuite is an essential part of user access security. However, creating these custom roles can be difficult. Fastpath's NetSuite Security Designer lets you simulate changes to your security roles and test them prior to deployment, saving IT departments time-costly cycle times and allowing security professionals to make risk-informed design decisions for role and privilege assignments.
In this blog post, we will cover:
- Standard and custom roles in NetSuite
- Using Fastpath's NetSuite Security Designer
- Creating a security model
- Analyzing the risks
- Reviewing and deploying
- How Fastpath can help
The Purpose of Standard and Custom Roles in NetSuite
Role permissions tell a software application which actions a role can or cannot take. For instance, executive management typically does not have (or, more accurately, should not have) the ability to create or pay vendors. As a result, one of the standard roles gives the CEO view permissions but allows that role to edit or create little else in the system.
The primary goal of role design is to minimize the potential for Segregation of Duties risk. Segregation (or Separation) of Duties (SoD) ensures that no person or role can conduct both sides of a financial transaction, such as creating a vendor and then paying that vendor without oversight. A missed SoD conflict can open the door to theft—an expensive proposition since businesses lose approximately $400 billion each year to theft. Theft resulting from SoD risk can have serious consequences:
- In 2016, an employee of an agricultural distributor was convicted of defrauding the company of $6 million over ten years by billing the company for deliveries that never occurred to companies that never existed.
- An employee of a national bank was convicted of embezzling over $14 million over seven years by offering clients a non-existent tax-free wealth management account.
- In 2013, the comptroller of the city of Dixon, Illinois, was convicted of stealing more than $53 million from the city over 20 years.
NetSuite comes with standard roles with predefined permissions. Most of these roles correspond to familiar employee positions, such as Accountant, Bookkeeper, CEO/CFO, and Developer. There are also out-of-the-box, standard roles for users, including vendors, partners, and customers who are provided with account access.
Since standard roles cannot be modified within NetSuite, the company recommends that administrators use standard roles as templates, creating customized roles before assigning them to users. These customized roles can then be edited as needed, even after the role has been assigned. With SoD as a concern when creating custom roles, it is important to analyze potential risks before changing role permissions in your NetSuite production system.
Simplifying the Task of Role Design in NetSuite with Fastpath's Security Designer
Fastpath's Security Designer is a powerful tool that makes custom role creation in NetSuite fast and easy. Using Security Designer, administrators can model various custom roles, analyze each model's risk, and choose the optimal role to be placed in production.
There are three steps involved in using Fastpath's NetSuite Security Designer:
- Creating a security model – Make changes to NetSuite security roles
- Analyzing the risk of the new model – Analyze the potential risk caused by implementing these changes
- Reviewing and Deploying – Review the individual changes made to the roles, deploy them in NetSuite, and set the security model status to deployed
When you open Security Designer for NetSuite, you see a list of existing security models. Each model displays the name of the model, the user who created it, the date and time it was created, and the status.
The status of a model can be set to one of four possible values:
- Pending Analysis – The security model is in the queue to be analyzed
- Analyzing – The security model is being analyzed to determine changes and potential risk
- Ready – The analysis has finished and the security model is ready for review
- Deployed – The security model has been deployed to the NetSuite environment
Creating a Security Model
A security model is a collection of NetSuite roles, and these roles are made up of subsidiaries, users, and permissions that are assigned to that role. When creating a new security model, start with the collection of NetSuite roles that have been loaded into Fastpath Assure.
You can create different models in Security Designer and then change the security settings of each model. New models are added to the list of existing models.
Figure 1 – Editing roles in Fastpath's NetSuite Security Designer
Select a role you would like to modify. Security Designer then displays the various components of the role. You can add or remove any of the role components and adjust the access levels (view, create, edit, full) to change the permission settings of each component.
When you are finished editing a role, save the security model and initiate the analysis.
Analyzing the Risk of the New Model
The next step is to analyze the security model to test for segregation of duties conflicts. The status changes from "Pending Analysis" to "Analyzing" to "Ready," which indicates the analysis is complete and the security model is ready for review.
The analysis displays the changes that were made to the NetSuite roles that existed in the Fastpath Assure platform when the analysis was performed. The analysis also identifies the security roles and access conflicts of the model you edited and compares them to the roles running in your production environment.
Figure 2 – Showing the results of security analysis in Fastpath's NetSuite Security Designer
The following indicators show how the changes to the roles affected the number of conflicts:
- Existing – The number of conflicts that existed prior to making changes to the role
- New – The number of new conflicts introduced by the changes
- Removed – The number of conflicts removed by the changes
- Total – The total number of conflicts as a result of the changes that were made
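To make the four indicators concrete, here is an added example (not Fastpath's or NetSuite's code) of how a security model can be compared against production roles. The SoD rule pairs, role names and permission names are constructed assumptions for illustration; the logic treats a role as a map of permissions to access levels (view, create, edit, full), fires a rule only when both sides of a conflicting pair are held at create level or above, and then derives Existing, New, Removed and Total counts per role.

```python
from dataclasses import dataclass

# Constructed SoD ruleset: pairs of permissions that one role should not hold
# together. These pairs are illustrative assumptions, not Fastpath's or
# NetSuite's actual rule library.
SOD_RULES = {
    frozenset({"Vendors", "Vendor Bills"}): "Create vendor and enter vendor bills",
    frozenset({"Vendor Bills", "Pay Bills"}): "Enter and pay vendor bills",
    frozenset({"Customers", "Customer Payments"}): "Create customer and apply payments",
    frozenset({"Journal Entries", "Bank Reconciliation"}): "Post journals and reconcile bank",
}

# Access levels in ascending order of capability, as listed in the post.
ACCESS_RANK = {"view": 1, "create": 2, "edit": 3, "full": 4}


@dataclass
class Role:
    name: str
    permissions: dict  # permission name -> access level ("view", "create", "edit", "full")


def find_conflicts(role, rules=SOD_RULES, min_level="create"):
    """Return the set of SoD rule keys (frozenset pairs) that a role violates.

    A rule fires only when both permissions are held at or above `min_level`;
    a view-only permission cannot complete either side of a transaction, so it
    does not count toward a conflict.
    """
    threshold = ACCESS_RANK[min_level]
    active = {p for p, lvl in role.permissions.items() if ACCESS_RANK[lvl] >= threshold}
    return {pair for pair in rules if pair <= active}


def analyze_model(production_roles, model_roles, rules=SOD_RULES):
    """Compare each role in a security model against its production counterpart.

    Returns, per role, the Existing / New / Removed / Total conflict counts and
    the descriptions of any newly introduced conflicts. A role that does not yet
    exist in production starts with zero existing conflicts.
    """
    report = {}
    for name, model_role in model_roles.items():
        before = find_conflicts(production_roles[name], rules) if name in production_roles else set()
        after = find_conflicts(model_role, rules)
        report[name] = {
            "existing": len(before),
            "new": len(after - before),
            "removed": len(before - after),
            "total": len(after),
            "new_rules": sorted(rules[p] for p in after - before),
        }
    return report


def model_totals(report):
    """Sum the per-role indicators so a whole model can be judged at a glance."""
    keys = ("existing", "new", "removed", "total")
    return {k: sum(r[k] for r in report.values()) for k in keys}


# Constructed sample data: the roles as loaded from production, and the edited
# copies that make up the security model under analysis.
PRODUCTION_ROLES = {
    "AP Clerk": Role("AP Clerk", {"Vendor Bills": "edit", "Pay Bills": "full", "Vendors": "view"}),
}
MODEL_ROLES = {
    # Edited: Pay Bills downgraded to view, but Vendors raised to create.
    "AP Clerk": Role("AP Clerk", {"Vendor Bills": "edit", "Pay Bills": "view", "Vendors": "create"}),
    # Brand-new role with no production counterpart.
    "Controller": Role("Controller", {"Journal Entries": "full", "Bank Reconciliation": "full"}),
}

if __name__ == "__main__":
    report = analyze_model(PRODUCTION_ROLES, MODEL_ROLES)
    for role_name, counts in report.items():
        print(role_name, counts)
    print("model totals:", model_totals(report))
```

In the sample data the AP Clerk edit removes one conflict (entering and paying bills) but introduces another (creating vendors and entering their bills), so Existing, New, Removed and Total are all 1 for that role; the new Controller role shows up with a single new conflict. Reading the "new_rules" list alongside the counts is what tells a reviewer whether a change that looks neutral on the Total indicator actually traded one risk for another.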
Reviewing and Deploying Changes to NetSuite
After the analysis is complete, review the results panel and decide whether you want to keep the changes.
If the analysis shows the changes are insufficient, you can make additional changes to the security model or delete the model completely and start over.
When you are satisfied that the changes pose minimal SoD and access risks, you must manually deploy the models in NetSuite using NetSuite's interface. Once this task has been completed, set the status for the model in Security Designer to "Deployed".
How Fastpath Can Help
Creating custom roles in your NetSuite environment requires attention to detail to ensure that access and SoD risk is minimized while still providing sufficient access for employees to complete their jobs. Fastpath's Security Designer for NetSuite helps streamline the process and lets you analyze the risks and make informed decisions before moving the roles into production.
Fastpath offers a suite of products for NetSuite to help identify, mitigate, and prevent unauthorized user activity, including: Access Risk Monitor, Audit Trail, Identity Manager, Security Designer, and Risk Quantification.
Download the eBook, Top Ten Most Requested Reports in Fastpath Assure, and see how Fastpath can help your company.