Rarely does software meet every need of a business off-the-shelf. In almost every implementation, there is going to be a need for software to be extended with custom business processes or data. To help meet this need, NetSuite provides a variety of customization options. Custom records in NetSuite provide the ability to collect information specific to the needs of your business. As custom records can often store information that might be sensitive or even financially relevant, it is important to understand how to properly secure the data stored in those custom records. In this post we take a look at the security settings that apply to custom records.

Access to Custom Record Types

Users with access to custom record types can view or modify (depending on the user’s access level) the definition of a custom record type, including the fields defined and security settings. There are three separate ways to grant access to custom record types.

1. Custom Record Types permission: assigned to users via role assignments or as a global permission. This permission supports all four access levels (view, create, edit, full) and controls the level of access a given user has to all custom record types.
2. Owners: defaults to the user who created the custom record type, but can be changed to other NetSuite users. The owner of a custom record type has full access to that specific custom record type and the ability to see a list of all custom record types (without the ability to drill down).
3. Managers: a custom record definition can have one or more managers assigned. A custom record type manager is a NetSuite user having full access to that specific custom record type and the ability to see a list of all custom record types (without the ability to drill down).

Access to Custom Record Instances

Users with access to custom record instances can view or modify (depending on the user’s access level) the individual instances of a custom record type (the data stored in the custom record type). There are two settings on the custom record type and one on the fields within the custom record type that determine how user access is granted to the custom record type instances.

1. Owners: defaults to the user who created the custom record type but can be changed to other NetSuite users. The owner of a custom record type has full access to all instances of that custom record type in any role.
2. Access Type: the access type determines what level of access users other than the owner have for instances of a custom record type. There are three possible settings:
   1. Require Custom Record Entries Permission (default): only users with the Custom Record Entries permission can access the instances of this custom record type. The Custom Record Entries permission is assigned to users via roles or as a global permission and supports four access levels (view, create, edit, full).
   2. Use Permission List: only users with a role specified on the Permissions subtab of the custom record type may access instances of this custom record type. 
   3. No Permission Required: access to instances of this custom record type are public. All users have full access.
3. Role Restrictions: restrictions specified on a given role based on record values for department, class, location, employee, and subsidiary can also be applied to custom records. When creating a custom record type field that is of type List / Record for class, department, location, employee, or subsidiary, check the ‘Apply Role Restrictions’ box to enable this setting.

Field Level Security in NetSuite

Fields added to Custom Record Types support additional security settings to further define how they can be accessed via the record, search results, or reports. Access can be controlled via role, department, or subsidiary. The following access levels are available:

1. None: field is not visible and cannot be changed
2. View: field is visible but cannot be changed
3. Edit: field is visible and can be changed
4. Run: field is visible in search and reports but cannot be changed (only applies to searches and reports)

If there is a case where multiple access levels are granted to a user via their role, department, or subsidiary, the highest access level will take precedence.

You can also specify the default access and search / reporting level for a custom field. These levels will apply to roles, departments, and subsidiaries not explicitly defined on the access subtab.

Additional Settings

1. Allow UI Access (enabled by default): if disabled, the instances of this custom record type can only be accessed programmatically via SuiteScript.
2. Allow Mobile Access (disabled by default): if enabled, instances of this custom record type are accessible on mobile devices via the NetSuite iPhone app.

Check out the NetSuite Security Matrix from Fastpath, here.