Tracking Changes in Scripts and Workflows to Improve NetSuite Security
NetSuite, named a Leader in Gartner’s Magic Quadrant for Cloud Core Financial Management Suites for Midsize, Large, and Global Enterprises in 2020, is one of the fastest-growing cloud ERP vendors for small to medium-sized businesses. One reason for its popularity is the flexibility it offers users through the use of scripts and workflows.
Using scripts and workflows in NetSuite, users can perform a wide range of sophisticated tasks, including field validations, approval processes, and process automation. However, because what these tools allow users to do can affect the integrity of the data and transactions in the system, scripts and workflows should be closely monitored for any changes that can compromise NetSuite security.
This post discusses how to leverage tools within NetSuite to audit script and workflow changes, including the following:
- Understanding the components that make up NetSuite scripts—source files, script records, and script deployment records—and the roles they play
- How to identify when changes were made in script source files
- How to identify changes in script records and script deployment records
- How to identify changes in workflows
- Maintaining security in NetSuite scripts and workflows in the future and how Fastpath can help
The Structure Of NetSuite Scripts
Before discussing how to track changes in scripts and workflows, it is important to understand the three components of scripts in NetSuite:
- The source file is the SuiteScript (JavaScript) file stored in the File Cabinet that contains the code itself.
- The script record defines when the source code should run and which lines of business logic to execute when it does.
- The script deployment record identifies when the script should run as well as the users who can initiate it. Scripts cannot run without a script deployment record.
The permissions required for running scripts are:
- Documents and Files: View
- Perform Search: Full
- SuiteScript: View
Identifying Changes In NetSuite Source Files
A saved search in NetSuite can be used to view all source files that have been changed, including the date the change was made and the user who made the change. However, this search will only identify the fact that changes were made; it will not identify which lines of code were changed. Users should rely on source control tools to track the specific changes made to the source code included in each release.
To create a search to view changes to the source code:
1. Create a new saved search for the 'Document' record type.
Figure 1 – Saved Search for Document record type
2. Add a filter on the File Type field (Figure 2).
Figure 2 – Enter File Type field
3. Add the following fields to the “Results” tab to display when the file was last changed and the user who made the change:
- Type (file type)
- System Notes: Date (when the change was made)
- System Notes: Set By (who made the change)
The search result will show the script name, when it was last changed, and the user who made the change.
Figure 3 – Saved Search results to display changes to source files
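The Document search above reports that a source file changed, but not which lines. The following added example (not code from the original post or from NetSuite) shows the complement the post recommends: comparing the copy exported from the File Cabinet with the copy committed to source control and producing a line-level diff for the reviewer. Both file bodies, the file name, and the function names are constructed for illustration; in practice the two versions would be read from a repository checkout and a File Cabinet export.

```python
"""Added example: show which lines of a NetSuite script source file
drifted from the version in source control. Sample contents below are
constructed; read them from disk in real use."""
import difflib
import hashlib

# Constructed sample: the script as committed to source control.
REPO_VERSION = """\
/**
 * @NApiVersion 2.x
 * @NScriptType UserEventScript
 */
define(['N/log'], function (log) {
    function beforeSubmit(context) {
        log.audit('beforeSubmit', context.type);
    }
    return { beforeSubmit: beforeSubmit };
});
"""

# Constructed sample: the same file as exported from the File Cabinet,
# edited directly in NetSuite without going through source control.
FILE_CABINET_VERSION = """\
/**
 * @NApiVersion 2.x
 * @NScriptType UserEventScript
 */
define(['N/log'], function (log) {
    function beforeSubmit(context) {
        log.debug('beforeSubmit', context.type);
        log.debug('record id', context.newRecord.id);
    }
    return { beforeSubmit: beforeSubmit };
});
"""


def sha256(text):
    """Hex SHA-256 of the file body: a cheap first check for drift."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def has_drifted(repo_text, cabinet_text):
    """True when the File Cabinet copy no longer matches source control."""
    return sha256(repo_text) != sha256(cabinet_text)


def drift_diff(name, repo_text, cabinet_text):
    """Unified diff lines (empty list when identical); the repository copy
    is the left side, the File Cabinet copy the right side."""
    return list(difflib.unified_diff(
        repo_text.splitlines(), cabinet_text.splitlines(),
        fromfile="repo/" + name, tofile="filecabinet/" + name, lineterm=""))


def count_changed_lines(diff_lines):
    """(added, removed) line counts. The first two diff lines are the
    ---/+++ file headers, so they are skipped rather than pattern-matched."""
    body = diff_lines[2:]
    added = sum(1 for line in body if line.startswith("+"))
    removed = sum(1 for line in body if line.startswith("-"))
    return added, removed


def review_file(name, repo_text, cabinet_text):
    """Summary a reviewer can act on for one File Cabinet file."""
    diff = drift_diff(name, repo_text, cabinet_text)
    added, removed = count_changed_lines(diff)
    return {"file": name, "drifted": bool(diff), "added": added,
            "removed": removed, "diff": diff}


if __name__ == "__main__":
    report = review_file("vendor_bill_ue.js", REPO_VERSION, FILE_CABINET_VERSION)
    print("%s drifted=%s (+%d/-%d)" % (report["file"], report["drifted"],
                                       report["added"], report["removed"]))
    print("\n".join(report["diff"]))
```

Run over every script file the Document search flags as changed, a non-empty diff means the File Cabinet was edited outside the release process; an empty diff means the change matches what was committed and can be closed out quickly.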
Identifying Changes In Script And Script Deployment Records
Script and script deployment records in NetSuite support system notes. System notes provide details of old and new field-level values, the date of the change, and who made the change.
To view changes to script and script deployment records:
1. Create a new saved search using the "Script" or "Script Deployment" record type.
Figure 4 – Creating a Saved Search for Script or Script Deployment
2. Create a filter for System Notes and set the "File Type" field to either "Script" or "Script Deployment".
Figure 5 - Setting Saved Search filter for "Script" or "Script Deployment" file types
3. Add the following fields for the "Results" tab to see details about the changes:
- System Notes: Context (where the change was made)
- System Notes: Date (when the change was made)
- System Notes: Field (the field that was changed)
- System Notes: New Value (the new value of the field as a result of the change)
- System Notes: Old Value (old value of the field before the change)
- System Notes: Set by (who made the change)
Information about the changes to the script or script deployment records in your NetSuite account will be displayed.
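The search returns every field-level change, so the reviewer still has to decide which ones matter. The following added example (not code from the original post or from Fastpath) triages a CSV export of the Script Deployment system-notes search using the Results columns listed above, plus a Record column naming the deployment. The export rows, the list of approved changers, the business-hours window, and the set of fields treated as sensitive are all constructed assumptions to adjust for your own account.

```python
"""Added example: triage a CSV export of the Script Deployment
system-notes saved search. Export rows and rule parameters are constructed."""
import csv
import io
from datetime import datetime

# Constructed sample export: column names mirror the search's Results
# columns, the values are invented.
EXPORT = """\
Record,Context,Date,Field,New Value,Old Value,Set By
customdeploy_vendor_approval,UI,2024-03-04 09:12,Status,Released,Testing,jsmith
customdeploy_vendor_approval,UI,2024-03-04 09:13,Audience: Roles,All Roles,Accounting Manager,jsmith
customdeploy_vendor_approval,Web Services,2024-03-06 23:41,Log Level,Error,Debug,integration_user
customdeploy_payment_export,UI,2024-03-07 14:05,Script File,payment_export_v2.js,payment_export.js,adev
customdeploy_payment_export,UI,2024-03-07 14:10,Log Level,Audit,Debug,adev
"""

# Assumption: fields whose change alters what runs, when, or for whom.
SENSITIVE_FIELDS = {"Status", "Audience: Roles", "Script File", "Execute as Role"}
# Assumption: the people allowed to modify deployments in this account.
APPROVED_CHANGERS = {"jsmith", "adev"}
# Assumption: the normal change window, 07:00-18:59 Monday to Friday.
BUSINESS_HOURS = range(7, 19)


def parse_export(text):
    """Rows of the CSV export as dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def triage(rows):
    """One finding per row that trips at least one rule; rows that trip
    nothing are dropped so the reviewer sees only what needs a look."""
    findings = []
    for row in rows:
        when = datetime.strptime(row["Date"], "%Y-%m-%d %H:%M")
        reasons = []
        if row["Field"] in SENSITIVE_FIELDS:
            reasons.append("sensitive field '%s' changed" % row["Field"])
        if row["Set By"] not in APPROVED_CHANGERS:
            reasons.append("changed by unapproved user '%s'" % row["Set By"])
        if row["Context"] != "UI":
            # Deployments are normally edited by hand; an integration or
            # script changing them is worth a second look.
            reasons.append("changed via %s rather than the UI" % row["Context"])
        if when.weekday() >= 5 or when.hour not in BUSINESS_HOURS:
            reasons.append("changed outside business hours")
        if reasons:
            findings.append({
                "record": row["Record"],
                "date": row["Date"],
                "user": row["Set By"],
                "change": "%s: %r -> %r" % (row["Field"], row["Old Value"], row["New Value"]),
                "severity": "high" if row["Field"] in SENSITIVE_FIELDS else "medium",
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in triage(parse_export(EXPORT)):
        print("[%s] %s %s by %s: %s" % (f["severity"].upper(), f["date"],
                                        f["record"], f["user"], f["change"]))
        for reason in f["reasons"]:
            print("    - " + reason)
```

Of the five sample rows, the routine log-level change made in the UI by an approved user during the day produces nothing, while the late-night change made through web services by an unlisted integration user collects three reasons at once; that combination, rather than any single rule, is what makes a row worth escalating.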
Identifying Changes In NetSuite Workflows
Workflows do not support system notes; therefore, saved searches only identify the last time the workflow was modified. Once identified, users can open the individual workflows and look for the changes that were made. To have visibility into workflows, users must have “Full” workflow permissions and “Full” permissions to perform searches.
To find the workflows that were changed:
1. Create a new saved search using the "Workflow" record type.
Figure 6 – Setting new Saved Search to find Workflow changes
2. Add the following fields for the "Results" tab to see details about the changes:
- Record Type (type of record workflow runs against)
- Release Status (current release status of the workflow)
- Date Modified (the last date/time the workflow was modified)
A list of all workflows will be displayed along with the most recent date they were modified.
Figure 7 – Results displaying changes to workflows
3. After identifying the workflows that have been changed, open these workflows to view the details of the changes by clicking the "Edit" button next to the workflow.
The workflow will open in the Workflow Editor.
4. Edit the workflow to see the workflow details.
Figure 8 – Display workflow details
The History tab at the bottom of the details page will show all changes made to the workflow.
Figure 9 – History tab showing workflow changes
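Because the Workflow search only yields Date Modified, the practical approach is to keep the export from the previous review as a baseline and diff it against the current export. The following added example (not code from the original post or from NetSuite) does that: it reports workflows modified since the baseline, workflows whose Release Status changed, and workflows that were added or removed, which together form the list to open in the Workflow Editor. Both exports and the workflow names are constructed.

```python
"""Added example: find which workflows changed since the last review by
diffing two exports of the Workflow saved search. Exports are constructed."""
import csv
import io
from datetime import datetime

# Constructed sample: the export saved at the previous review.
BASELINE = """\
Name,Record Type,Release Status,Date Modified
Vendor Bill Approval,Vendor Bill,Released,2024-01-15 10:02
Purchase Order Approval,Purchase Order,Released,2023-11-02 16:40
Expense Report Review,Expense Report,Testing,2024-02-01 09:30
Customer Credit Hold,Customer,Released,2023-09-20 12:00
"""

# Constructed sample: the export taken for the current review.
CURRENT = """\
Name,Record Type,Release Status,Date Modified
Vendor Bill Approval,Vendor Bill,Released,2024-03-03 18:55
Purchase Order Approval,Purchase Order,Released,2023-11-02 16:40
Expense Report Review,Expense Report,Released,2024-03-05 11:20
Journal Entry Approval,Journal,Released,2024-03-06 08:10
"""


def load(text):
    """Export rows keyed by workflow name."""
    return {row["Name"]: row for row in csv.DictReader(io.StringIO(text))}


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%d %H:%M")


def compare(baseline, current):
    """Classify every workflow in the two exports."""
    result = {"modified": [], "status_changed": [], "added": [], "removed": []}
    for name, row in current.items():
        old = baseline.get(name)
        if old is None:
            result["added"].append(name)
            continue
        if parse_ts(row["Date Modified"]) > parse_ts(old["Date Modified"]):
            result["modified"].append(name)
        if row["Release Status"] != old["Release Status"]:
            # Date Modified will normally move too, but a status change is
            # called out separately because it changes what actually runs.
            result["status_changed"].append(name)
    result["removed"] = sorted(set(baseline) - set(current))
    return result


def needs_review(result):
    """Workflows to open in the Workflow Editor and read the History tab."""
    return sorted(set(result["modified"]) | set(result["added"])
                  | set(result["status_changed"]))


if __name__ == "__main__":
    outcome = compare(load(BASELINE), load(CURRENT))
    for bucket, names in outcome.items():
        print("%-15s %s" % (bucket + ":", ", ".join(names) or "-"))
    print("open in editor:", ", ".join(needs_review(outcome)))
```

Date Modified is only a last-write timestamp: a workflow edited several times since the baseline appears once, and an edit that was later reverted still bumps the date, so the History tab remains the place to see what actually changed. Removed workflows are reported too, since a deleted approval workflow is as significant as a modified one.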
Don’t Forget About Managing User Access Risks
While keeping track of script and workflow changes is an excellent way to ensure NetSuite security, it is not the only way. Another area to monitor closely is user access. Access reviews look either at history (what the user has done) or at potential (what the user could do). We recommend putting processes in place for reviews in three categories:
Separation of Duties Review
Separation of Duties (SoD), or the practice of separating the access needed to perform a business process between multiple users to limit risk, is a vital component of successfully managing access. A segregation of duties review is proactive, identifying access in ERP and other business applications by user or role and reporting conflicts or risks associated with that access, along with the specific security settings responsible for those conflicts—for example, allowing the same person to create vendors and pay them.
User Access Review and Certification
With promotions, reorganizations, turnover, and temporary duties, user access to the ERP needs to be reviewed periodically. A user access review offers supervisors or business process owners an opportunity to review ERP access assigned to their direct reports or anyone involved in a business process they own to ensure users are only provided the access privileges required to perform their job functions. After completing an access review, the supervisor or business process owner can then certify the user.
Audit Trail Review
This review focuses on changes to specific data and is ideally suited to high-value, low-frequency changes such as module configurations, where the goal is to review every change or confirm nothing has changed. This review should track user activity for critical changes to data or configuration settings, when those changes were made, and by whom so they can be further evaluated for potential problems.
Keeping An Eye On Script And Workflow Changes To Maintain NetSuite Security: How Fastpath Can Help
Maintaining a watchful eye on changes made to scripts and workflows is an essential part of maintaining security in NetSuite. In addition to identifying when changes are being made, it is strongly recommended that NetSuite developers and administrators keep a source code repository to track all changes made to source files.
Securing your NetSuite environment can be a challenging and time-consuming effort—but there are tools that can help. The Fastpath platform helps identify, mitigate, and prevent unauthorized user activity:
- Identity
- Access Control
- Automated Certifications
- Change Tracking
Identify and mitigate user access risk across your business applications. ARM comes with built-in rulesets that can be used to identify and mitigate segregation of duties (SoD) and sensitive access (SA) risks across multiple applications.
Are you looking for tools like those discussed in this post to improve the security of your NetSuite application? Contact Fastpath to discuss how we can help.