Step-by-Step: Diving in to Oracle NetSuite Security Roles

 “Quality means doing it right when no one is looking.”

Henry Ford

The best way to introduce in-house data security is by reviewing how data should be managed in the system. NetSuite roles are foremost on defining the kind of business data users come to have access to in the system, pretty simple, isn’t it?

Proper roles will ensure the appropriate information flow within the corporate body. In other words, they determine what you can see and how you see it. The real question is how do we make sure we have provided the right access to the right people?

• Time to read: 10 min
• Drink Pairing: Affogato
• You are a: NetSuite administrator 
• Standing ovation to Anderson Frank for his collaboration on this read

In this post we will discuss:

• The relationship between roles and data security
• How to identify if a role is not properly configured
• Guidelines on designing NetSuite roles

What are NetSuite Roles? NetSuite roles represent different user’s persona in the system. Therefore, one user may have various roles assigned to him/her, depending on the type of tasks he/she carries out in an organization. They define the access configuration in the system. That is to say, what a user will be able to see and do in the ERP.

In terms of employee responsibilities, the company structure will be strongly related to how you model your roles. Also, it is worth mentioning that every user must have a role associated with their personal information in order to get authorized access to the system. NetSuite manages two types of roles:

• Standard roles are provided by default. They are meant to give the basic guidelines for some of the most common business roles such as Controller, A/R Clerk, A/P Clerk, etc.

Pro Tip: Standard roles cannot be modified or changed in any way.

• Custom roles can be created either from a standard, as a starting point, or completely from scratch. They allow you to personalize users’ personas to truly suit your organization’s needs.

Pro Tip: Try to take advantage of the standard roles, by modifying and saving them as custom roles.

Why are NetSuite custom roles so important?

Today’s companies are heavily supported by cloud-based components to improve their operations. To ensure secure data management, it’s imperative that you can rely on your system roles. Data breaches start by not keeping information safe and clean.

In house security starts by restricting access to sensitive information from users that are unrelated to the task and should not interact with such sensitive data. This prevents internal information leaks, protecting data from inside the system. NetSuite already comes with industry cloud security standards such as local IP address access, two-factor authentication among others. 

As previously mentioned, roles are used to control the information a user has in the system. Roles should drive daily operations by making daily tasks easier and more comprehensive for the users. They must represent the duties and responsibilities that specific types of users have within the organization. 

Real-life Scenario: Business controllers should have easy access to financial reporting, but they should not have access to Human Resources records since they are designed for completely different users and purposes.

How do I know if my roles are configured correctly?

One way to comfortably know if the configuration is well-suited is to try to simulate the expected functionality, and assess it if it matches its requisites. It is worth mentioning that a good part of the role’s effectiveness will come with the Dashboard configuration. This will tailor part of the user interface for a better user experience. 

To do a quick role review, we can start by asking these questions:

• Are the dashboards displaying relevant information for the roles?
• Is the menu path accurate with the responsibilities of the roles?
• Can the role execute more tasks in the system than needed?

If your answers to the questions above are different than these (1-Yes, 2-Yes, and 3-No) you may have difficulties with your roles. No worries, keep reading to understand how to set up your NetSuite roles properly.

Before jumping into action, keep in mind two things:

• What are the basic parameters we need to follow for the specific user role?
• What are the steps we must follow when creating the role?

Let’s review first how permissions are defined in the system, the importance of centers and dashboards, and of course, how to set them up. 

Understand NetSuite Permission Usage

Whether you want to redesign or create a new role, it is important to fully understand how permission access works. First, you will find the features that can be applied to roles. Each feature selected will depend on the tasks that the role needs to perform on the platform. 

The permission sub-tab is divided into five categories:

• Transactions – Define what level of permissions are assigned to the specific transactions that have been selected (Sales Orders, Purchase Orders, etc.).
• Reports – Select the specific reports to be available for the role. This option is mostly to define the core role reports. Custom reports can grant access to roles directly from the report sharing.
• Lists – Select the record types in the system such as Customers, Vendors, Employees, etc. These will be needed to access related reports and operations (a vendor bill cannot be recorded without a vendor). 
• Setup – This section enables special permissions like Mobile Device Access, Accounting Lists, etc. This tab is not heavily used unless your business requires very specific permissions.
• Custom Records – This tab controls custom solutions. On some occasions, those solutions come in the form of bundles like Fixed Assets.

There are four levels of permission on the platform. Every role uses those levels in order to specify what a user can do with respect to a specific action. These are assigned to transactions. 

The four levels are:

• View means that a user can see the file or record.
• Create means that a user can create and see a file or record.
• Edit means that the user can create, view and edit a file or record.
• Full means that the user can create, view, edit and delete a file or record.

NetSuite Data Centers 

Each role is tied to a Center, which gives a predefined path to the data in the form of tabbed pages, they provide an already tailored structure for specific functional areas. For example, the Sales Center will be suited for sales objectives, accommodating the main tasks a salesperson would have such as order capture and forecasting.  

You can also create your own center and tabs in order to better fit your specific requirements.

Pro Tip: Use the Classical Center to get access to all tabbed pages.  

Restrictions 

Here you can define specific restrictions based on values on the employee, departments, classes, location and subsidiary records. Restrictions are helpful to manage specific constraints that the user (role) should have. This can come in handy when trying to differentiate data access to different groups in similar roles. 

Forms

Forms are really important as they are the source to retrieve information, namely customers, procurement issues, sales, etc. The forms selected will be available for the role you are working with, and you can set them as “preferred” so that they can become your default ones.

Forms are classified in: 

• Transaction – such as sales orders, purchase orders, issue returns, etc.
• Item – according to the company, items may refer to inventory, expenses, etc.
• Custom records – records tailored for special needs.
• BOM – bill of materials according to company needs.
• Time – ideal for tracking the time spent by the employee on a specific task.
• Entity – such as employee, vendor, customer, project, etc.
• CRM – access to CRM features such as campaigns, cases, tasks, phone calls, etc.
• Other records – Unclassified forms.

Preferences

Here you can select traits specific to your role and personalize things like setting credit limit warnings, the screen fonts, phone number format, to name a few. We encourage you to review all the available options, you won’t be disappointed.😉

Now that you understand how permissions and restrictions work in NetSuite, let’s work on configuring the roles.

Phase 1- Planning and building your action-checklist

1.1 Start the role planning 

Defining the start point of the roles’ structure is an essential step. We recommend starting by defining the main goal of this exercise, and how it needs to be executed.  

For example:

• Define the roles that need to be created/updated
• Apply the segregation of duties and task ownership to the roles
• Define the finishing touches, such as what is the relevant information the role needs to operate (this is not needed for security reasons but to ensure a smooth operational flow)

1.2 List the needed roles

Define segments that encapsulate the responsibilities and capabilities of employees that are required for the company’s processes. This should also consider, for example, having specific roles for vendors and third parties that may need to work with the system as well.

As a tip, start with a map of the company’s structure and the business process workflows that are followed. Using the map, try to organize the best configuration of roles for the company given the responsibilities the employees currently have. 

1.3 Segregate Duties and Task Ownership

Segregation of duties and task ownership is a brilliant concept that financial users commonly apply to their work lives. The principle is simple: have a clear definition of what someone’s role responsibilities are and the tasks attached to them.

NetSuite does not have to be any different. The use and design of NetSuite roles should be based on the segregation of duties and task ownership on a regular basis. Although designing roles takes time, due to the tasks involved, testing and adjustments, having an optimized system with roles designed to perform specific daily tasks will greatly benefit your organization. 

Segregation of duties and task ownership is important for:

• Internal control, preventing fraud.
• Clarity and ownership of internal processes for traceability.
• Productivity will be improved. 

The end result will decrease the risk of errors, role inefficiencies, and even fraud. The principle is simple, data security and privacy need to be handled correctly starting with who can see the information, who can manipulate it and why.

To illustrate, we can start with a current state analysis, let’s take the A/P manager as an example: 

What does the A/P manager do? 

1. 1. Prepare Financial Documents (Reporting) 
   2. Prepare Budgets
   3. Examination and Analysis of Data
   4. Negotiate with Vendors and Service Providers

Pro Tip: The trick is really defining the tasks that the user should perform in the system. These changes are based on industry and company internal processes.  

1.3 Proceed with the revisions

Before jumping into the 2nd phase, take the time to review the previous steps and analyze the logic applied to ensure that nothing has been missed, needs to be changed or needs to be eliminated. Repeat this step as many times as necessary.

Phase 2 – Implementation

Once you feel confident with how the role was defined, and how this fulfills the criteria established it’s time to build the role in the system. Let’s take it step by step.

Configure

Go to Setup > User/Roles > Manage roles

Start filling out the role form based on the logic previously built and its special requirements. Once we have configured the role, it’s time to test every access control to guarantee everything is working as expected.

Test 

This is a very important step in the process of configuring roles for the company. Here you will need to go through every activity the role is meant to do, trying to replicate the whole experience of the user. 

The name of the game is called “detail”. Try out every single scenario that the role may face ensuring that the capabilities of the role are well-adjusted to the criteria defined. Just to name a few considerations, always review that:

• No permission is missing 
• Roles have access to the right forms and lists
• Restrictions are correctly assigned
• No additional access is given or lacking

The goal is to ensure that users can complete their assigned tasks, but can not alter anything outside of their realm of responsibilities.  

Pro Tip: If your NetSuite account is live already, do not do any testing in the production account. The leading practice is to always develop and test in the Sandbox account first. 

Adjust 

Do not be afraid to make needed adjustments. Modifications may be needed in some cases when a system role is over or underpowered. For example, nobody should be able to write a check, self-approve it, and send it to anyone or anywhere without any control.

In short, if someone questions a change of that sort, kindly remind them that the role definitions are created for general business safety, and high industry standards that we all seek, not due to distrust. 

Repeat, test, and adjust

The more you run different scenarios, the more little details you will find, and the better your role will comply with the requirements. Don’t worry if it takes a few times to get there, success comes by trial.

NetSuite cloud infrastructure has been designed under security certifications and protocols. However, users must ensure data access control to keep the integrity of information and prevent possible issues.

Now that you have a better understanding of what roles are, the various role functionality elements, and the related data security implications; you can now go ahead and create a new role and administer role management with confidence.