NetSuite - 50 Security Tips

Tips to increase your NetSuite security

During this year’s SuiteWorld I attended a session called “50 NetSuite Security Tips in 50 Minutes”. The presenter, Mark Polino, shared an extensive list of dos and don’ts when it comes to how to configure your NetSuite account and how to design your business processes in order to increase security.

Some of the tips were simple and straightforward but are always good to keep in mind as a NetSuite administrator: for example, set the password policy to strong, use two-factor authentication for your users, and minimize the number of administrators in your account.

I want to share some of the tips and areas that I thought were extra helpful.

Take a risk-based approach
If you want to improve the security of your NetSuite account, do so with a risk-based approach. This means that you identify and list all your potential risks and address the ones with the biggest impact first. Remember also that you do not need to do everything at once. Usually you can do small things now that still contribute to the larger goal.

How to work with user roles
When you develop a role, never use a standard or installed role. Instead, make your own copy of that role. This allows you to adjust the role’s permission settings to better match your business processes and requirements. Also, a copied role can never be overwritten by an update (e.g. a bundle update). If you use roles that are part of a packaged solution, there is always a risk that your own adjustments to that role are automatically reversed or changed when that solution gets updated.

Moreover, follow the principle of least privilege, which means that you should always set the permission access level (none, view, create, edit or full) to the lowest possible level for that role and record type or process. The Show role differences page makes it easy to compare different roles and their permissions.

Inactivate user roles that are not being used in your organization. That reduces the risk of accidentally assigning the wrong role to a new user.

Global permission
Did you know that you can use Global Permissions to increase the permission access level for an individual user without changing the user role, which would affect every user with that role? Even better, you can not only increase the access level for a specific record or process, you can also decrease it for an individual user. Global permissions allow more flexibility and, used correctly, can also help improve your NetSuite security. Keep in mind, however, that global permissions do not show up as exceptions on the Show role differences page. To get a full overview of your users’ permissions, you need to keep track of the global permissions separately, in addition to the user roles.
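One way to keep that separate overview is a small review script. The sketch below is an added example, not part of the session or of NetSuite itself: the role names, users, permission names and data layout are constructed, and it assumes a global permission replaces the role's level for that user.

```python
# Added example with constructed data; the structure and names are hypothetical.
LEVELS = ["none", "view", "create", "edit", "full"]  # access levels named in the post
RANK = {name: i for i, name in enumerate(LEVELS)}

# Constructed sample: permissions per custom role.
ROLE_PERMISSIONS = {
    "Custom AP Clerk": {"Bills": "edit", "Vendors": "view"},
    "Custom Sales Rep": {"Customers": "edit", "Sales Order": "create"},
}
# Constructed sample: roles assigned to each user.
USER_ROLES = {
    "alice": ["Custom AP Clerk"],
    "bob": ["Custom AP Clerk", "Custom Sales Rep"],
}
# Constructed sample: global permissions recorded per user.
GLOBAL_PERMISSIONS = {
    "alice": {"Vendors": "full"},
    "bob": {"Bills": "view", "Journal Entry": "edit"},
}


def effective_permissions(user):
    """Per role, the levels the user has once global permissions are applied."""
    overrides = GLOBAL_PERMISSIONS.get(user, {})
    result = {}
    for role in USER_ROLES.get(user, []):
        merged = dict(ROLE_PERMISSIONS[role])
        merged.update(overrides)  # assumption: global level replaces the role's level
        result[role] = merged
    return result


def global_exceptions():
    """Every place where a global permission changes what a role grants."""
    rows = []
    for user in sorted(GLOBAL_PERMISSIONS):
        for role in USER_ROLES.get(user, []):
            for perm, level in sorted(GLOBAL_PERMISSIONS[user].items()):
                base = ROLE_PERMISSIONS[role].get(perm, "none")
                if RANK[level] != RANK[base]:
                    change = "raised" if RANK[level] > RANK[base] else "lowered"
                    rows.append((user, role, perm, base, level, change))
    return rows


if __name__ == "__main__":
    for row in global_exceptions():
        print("%-6s %-17s %-14s %s -> %s (%s)" % row)
```

Rows marked "raised" are the ones to check against least privilege, since they grant more than a role comparison alone would show.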

Process to request new users or remove employees who no longer work for your organization
If you don’t already have them, develop internal processes for both requesting and terminating users in NetSuite. We sometimes see that employees who no longer work for an organization still have access to NetSuite for weeks, or sometimes even months, after their last working day. A good idea could be to make these processes an integrated part of your organization’s onboarding and offboarding of employees. Also make sure that, as part of a new user request, you ask the requestor which role(s) the new user needs. Never assign the Administrator role as an easy and quick fix.

For your existing employees, also review their access at least annually and check whether access can be removed or whether they have an incorrect role assignment. For example, an employee may have moved to another department internally but still have access to the business processes and records of the old department.

One final tip
If you want to add a permission to a customized role but don’t know what the permission is called, try this:

  1. Log in using a role that has that permission. Copy the full URL of that record or page.
  2. Change role to the one you want to customize and then paste the copied URL in your web browser.
  3. NetSuite should now show you a message with the permission to add.
    [Image: NetSuite Permission Violation]
  4. Customize the role and add the permission.
  5. You are good to go!

If you want to know more about how you can increase your security in NetSuite or need help with your NetSuite account, do not hesitate to reach out to us at SuiteCorner.

/Simon
