NetSuite empowers businesses to establish the right controls to meet risk objectives, then monitor and report on the effectiveness of those controls.
In this article, we’ll go over best practices around role management, audit trails, and establishing robust authentication and password policies.
Managing NetSuite Roles
NetSuite’s role-based architecture is the foundation of the data controls available in the system. Roles determine which record types users can access and what they are able to do within those records.
Permissions and restrictions are assigned to users so they can only access the data and features required for their jobs.
When managing NetSuite roles, there are five areas that you should focus on.
1. Reviewing Standard Roles
Standard roles have been preconfigured based on the common job functions for various organizational roles. Take some time to review what permissions these roles have and how they align with the organizational roles within your business.
2. Defining a Naming Convention
Most companies use a prefix, like the company name or initials, before all custom roles to help identify them within the role list and avoid confusion when roles are assigned to new users.
3. Customizing Roles
Even though standard roles may not perfectly align with the specific requirements for your business, they are an excellent starting point for creating custom roles. It’s far more efficient to start with a standard role and make the modifications needed than it is to build a custom role from scratch.
4. Administrator Role
The administrator role has the power to add or revoke access to other administrators, and even delete all account data, so this role should be granted sparingly. Limit the administrator role to only those users who truly need it and create custom roles with more restricted access for others.
5. Monitoring Changes
Use saved searches to monitor the last login date, roles assigned to users, changes to permission levels within roles and more. Make reviewing these searches a periodic, recurring process so that you are managing access proactively instead of reactively. This can help free up unused licenses by revoking access to users who no longer need it.
Audit Trails
Audit trails are a critical risk-mitigation tool: they let finance leaders and auditors quickly and easily investigate activity that could affect security, controls or financial statements.
NetSuite provides several saved searches that allow you to monitor user access, role changes and system changes in your NetSuite environment. Make sure to familiarize yourself with these best practices for saved searches.
Viewing Audit Trail by Role
System notes provide you with a log of any changes to an object or record in date order as well as which user made that change. To view the activities performed by a certain role or roles, you can create a saved search based on system notes that will show all activities that users with that role performed within a defined period.
This is a great way to perform broad audits of user activity within a defined period, as well as targeted ones, for example when auditors ask you to provide everything administrators have done in the system.
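As an added illustration (not NetSuite's own code or the article's), the following JavaScript applies the same scoping a role-based system-notes saved search performs: filter a set of system-note rows to one role and one date window, order them by date, and summarise what record types that role touched. The rows are constructed here; in an account they would come from a saved search on system notes, and the property names used for the columns are an assumption, not NetSuite field identifiers.

```javascript
// Constructed sample of system-note rows (assumed column names, not NetSuite's
// internal field ids). Each row: who changed what, under which role, and when.
const systemNotes = [
  { date: "2024-03-01T09:15:00Z", user: "a.smith", role: "Administrator", recordType: "Employee",    recordId: 117,  field: "Give Access",                 oldValue: "F",        newValue: "T" },
  { date: "2024-03-02T14:02:00Z", user: "a.smith", role: "Administrator", recordType: "Role",        recordId: 1012, field: "Permission: Vendor Payments", oldValue: "View",     newValue: "Full" },
  { date: "2024-03-03T08:40:00Z", user: "j.doe",   role: "ACME AP Clerk", recordType: "Vendor Bill", recordId: 5531, field: "Amount",                      oldValue: "1200.00",  newValue: "12000.00" },
  { date: "2024-02-10T11:00:00Z", user: "a.smith", role: "Administrator", recordType: "Customer",    recordId: 42,   field: "Email",                       oldValue: "x@example.com", newValue: "y@example.com" },
  { date: "2024-03-05T16:30:00Z", user: "m.lee",   role: "Administrator", recordType: "Employee",    recordId: 118,  field: "Role",                        oldValue: "",         newValue: "Administrator" },
];

// Everything performed under `role` between `from` and `to` (inclusive),
// in date order, which is what the auditor's request usually looks like.
function notesByRole(notes, role, from, to) {
  const start = Date.parse(from);
  const end = Date.parse(to);
  return notes
    .filter(n => n.role === role)
    .filter(n => { const t = Date.parse(n.date); return t >= start && t <= end; })
    .sort((a, b) => Date.parse(a.date) - Date.parse(b.date));
}

// Count of changes per record type, a quick view of where a role was active.
function summarizeByRecordType(notes) {
  const counts = {};
  for (const n of notes) counts[n.recordType] = (counts[n.recordType] || 0) + 1;
  return counts;
}

// Changes that alter access itself (role definitions and employee access
// fields) deserve a closer look than ordinary transaction edits.
function accessRelatedChanges(notes) {
  const accessFields = new Set(["Give Access", "Role"]);
  return notes.filter(n =>
    n.recordType === "Role" || (n.recordType === "Employee" && accessFields.has(n.field)));
}

// Usage: what did administrators do in March 2024?
const adminMarch = notesByRole(systemNotes, "Administrator", "2024-03-01", "2024-03-31");
console.log(summarizeByRecordType(adminMarch));
console.log(accessRelatedChanges(adminMarch).map(n => `${n.date} ${n.user} ${n.recordType}#${n.recordId} ${n.field}: ${n.oldValue} -> ${n.newValue}`));
```

The filter runs over whatever the search exports, so the same three functions can be pointed at a CSV export of the saved search results when a full-period review is needed.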
Monitoring Access Management
NetSuite’s login audit trail automatically tracks user login activity so that you can create a saved search based on criteria including date, time, email address, user, role, IP address and login status (‘success’ or ‘fail’) for each login session. A login audit trail saved search can be used to identify users who have not logged in recently so that their access can be removed, as well as roles that are inactive and should be removed.
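The checks that paragraph describes, as an added JavaScript example (not code from NetSuite or the article): given login audit rows with the columns it lists, find users whose last successful login is older than a threshold, roles that have seen no successful login in a period, and, as a related defensive check, accounts with repeated failed logins. The rows and role list are constructed; the property names are an assumption standing in for the saved search columns.

```javascript
// Constructed login audit rows (assumed property names mirroring the saved
// search columns: date, email, role, IP address, login status).
const loginAudit = [
  { date: "2024-03-10T08:01:00Z", email: "a.smith@example.com",  role: "Administrator",  ip: "203.0.113.5",   status: "success" },
  { date: "2024-03-10T08:03:00Z", email: "j.doe@example.com",    role: "ACME AP Clerk",  ip: "203.0.113.9",   status: "fail" },
  { date: "2024-03-10T08:04:00Z", email: "j.doe@example.com",    role: "ACME AP Clerk",  ip: "203.0.113.9",   status: "success" },
  { date: "2023-11-20T17:45:00Z", email: "old.user@example.com", role: "ACME Sales Rep", ip: "198.51.100.2",  status: "success" },
  { date: "2024-03-11T02:10:00Z", email: "b.jones@example.com",  role: "ACME Warehouse", ip: "198.51.100.77", status: "fail" },
  { date: "2024-03-11T02:11:00Z", email: "b.jones@example.com",  role: "ACME Warehouse", ip: "198.51.100.77", status: "fail" },
  { date: "2024-03-11T02:12:00Z", email: "b.jones@example.com",  role: "ACME Warehouse", ip: "198.51.100.77", status: "fail" },
];

// Constructed list of the roles defined in the account (from a role search).
const allRoles = ["Administrator", "ACME AP Clerk", "ACME Sales Rep", "ACME Warehouse", "ACME Read Only"];

const DAY_MS = 24 * 60 * 60 * 1000;

// Map of email -> timestamp of the most recent successful login.
function lastSuccessfulLogin(rows) {
  const last = new Map();
  for (const r of rows) {
    if (r.status !== "success") continue;
    const t = Date.parse(r.date);
    if (!last.has(r.email) || t > last.get(r.email)) last.set(r.email, t);
  }
  return last;
}

// Users whose last successful login is more than maxIdleDays before asOf:
// candidates for access removal (and freed licences).
function staleUsers(rows, asOf, maxIdleDays) {
  const cutoff = Date.parse(asOf) - maxIdleDays * DAY_MS;
  return [...lastSuccessfulLogin(rows)]
    .filter(([, t]) => t < cutoff)
    .map(([email]) => email)
    .sort();
}

// Roles with no successful login since `since`: candidates for retirement.
function unusedRoles(rows, roles, since) {
  const start = Date.parse(since);
  const seen = new Set(
    rows.filter(r => r.status === "success" && Date.parse(r.date) >= start).map(r => r.role));
  return roles.filter(r => !seen.has(r)).sort();
}

// Accounts with at least `threshold` failed logins in the rows: worth a look.
function repeatedFailures(rows, threshold) {
  const counts = {};
  for (const r of rows) if (r.status === "fail") counts[r.email] = (counts[r.email] || 0) + 1;
  return Object.keys(counts).filter(e => counts[e] >= threshold).sort();
}

// Usage: quarterly access review as of 12 March 2024.
console.log("stale users:", staleUsers(loginAudit, "2024-03-12", 90));
console.log("unused roles:", unusedRoles(loginAudit, allRoles, "2024-01-01"));
console.log("repeated failures:", repeatedFailures(loginAudit, 3));
```

One caveat a reviewer should keep in mind: a user who has never logged in produces no audit row at all, so `staleUsers` can only flag people who appear in the trail. Cross-reference the result with the employee or user list (the "last login date" saved search mentioned earlier) to catch accounts that were granted access but never used it.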
Tracking Role Changes
To see the changes that have been made to user roles, such as permission changes, you can create a role saved search with criteria including “permission change,” “permission change date” and “permission change level.” Though this search works well as part of a periodic access control audit, it can be especially useful for troubleshooting issues relating to permission changes since you can pinpoint all adjustments that were made at a specific date and time.
Establishing Robust Authentication and Password Policies
NetSuite enforces a baseline set of password requirements that administrators cannot change, and on top of that it offers granular password configuration options to protect your assets. Follow these best practices.
Securing Access With a Multi-Factor Authentication Layer
Multi-factor authentication (MFA) adds another layer of security to user access to your NetSuite account. In addition to a username and password, a role can be configured so that users must also provide a verification code, obtained either from an authenticator app or from a message sent to a mobile phone.
Using MFA requires little maintenance from administrators, and there is no additional licensing cost. Certain highly privileged roles require MFA in NetSuite by default; for all other users MFA is configurable and is a security improvement worth exploring.
Setting the Password Policy
Built-in password policies support three levels of password validation for NetSuite users — strong, medium and weak. All NetSuite accounts are set to a “strong” policy by default, requiring a minimum length of ten characters and at least three of these four character types — capital letters, lowercase letters, numbers and non-alphanumeric American Standard Code for Information Interchange (ASCII) characters.
Though it is possible to reset the password policy to “medium” or “weak,” a less strict policy weakens the security of the account and is not recommended.
Enforcing Password Expiration
The Password Expiration in Days setting is the number of days a password remains valid before the user is prompted to change it. To prompt a specific employee to change their password, check the “Require Password Change on Next Login” box on their employee record; they will have to create a new password the next time they log in.
To require a password change from many users at once, you can use a CSV import to update this option on many employee records in one operation.
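To make the "strong" policy and the expiration rule concrete, here is an added JavaScript example (written for this article, not NetSuite's validator) that encodes the strong policy exactly as described above (at least ten characters, at least three of the four character classes, with the non-alphanumeric class limited to printable ASCII punctuation) and decides whether an employee must set a new password, either because the per-record "Require Password Change on Next Login" flag is set or because the password is older than the expiration period. Whether a space counts toward the non-alphanumeric class is not stated in the article, so this code does not count it; that, and the employee property names, are assumptions.

```javascript
// Four character classes. The fourth is non-alphanumeric printable ASCII
// (0x21-0x7E minus letters and digits); space is deliberately not counted,
// which is an assumption, not a documented NetSuite rule.
const CHARACTER_CLASSES = [
  /[A-Z]/,                                   // capital letters
  /[a-z]/,                                   // lowercase letters
  /[0-9]/,                                   // numbers
  /[\x21-\x2F\x3A-\x40\x5B-\x60\x7B-\x7E]/,  // ASCII punctuation / symbols
];

// Strong policy as the article describes it: length >= 10 and >= 3 classes.
function meetsStrongPolicy(password) {
  if (typeof password !== "string" || password.length < 10) return false;
  const classesPresent = CHARACTER_CLASSES.filter(re => re.test(password)).length;
  return classesPresent >= 3;
}

// Explain a rejection so a help-desk script can tell the user what is missing.
function strongPolicyFindings(password) {
  const findings = [];
  if (typeof password !== "string" || password.length < 10) findings.push("shorter than 10 characters");
  const present = CHARACTER_CLASSES.filter(re => re.test(password || "")).length;
  if (present < 3) findings.push(`only ${present} of 4 character classes (need 3)`);
  return findings;
}

const DAY_MS = 24 * 60 * 60 * 1000;

// Employee shape is assumed: { passwordLastChanged: ISO date,
//                              requirePasswordChangeOnNextLogin: boolean }.
// expirationDays mirrors the Password Expiration in Days setting.
function passwordChangeRequired(employee, asOf, expirationDays) {
  if (employee.requirePasswordChangeOnNextLogin) return true;
  const ageDays = (Date.parse(asOf) - Date.parse(employee.passwordLastChanged)) / DAY_MS;
  return ageDays >= expirationDays;
}

// Usage with constructed values.
console.log(meetsStrongPolicy("Troubadour1"), strongPolicyFindings("troubadour"));
console.log(passwordChangeRequired(
  { passwordLastChanged: "2023-12-01", requirePasswordChangeOnNextLogin: false }, "2024-03-12", 90));
```

The character-class check only ever counts toward the minimum; a character outside printable ASCII (an accented letter, for instance) is allowed but contributes nothing, which matches the policy's wording that only ASCII non-alphanumerics count as the fourth class.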
Monitoring Password Audit Trails
Password change requests are logged on the “System Notes” subtab of the entity record, regardless of who or what initiated the request. Administrators can review these entries to see who or what initiated each password change and when it took place.
Conclusion
Properly managing user access in NetSuite is integral to mitigating risk and establishing effective security protocols within the system. By utilizing data controls in NetSuite roles and saved searches for audit trails, and enforcing secure password policies, you can better supervise your users and protect your business.
Need Help?
If you’d like to improve your user management in NetSuite, or want assistance to further optimize your NetSuite investment, contact us online or give us a call at 410.685.5512.