🔐 Security Checklist

Security Roles & Permissions Checklist

A comprehensive checklist for configuring NetSuite security. Covers role-based access control, separation of duties (SoD), least privilege principle, and audit compliance—the #1 audit finding area in NetSuite implementations.

Checklist Items

Phases

636

NS Permissions

🚨 Principle of Least Privilege

Grant users access to only what they need, nothing more. Never copy the Administrator role or rely on standard NetSuite roles without review. Standard roles often include full permission to sensitive data.

NetSuite Role Hierarchy

flowchart TB subgraph Admin["Administrator Tier"] A[Administrator] B[Full Access] end subgraph Manager["Manager Tier"] C[Controller] D[Sales Manager] E[Operations Manager] end subgraph Staff["Staff Tier"] F[A/P Clerk] G[A/R Clerk] H[Sales Rep] I[Warehouse Staff] end subgraph Restricted["Restricted Tier"] J[Employee Self-Service] K[Customer Center] L[Vendor Center] end Admin --> Manager --> Staff --> Restricted style Admin fill:#fee2e2,stroke:#ef4444 style Manager fill:#fef3c7,stroke:#f59e0b style Staff fill:#dcfce7,stroke:#22c55e style Restricted fill:#dbeafe,stroke:#3b82f6

Phase 1 of 6

Role Planning

Define your role strategy before creating any custom roles. Map job functions to permissions.

💡 Never Modify Standard Roles

You can't modify standard NetSuite roles. Always create a custom copy of any standard role before assigning it, so you can customize it for your organization's specific needs.

🎯 Role Planning

Document all job functions requiring NetSuite access — List every job title/function: AP Clerk, AR Clerk, Sales Rep, Warehouse Worker, Controller, CFO, Admin, etc.
Map job functions to required record access — For each role, document: What records they need to View, Create, Edit, Delete. What reports they need.
Identify Administrator requirements — Limit Admin role to 2-3 people MAX. Admins can grant access to anyone and delete your entire account.
Review standard NetSuite roles for starting points — Setup → Users/Roles → Manage Roles. Review A/P Clerk, A/R Clerk, Sales Rep, etc. as templates.
Define role naming convention — E.g., "[Company] - [Function] - [Level]" → "ACME - AP - Clerk", "ACME - AP - Manager"
Document subsidiary restrictions (OneWorld) — Determine which roles need access to which subsidiaries. Most roles should be restricted to specific subs.
Identify external user requirements — Customer Center, Vendor Center, Partner Center roles. These use different license types.

Phase 2 of 6

Role Configuration

Create and configure custom roles following the least privilege principle.

Common Role Templates

A/P Clerk

Transactional

Enters vendor bills, processes payments. Cannot approve own entries.

Vendor Bills Payments Vendors Approve Bills

A/R Clerk

Transactional

Creates invoices, applies payments. Cannot issue credit memos alone.

Invoices Customer Payments Customers Credit Memos

Controller

Manager

Full financial visibility, approval authority. Cannot modify roles or create users.

All Financial Records Journal Entries Approve Transactions Manage Roles

⚙️ Role Configuration

Create custom roles by copying standard roles — Setup → Users/Roles → Manage Roles → New. Start from closest standard role, then customize.
Set permission levels appropriately — Full > Edit > Create > View > None. Use "View Own" / "Edit Own" for personal records only.
Configure subsidiary restrictions (OneWorld) — On role record, set Subsidiary Restrictions. Default to most restrictive, then expand as needed.
Set up role centers/dashboards — Customize home dashboard for each role. Show only relevant KPIs, reminders, and shortcuts.
Configure form restrictions — Limit which custom forms each role can use. Prevents accidental use of wrong transaction forms.
Remove unnecessary menu items — Use "Hide Menu" permission to simplify UI. Less clutter = fewer user errors.
Test each role in a sandbox — Log in as test user with each role. Verify they can do their job and ONLY their job.
Document role configurations — Export role permissions to spreadsheet. Auditors want proof, not promises.

Phase 3 of 6

Separation of Duties (SoD)

Implement controls to prevent fraud and errors. The #1 audit finding area.

🚨 NetSuite Does NOT Enforce SoD by Default

It's on the NetSuite administrator to separate conflicting duties. Fraud typically occurs when three conditions are present: motive, rationalization, and opportunity. SoD removes the opportunity.

Critical SoD Conflicts to Prevent

Function A	Function B	Risk	Control
Create Vendor	Pay Vendor Bills	HIGH	Could create fake vendor and pay themselves
Create Customer	Issue Credit Memos	HIGH	Could create fake customer and issue fraudulent credits
Create Journal Entries	Approve Journal Entries	HIGH	Could manipulate financials without oversight
Enter Vendor Bills	Approve Vendor Bills	HIGH	Could enter and approve fictitious bills
Manage Inventory	Record Inventory Adjustments	MEDIUM	Could conceal inventory theft
Create Sales Orders	Fulfill Sales Orders	MEDIUM	Could ship to unauthorized addresses

⚖️ Separation of Duties

Separate vendor master from vendor payments — Users who create vendors should NOT be able to both enter and pay bills.
Separate customer master from credit memos — Users who create customers should NOT be able to issue credit memos or refunds.
Separate JE creation from JE approval — Implement approval workflow for journal entries. No user should approve their own entries.
Separate bill entry from bill approval — AP clerks enter bills; managers or Controller approve. Use approval workflow.
Separate PO creation from receiving — Purchasers create POs; warehouse staff receive. Prevents phantom receipt fraud.
Separate bank reconciliation from cash handling — AR staff who apply payments should NOT reconcile bank accounts.
Implement approval workflows for high-value transactions — POs > $X, expenses > $Y, discounts > Z% require manager approval.
Create saved search to detect SoD violations — Search for users with conflicting permissions. Review monthly and log exceptions with business approval.
Document SoD exceptions with business justification — Small companies may need exceptions. Document the risk, mitigation, and approval.

Phase 4 of 6

User Assignment

Assign users to roles and configure authentication settings.

⚠️ Multiple Roles Per User

Users can have multiple roles but should use the most restrictive role for daily work. "Role switching" should be the exception, not the rule. Audit logs show which role was active for each action.

👤 User Assignment

Create user records with proper employee links — Setup → Users/Roles → Manage Users. Link to Employee record for HR data and expense reports.
Assign appropriate role(s) to each user — Assign primary role (for daily work) and any secondary roles needed. Verify SoD compliance.
Configure Two-Factor Authentication (2FA/MFA) — Setup → Company → Two-Factor Authentication. Mandatory for Administrator and financial roles.
Set password policies — Setup → Company → Login Restrictions. Minimum length, complexity, expiration, lockout after failed attempts.
Configure IP address restrictions (if applicable) — Restrict admin/sensitive roles to corporate IP ranges. Setup → Company → Login Restrictions.
Test user login and role access — Have each user log in and confirm they can access required functions. Document any issues.

Phase 5 of 6

Audit & Compliance

Set up audit logging, reporting, and compliance documentation.

🎯 Auditors Want Proof, Not Promises

Use System Notes, login records, and role permissions exports to show who had access and why. Be prepared to explain any SoD exceptions with documented business justification and compensating controls.

📋 Audit & Compliance

Enable audit trail for critical records — System Notes track all changes. Verify enabled for: Customers, Vendors, Items, Transactions, GL.
Create login audit saved search — Track who logged in, when, from what IP. Search on Login Audit record type.
Create role assignment audit search — List all users and their assigned roles. Use for quarterly access reviews.
Export role permissions matrix — Setup → Users/Roles → Manage Roles → [Role] → Permissions. Export to spreadsheet for auditor review.
Document SoD controls and exceptions — Create SoD matrix showing which roles have which conflicting permissions and why.
Set up failed login alerts — Create saved search to identify repeated failed login attempts. May indicate brute force attack.
Schedule quarterly access reviews — Calendar reminders to review: role assignments, SoD exceptions, terminated employee access removal.

Phase 6 of 6

Ongoing Maintenance

User lifecycle management and continuous security hygiene.

User Lifecycle Security

flowchart LR A[New Hire] --> B[Create User] B --> C[Assign Role] C --> D[Enable Access] D --> E[Quarterly Review] E --> F{Still Needed?} F -->|Yes| E F -->|Role Change| G[Modify Role] G --> E F -->|Terminate| H[Disable Access] H --> I[Remove Roles] I --> J[Inactivate User] style A fill:#dcfce7,stroke:#22c55e style H fill:#fee2e2,stroke:#ef4444 style J fill:#f3f4f6,stroke:#6b7280

🔄 Ongoing Maintenance

Establish new user provisioning process — HR notifies IT → IT creates user → Manager approves role → User trained → Access granted.
Establish termination deprovisioning process — HR notifies IT IMMEDIATELY. Enter termination date, remove roles, uncheck "Give Access", inactivate record.
Create role change request process — Manager requests → SoD check → Approval → Implementation → Documentation.
Schedule quarterly security audits — Q1: Review role assignments. Q2: Audit permissions vs job duties. Q3: Verify SoD. Q4: Update documentation.
Review roles after NetSuite upgrades — New features may require new permissions. New standard roles may be better starting points.

Sources & References

Oracle NetSuite — Standard Roles Permissions Table
Netwrix — NetSuite Roles & Permissions Guide
Salto — NetSuite Roles Practical Guide
Trajectory — NetSuite Security Roles Deep Dive
Cloud Doing Good — Roles and Permissions Guide