The first and most important step for your access controls in NetSuite is roles and permissions. NetSuite roles are sets of permissions that facilitate access to the system.
Roles can be defined in many different ways but a common method would be for them to reflect job descriptions or functional areas.
For example, all members of the Accounts Payable team probably need the same levels of access. It makes sense, therefore, to create an Accounts Payable role that they can all use to access NetSuite.
NetSuite global permissions are used when this blanket approach doesn’t work. Maybe one member of the Accounts Payable team needs access to edit Sales Invoices for a short period. You don’t need to create a whole new role for this need. Add a global permission to that user only.
Let’s take a look at how.
NetSuite Global Permissions
NetSuite global permissions is a feature that allows certain permissions to be assigned to users as well as roles.
When a user logs in, the permission set in use is a combination of the role in use plus any global permissions assigned to the employee. This allows for slight deviations from the role in use specific to the employee.
Enabling the NetSuite Global Permissions Feature
To start using Global Permissions you first need to activate the feature.
Navigate to Setup > Company > Enable Features. On the Employees tab, check the Global Permissions checkbox and click Save.
Once the feature is enabled you will see a new Global Permissions subtab on the Employee record.
Assigning Global Permissions to Users
Navigate to the relevant users employee record using the Administrator role. You can search for them using the global search bar or view list via Lists > Employees > Employees.
On the Access tab there will a subtab called Global Permissions. Here you can add global permissions to the permissions sublist.
Select the relevant permission and define the Level of access. Access levels are as follows –
- View – The user can view the page, record or transaction but nothing more.
- Create – The user can view and also create their own.
- Edit – The user can view, create their own and edit previously generated.
- Full – The user has full access to the page, record or transaction including the ability to delete if it is available.
Once global permissions have been added, Save the employee record.
Be aware, global permissions will not work on their own as a permission set. All users must also have a suitable role assigned. When there is a conflict between the permission set on a role and the global permission, the global permission always takes precedence, even when the global permission is a lower access level.
If a user is assigned an Administrator role then global permissions will have no effect. It is not possible to downgrade the access level of an Administrator.
Limitations and Considerations of NetSuite Global Permissions
Not all permissions are available as global permissions. They should be used as rare exceptions so there shouldn’t be a need to select the more obscure access rights.
You can access a list of all available permissions in NetSuite here. Use this list to carefully and suitably build out your roles so the NetSuite global permissions only need to be used for rare scenarios.
Many businesses will not like the use of the global permissions feature. For one thing, you may find internal audit teams find this feature voids the segregation of duties policy. If access roles have been designed with this in mind, the use of global permissions will completely nullify this effort.
If you do choose to use the NetSuite global permissions feature, ensure it is included in access audits. When users have roles removed it is far too easy to forget to also check the global permissions tab.