NetSuite Roles and Permissions : Smart Systems, Data Security and Segregation of Duties

Keeping the company’s data safe is probably very close to the top of most businesses priorities. An integral part of that mission is controlling system access.

Access to your system is controlled through NetSuite roles and permissions. They decide who gets in and who doesn’t. NetSuite gives you the tools to define exactly who gets access to what in your system.

With NetSuite this is fully customizable. Businesses can create their own roles and tweak permissions to the most granular level to ensure users are served only what they need.

But where do you begin with defining bespoke roles within your business?

In this article I will break down the fine details of what roles actually do and how you use them to group permissions in a sensible and logical way. I’ll cover the important stuff to keep in mind when you’re creating your roles and setting their permissions. If you need to tighten your setup to make things run even smoother, I also have some practical tips for you on where to start.

What Are Roles In NetSuite

A role is a set of permissions used to access the system.

A user can have multiple roles if needed and each one will have it’s own unique level of access to the NetSuite. Permissions defined on the role, dictate what records, transactions or pages can be accessed by the user.

Every NetSuite environment contains a set of Standard roles that are created with default permissions. These roles cannot be customized but can be used as a template for your own bespoke roles. The standard roles are based on common business positions such as Accountant, Marketing Assistant and Sales Manager.

Bear in mind that since you cannot make changes to the permissions of standard roles it is not usually a good idea to assign these to your users. Save new copies of the standard roles and use them instead. That way you can make changes as and when the need arises.

There are also special roles for customers and vendors to allow these external users safe access to the system.

Roles are associated with a Center. A Center is a common view of the user interface. All finance roles, for example, belong to the Accounting Center. All users of Accounting Center roles have a shared view of the quick access bar.

If you want to add an option to the quick access bar, you can make that change live for all roles in the same center simultaneously. You are also able to publish dashboards to multiple roles within the same center.

You can view all the available roles in your environment by navigating to Setup > Users/Roles > Manage Roles.

Using Permissions In NetSuite

The key characteristic of a role is the set of permissions associated with it.

Permissions are used to control what level of access a user of a role has to pages, records and transactions in NetSuite.

Permissions are set with one of the following levels.

  • None – The permission is not defined and the user has no access at all.
  • View – The user can view the page, record or transaction but nothing more.
  • Create – The user can view and also create their own.
  • Edit – The user can view, create their own and edit previously generated.
  • Full – The user has full access to the page, record or transaction including the ability to delete if it is available.

Permissions can be found on the Permissions tab of the role where they can be added or removed from one of five subtabs.

Where to update NetSuite Roles and Permissions - the 5 permissions subtabs on the role record.

New permissions can be added to the list by selecting from the drop down and then setting the required level.

Employee Center roles display all the available permissions already and only the levels can be changed.

A full downloadable list of NetSuite permissions can be found here.

You may also be interested in looking at the Global Permissions feature. This allows you to assign certain permissions directly to the employee record. This feature is not advised for most use cases but it does meet the rare need.

Show Role Differences

If you want to compare the permissions of two or more NetSuite roles there is a page that allows you to do this.

Navigate to Setup > Users/Roles > Show Role Differences. Select the base role you want to compare from and then, in the multiselect, highlight the comparison role/s.

The output will be a list of permissions showing the levels across all the chosen roles.

Identifying A Missing Permission

If a role you have created is missing a crucial piece of access, it can sometimes be difficult to identify exactly what permission is needed.

Log in to the Administrator role and access the page you are lacking the permission for. Copy the URL. Now log in to your custom role and paste the URL. You will be shown a screen that identifies the relevant permission for you.

The permission violation message in NetSuite used to identify a missing permission.

Be aware that this trick does not work for all access as not all access is governed by permissions.

The Administrator Role

All NetSuite roles and permissions are ultimately governed by the Administrator role. You are unable to add or remove permissions from the Administrator role as it holds the highest level of all permissions by default.

If you add a new feature or module to your system, the Administrator role will automatically have access to all the new permissions.

What to Consider When Setting Up NetSuite Roles And Permissions

Creating your own set of roles and defining their permissions can be a daunting task. Every company has it’s own unique way of operating so the standard roles provided by NetSuite are only going to be so much help.

There are a few things to bear in mind, however, that can help you develop your own NetSuite roles and permissions.

Segregation of Duties

Consider how to use use your roles to properly support a segregation of duties.

A simple example of this is to separate AR and AP access in to separate roles. This prevents certain individuals from having influence over both money coming in as well as going out.

You could also set up transaction approvals that are based on a users role.

Improve access control to your system by activating two factor authentication for your full access roles. Learn about NetSuite’s two factor authentication here.


If you operate a multi subsidiary environment you need to consider the question – Should roles be multi subsidiary or single subsidiary.

It will obviously makes sense for positions such as Group Accountant to have a single role with access to all subsidiaries. Other roles however might warrant more limited access.

If you choose to limit access to a single subsidiary, you can choose to manage this via the roles or via the user. For example you could have one Sales Person role that limits access to the users subsidiary. Or you could have multiple Sales Person roles with designated subsidiary access such as Sales Person UK, Sales Person FR etc.

How to define the subsidiary access on a NetSuite role.

Streamlined Access

Think carefully about the full breadth of access users will need. Wherever possible try to consolidate this down to a single role.

A poor user experience is one where multiple roles are required to complete ones daily activities.

It is sometimes the case that over time the number of roles in use at a business grows and permissions become spread across multiple for any given user. Take the time to do regular roles audits and streamline users’ access.

Employee Center Access

NetSuite offers a limited access license called an Employee Center license. This gives users access to claim expenses, log timesheets and raise purchase orders but little more.

Don’t waste full access licenses on users that only need to claim an expense once a month, for example.

Some businesses may choose to assign an Employee Center role to users with full access licenses as well. This allows for certain processes, such as tracking time, to only happen within the Employee Center. Limiting the access for specific tasks across the board allows for consistency in process training as well as fewer errors.

Perfecting Your NetSuite Roles and Permissions

Use the above information as guidelines to build out your NetSuite roles and permissions. If you are currently working through an implementation then take your time on this step. Don’t rush it.

Analyze the positions within the business and the access each one needs. Identify similarities that make sense and those that don’t. Think about the future of the work environment – Are there new subsidiaries coming on shortly? Are there new job titles on the horizon?

Once you have the roles defined, ensure permissions are thoroughly tested and schedule a review six to twelve months later. Needs will change and so will permissions.

Similar Posts

Leave a Reply

Your email address will not be published. Required fields are marked *