About Salto: Salto's platform helps you and your team deploy, track, and manage your NetSuite customizations effortlessly. Learn more here.

‍

Introduction

As a NetSuite Administrator, it's crucial to understand the platform's security features to protect sensitive data and maintain compliance, e.g. Sarbanes Oxley (SOX). In this guide, we will explore NetSuite's key security features and provide tips for managing user access, authentication, data security, auditing, and compliance.

‍

‍

User Access Management

User access management is governed in a number of different ways in the system. NetSuite offers Administrators a hierarchical structure to manage user access. 

1. Users: Granting access to specific individuals.
2. Roles: Granting specific user roles to the users with system access. These roles define the level of access to the system and are applied to groups of users with similar responsibilities.
3. Permissions: Granting specific permissions to the user roles. Permissions can have different access levels, which may or may not limit a user’s ability to view, edit, or even delete system records.
4. Groups: Granting a specific group of users the ability to access certain parts of the system. These groups can be dynamic (reference a list of users from a NetSuite saved search) or a static list of users.

To create a new group, navigate to: Lists -> Relationships -> Groups -> New

‍

‍

Salto Suite Tip: You do have the ability to apply “Global Permissions” at the individual user level. However, it is generally not recommended to do so as it overrides the user role permissions that are used to manage user access.

‍

Authentication

NetSuite offers various authentication options to ensure only authorized users can access your organization's data. It is also important to enforce strong password policies to prevent unauthorized access. Authentication options include:

1. Username and password
2. Single sign-on (SSO)
3. Multi-factor authentication (MFA) - think two factor authentication via text/app

These authentication options are set on each user role.

‍

‍

Highly privileged roles, such as “Administrator” cannot access NetSuite via SAML Single sign-on for security purposes. Check out SuiteAnswer 31797 for confirmation.

To set up single sign-on for NetSuite, follow the instructions in SuiteAnswer 93892.

‍

Password Policies

NetSuite offers robust password policy management. The policy is accessed via Setup -> Company -> General Preferences.

You are able to establish rules around password complexity, password minimum length, password expiration, and session timeout. The NetSuite default password policy is set to “Strong” and it should not be modified.

As for password expiration, it is generally recommended that users change their password at least every 90 days or fewer. Some NetSuite features may force a user to change their password in a fewer number of days compared to your company policy, for security purposes.

‍

‍

Data Security

NetSuite uses various security measures to protect user data, including encryption and role-based access control. It is important to set up and manage data security policies to prevent unauthorized access. A few things to note:

1. Encryption: NetSuite uses encryption to protect sensitive data stored on its servers and data in transit.
2. Role-based access: Apply the principle of least privilege when creating and subsequently granting access to NetSuite user roles.
3. Data security policies: Establish policies focused on data retention, data disposal/purge and other policies that will minimize the risk of a data breach. As for password policies, data security policies are typically prescribed by a company’s internal security team and applied to all applications, including NetSuite.

‍

Auditing and Compliance

NetSuite provides auditing features to track user activities and ensure compliance with various regulations. It is important to set up and manage audit trails to keep record of user activity, especially as it relates to modification of key system areas such use scripts, workflows, features, etc.

For SuiteSuccess customers, you should have access to a menu tab that includes pre-configured administrative controls and audit functionality. Leverage this if you have access to it, otherwise you will need to configure a number of NetSuite saved searches yourself to track user activities.

You should be regularly reviewing changes to the key system areas called out above. This is typically done by reviewing saved searches that capture record changes via system notes and execution logs (for scripts).

Salto Suite Tip: Not every change captured in the system was made by a user, even when a change is associated with a user. For example, when a NetSuite managed bundle is updated in the system, NetSuite will capture changes to underlying records/objects in the bundle and record them as being made by the managed bundle owner. You will be able to reference the system time stamps to validate that the updates were made at the exact same time as the corresponding bundle update.

‍

Bundle Update Example

NetSuite Fixed Assets Management is a managed bundle and will automatically update periodically.

‍

‍

‍

Notice in the above screenshots that the managed bundle update took place between 11:56 am and 12:09 pm. The script changes were captured at 12:06 pm, so we can use the system notes to validate that the script updates were performed as part of the managed bundle update as opposed to physically updated by me.

‍

Best Practices

1. Establish clear access policies by defining user roles, permissions, and groups.
2. Apply the principle of least privilege when creating and granting access to user roles. Grant permission level “Full” intentionally and not by default. Think - should a user be able to delete this record type? If the answer is no, ensure the permission level is set to “Edit” or lower.
3. Do not use global permissions to specific users, as they override established user roles.
4. Leverage groups to restrict access to NetSuite file cabinet folders. This is often overlooked and users can access records they may not be privy to by way of the file cabinet.
5. Enable two-factor authentication (2FA) for roles not configured for SSO (where hopefully 2FA is enforced upstream).
6. Enforce strong password policies, including complexity, expiration and timeout rules. Adhere to your company’s policy.
7. Establish data retention and purge policies. Again, adhere to your company’s policy.
8. Configure audit trail monitors (unless you already have via SuiteSuccess) to track system changes.
9. Periodically review the login audit trail to check for any suspicious activity.
10.  Review deleted records and transaction numbering audit log to identify system records that have been deleted, by whom and when.

‍

‍

Final thoughts

By understanding and implementing NetSuite's security features, administrators can protect sensitive data and maintain compliance with various regulations. As always, it is important to stay up-to-date on the latest security best practices and perform regular audits to ensure your company’s data is secure, e.g. by reviewing your login audit trail periodically for any suspicious activity. If in doubt, call it out by reaching out to NetSuite support.