Understanding NetSuite’s Security Features

Written by
Sonny Spencer, BFP, ACA
Director of Finance Operations
June 11, 2023
min read

Table of Contents

View all guides


Lorem ipsum dolor sit amet, consectetur adipiscing elit. Suspendisse varius enim in eros elementum tristique. Duis cursus, mi quis viverra ornare, eros dolor interdum nulla, ut commodo diam libero vitae erat. Aenean faucibus nibh et justo cursus id rutrum lorem imperdiet. Nunc ut sem vitae risus tristique posuere.

This is some text inside of a div block.


As a NetSuite Administrator, it's crucial to understand the platform's security features to protect sensitive data and maintain compliance, e.g. Sarbanes Oxley (SOX). In this guide, we will explore NetSuite's key security features and provide tips for managing user access, authentication, data security, auditing, and compliance.

Experience the Ease & Confidence of NetSuite Customizations with Salto

User Access Management

User access management is governed in a number of different ways in the system. NetSuite offers Administrators a hierarchical structure to manage user access. 

  1. Users: Granting access to specific individuals.
  2. Roles: Granting specific user roles to the users with system access. These roles define the level of access to the system and are applied to groups of users with similar responsibilities.
  3. Permissions: Granting specific permissions to the user roles. Permissions can have different access levels, which may or may not limit a user’s ability to view, edit, or even delete system records.
  4. Groups: Granting a specific group of users the ability to access certain parts of the system. These groups can be dynamic (reference a list of users from a NetSuite saved search) or a static list of users.

To create a new group, navigate to: Lists -> Relationships -> Groups -> New

Screen shot of NetSuite create group function that allows for dynamic or static groups

Salto Suite Tip: You do have the ability to apply “Global Permissions” at the individual user level. However, it is generally not recommended to do so as it overrides the user role permissions that are used to manage user access.


NetSuite offers various authentication options to ensure only authorized users can access your organization's data. It is also important to enforce strong password policies to prevent unauthorized access. Authentication options include:

  1. Username and password
  2. Single sign-on (SSO)
  3. Multi-factor authentication (MFA) - think two factor authentication via text/app

These authentication options are set on each user role.

Screen shot of NetSuite authentication options on user roles

Highly privileged roles, such as “Administrator” cannot access NetSuite via SAML Single sign-on for security purposes. Check out SuiteAnswer 31797 for confirmation.

To set up single sign-on for NetSuite, follow the instructions in SuiteAnswer 93892.

Password Policies

NetSuite offers robust password policy management. The policy is accessed via Setup -> Company -> General Preferences.

You are able to establish rules around password complexity, password minimum length, password expiration, and session timeout. The NetSuite default password policy is set to “Strong” and it should not be modified.

As for password expiration, it is generally recommended that users change their password at least every 90 days or fewer. Some NetSuite features may force a user to change their password in a fewer number of days compared to your company policy, for security purposes.

Screen shot of NetSuite password policy options with some recommended values - these should adhere to your own internal password policy, e.g. if your internal policy requires a minimum length of 15 characters then ensure NetSuite also uses at least 15 characters

Data Security

NetSuite uses various security measures to protect user data, including encryption and role-based access control. It is important to set up and manage data security policies to prevent unauthorized access. A few things to note:

  1. Encryption: NetSuite uses encryption to protect sensitive data stored on its servers and data in transit.
  2. Role-based access: Apply the principle of least privilege when creating and subsequently granting access to NetSuite user roles.
  3. Data security policies: Establish policies focused on data retention, data disposal/purge and other policies that will minimize the risk of a data breach. As for password policies, data security policies are typically prescribed by a company’s internal security team and applied to all applications, including NetSuite.

Auditing and Compliance

NetSuite provides auditing features to track user activities and ensure compliance with various regulations. It is important to set up and manage audit trails to keep record of user activity, especially as it relates to modification of key system areas such use scripts, workflows, features, etc.

For SuiteSuccess customers, you should have access to a menu tab that includes pre-configured administrative controls and audit functionality. Leverage this if you have access to it, otherwise you will need to configure a number of NetSuite saved searches yourself to track user activities.

You should be regularly reviewing changes to the key system areas called out above. This is typically done by reviewing saved searches that capture record changes via system notes and execution logs (for scripts).

Salto Suite Tip: Not every change captured in the system was made by a user, even when a change is associated with a user. For example, when a NetSuite managed bundle is updated in the system, NetSuite will capture changes to underlying records/objects in the bundle and record them as being made by the managed bundle owner. You will be able to reference the system time stamps to validate that the updates were made at the exact same time as the corresponding bundle update.

Bundle Update Example

NetSuite Fixed Assets Management is a managed bundle and will automatically update periodically.

Screenshot of FAM managed bundle update confirmation with start and end date and time

Screenshot of FAM script that shows that I made the script changes despite the fact they were pushed automatically as part of the managed bundle update

Notice in the above screenshots that the managed bundle update took place between 11:56 am and 12:09 pm. The script changes were captured at 12:06 pm, so we can use the system notes to validate that the script updates were performed as part of the managed bundle update as opposed to physically updated by me.

Best Practices

  1. Establish clear access policies by defining user roles, permissions, and groups.
  2. Apply the principle of least privilege when creating and granting access to user roles. Grant permission level “Full” intentionally and not by default. Think - should a user be able to delete this record type? If the answer is no, ensure the permission level is set to “Edit” or lower.
  3. Do not use global permissions to specific users, as they override established user roles.
  4. Leverage groups to restrict access to NetSuite file cabinet folders. This is often overlooked and users can access records they may not be privy to by way of the file cabinet.
  5. Enable two-factor authentication (2FA) for roles not configured for SSO (where hopefully 2FA is enforced upstream).
  6. Enforce strong password policies, including complexity, expiration and timeout rules. Adhere to your company’s policy.
  7. Establish data retention and purge policies. Again, adhere to your company’s policy.
  8. Configure audit trail monitors (unless you already have via SuiteSuccess) to track system changes.
  9. Periodically review the login audit trail to check for any suspicious activity.
  10.  Review deleted records and transaction numbering audit log to identify system records that have been deleted, by whom and when.

Final thoughts

By understanding and implementing NetSuite's security features, administrators can protect sensitive data and maintain compliance with various regulations. As always, it is important to stay up-to-date on the latest security best practices and perform regular audits to ensure your company’s data is secure, e.g. by reviewing your login audit trail periodically for any suspicious activity. If in doubt, call it out by reaching out to NetSuite support.

Written by
Sonny Spencer, BFP, ACA

Sonny is a seasoned NetSuite veteran, with more than 7 years experience implementing NetSuite and architecting NetSuite solutions for a wide variety of public and private companies, on a global scale. He leverages his background both as a Chartered Accountant and Certified NetSuite Administrator to design and build NetSuite solutions that solve real world problems. Sonny is an active member of the NetSuite community, participating in local NetSuite meetups, NetSuite forums and groups focused on financial system optimization.

Written by