Roles and permissions form the security backbone of your NetSuite account. Every user is assigned one or more roles, and each role defines exactly what that user can see, create, edit, and delete. Getting this right is essential for data security, regulatory compliance, and operational efficiency.
Understanding Roles vs. Permissions
A role is a named collection of permissions that you assign to users. Think of it as a job profile. A permission is an individual access right to a specific feature, record type, or page. Each permission is set to one of the following levels (None, plus four levels of access, each of which includes the ones below it):
- None – No access
- View – Can see records but not modify them
- Create – Can create new records (includes View)
- Edit – Can modify existing records (includes View and Create)
- Full – Can create, edit, and delete records (includes View, Create, and Edit); this is the only level that allows deletion
Step 1: Review Standard Roles
NetSuite includes many built-in roles like Administrator, Accountant, Sales Manager, and A/P Clerk. Before creating custom roles, review the standard ones to see if any meet your needs or can serve as a starting point.
Navigate to Setup > Users/Roles > Manage Roles to see all available roles.
Step 2: Create a Custom Role
Go to Setup > Users/Roles > Manage Roles > New. Fill in:
- Name – Descriptive name (e.g., "Regional Sales Manager – EMEA")
- Center Type – The UI layout (Classic, Accounting Center, Sales Center, etc.)
- Subsidiary Restrictions – In OneWorld, restrict the role to specific subsidiaries
- Is Web Services Only – Check if this role should only be used for API integrations; a user logging in with such a role cannot use the UI, which keeps integration credentials from doubling as interactive accounts
Step 3: Configure Permissions
Permissions are organized into categories on subtabs:
- Transactions – Access to sales orders, invoices, purchase orders, journal entries, etc.
- Reports – Access to financial reports, saved searches, and analytics
- Lists – Access to master data: customers, items, vendors, employees
- Setup – Access to configuration pages: company info, accounting preferences, etc.
- Custom Record – Access to custom record types you've created
For each permission, select the appropriate level (None, View, Create, Edit, Full). A good practice is to start with minimal permissions and add more as needed, rather than starting with Full and restricting.
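The least-privilege review described in this step can be made mechanical. The following is an added example, not NetSuite's own code: it models the ordered permission levels None &lt; View &lt; Create &lt; Edit &lt; Full, and compares a role's permission grants with the actions a job actually requires, reporting both gaps (the user cannot do the job) and over-provisioning (the role grants more than the job needs). The permission names and the sample A/P clerk role are constructed for illustration; in a real review you would transcribe them from the role's permission subtabs.

```javascript
// Added example (not NetSuite code): models the NetSuite permission levels
// None < View < Create < Edit < Full and reviews a role definition against
// the actions a job actually requires, reporting gaps and over-provisioning.
// Permission names and the sample role below are constructed for illustration.

const LEVELS = ['None', 'View', 'Create', 'Edit', 'Full'];

// Action a user wants to perform -> minimum level that grants it.
// Full is the only level that includes delete.
const ACTION_MIN_LEVEL = { view: 'View', create: 'Create', edit: 'Edit', delete: 'Full' };

function levelRank(level) {
  const rank = LEVELS.indexOf(level);
  if (rank < 0) throw new Error(`unknown permission level: ${level}`);
  return rank;
}

// Does `granted` (a level set on a role) permit `action`?
function levelAllows(granted, action) {
  const needed = ACTION_MIN_LEVEL[action];
  if (!needed) throw new Error(`unknown action: ${action}`);
  return levelRank(granted) >= levelRank(needed);
}

// Lowest level that satisfies every action in `actions` (None if there are none).
function minimalLevel(actions) {
  return actions
    .map((a) => ACTION_MIN_LEVEL[a])
    .reduce((best, lvl) => (levelRank(lvl) > levelRank(best) ? lvl : best), 'None');
}

// Compare a role's grants {permission: level} with the job's needs
// {permission: [actions]}. A permission absent from either side counts as None.
function reviewRole(rolePermissions, jobRequirements) {
  const missing = [];
  const excessive = [];
  const perms = new Set([...Object.keys(rolePermissions), ...Object.keys(jobRequirements)]);
  for (const perm of perms) {
    const granted = rolePermissions[perm] || 'None';
    const needed = minimalLevel(jobRequirements[perm] || []);
    if (levelRank(granted) < levelRank(needed)) missing.push({ perm, granted, needed });
    else if (levelRank(granted) > levelRank(needed)) excessive.push({ perm, granted, needed });
  }
  return { missing, excessive };
}

// Constructed sample: an A/P clerk role that was copied from a broader role
// and never trimmed, reviewed against what the clerk actually does.
const apClerkRole = {
  'Transactions: Bills': 'Full',
  'Transactions: Purchase Orders': 'View',
  'Lists: Vendors': 'Edit',
  'Setup: Accounting Preferences': 'View',
};
const apClerkJob = {
  'Transactions: Bills': ['view', 'create', 'edit'],
  'Transactions: Purchase Orders': ['view', 'create'],
  'Lists: Vendors': ['view'],
};

const sampleReview = reviewRole(apClerkRole, apClerkJob);
console.log(JSON.stringify(sampleReview, null, 2));
```

Running it reports one gap (the clerk needs Create on purchase orders but has only View) and three excessive grants, including Full on bills, which is the level that allows deletion. Trimming each excessive grant to the `needed` level is the "start minimal and add as needed" approach from the text, applied after the fact.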
Step 4: Set Up Record-Level Restrictions
Beyond permissions, you can restrict which specific records a role can access using:
- Subsidiary restrictions – Limit the role to data from specific subsidiaries
- Department/Class/Location restrictions – Filter records by organizational segments
- Customer/Vendor access – Restrict which customers or vendors a user can see
Step 5: Assign Roles to Users
Navigate to Setup > Users/Roles > Manage Users, edit the user, and go to the Access tab. Add the desired role(s). Each user can have multiple roles and can switch between them using the role selector in the header.
Step 6: Configure Two-Factor Authentication
For roles with elevated access (especially Administrator), enable two-factor authentication. Go to Setup > Company > Two-Factor Authentication Roles and check the roles that require 2FA.
Security Best Practices
- Principle of least privilege – Give users only the permissions they need to do their job
- Don't modify standard roles – Copy them and customize the copy. This preserves the original for reference.
- Audit regularly – Review role assignments quarterly. Remove access for departed employees immediately.
- Separate duties – The person who creates purchase orders should not be the same person who approves them
- Use role-based forms – Customize transaction forms per role to show only relevant fields
- Limit Administrator access – Only a few trusted users should have the Administrator role
- Use IP address restrictions – For sensitive roles, restrict login to specific IP addresses
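Several of these practices (limiting Administrator access, removing departed employees, separating duties, requiring 2FA on elevated roles) can be checked together in one pass over an export of user-role assignments. The following is an added example, not NetSuite's own code: the export format, the role names such as "Purchase Order Creator" and "Purchase Order Approver", the admin threshold, and the lists of elevated roles and 2FA-enforced roles are all constructed for illustration; in practice you would build the same data from Setup > Users/Roles > Manage Users or an employee saved search, and the 2FA set from the Two-Factor Authentication Roles page.

```javascript
// Added example (not NetSuite code): audits a user-role assignment export
// against the best practices listed above. The export format, role names,
// admin threshold and the elevated/2FA role lists are constructed for
// illustration; real reviews use an export from Manage Users or a saved search.

// Constructed export: one line per user, roles separated by ';'.
const ASSIGNMENT_EXPORT = `
user,email,active,roles
Alice Admin,alice@example.com,true,Administrator
Bob Buyer,bob@example.com,true,Purchase Order Creator;Purchase Order Approver
Carol Clerk,carol@example.com,true,A/P Clerk
Dave Departed,dave@example.com,false,Accountant;Administrator
Erin Exec,erin@example.com,true,Administrator
`;

// Roles treated as elevated (hypothetical list), role pairs that should not be
// held by one person, and how many Administrators the review tolerates.
const ELEVATED_ROLES = new Set(['Administrator', 'Accountant']);
const SOD_CONFLICTS = [['Purchase Order Creator', 'Purchase Order Approver']];
const MAX_ADMINS = 2;

// Parse the CSV-style export into {user, email, active, roles[]} records.
function parseAssignments(text) {
  const lines = text.trim().split('\n');
  const header = lines.shift().split(',');
  return lines.map((line) => {
    const cols = line.split(',');
    const row = Object.fromEntries(header.map((h, i) => [h, cols[i] || '']));
    return {
      user: row.user,
      email: row.email,
      active: row.active === 'true',
      roles: row.roles ? row.roles.split(';').map((r) => r.trim()) : [],
    };
  });
}

// twoFactorRoles: the set of roles checked on the Two-Factor Authentication
// Roles page. Returns a list of findings, one object per issue.
function auditAssignments(assignments, twoFactorRoles) {
  const findings = [];

  // Limit Administrator access.
  const admins = assignments.filter((a) => a.roles.includes('Administrator'));
  if (admins.length > MAX_ADMINS) {
    findings.push({ type: 'too-many-admins', users: admins.map((a) => a.user) });
  }

  for (const a of assignments) {
    // Departed (inactive) users should hold no roles at all.
    if (!a.active && a.roles.length > 0) {
      findings.push({ type: 'inactive-user-has-roles', user: a.user, roles: a.roles });
    }
    // Separation of duties across the user's combined roles.
    for (const [r1, r2] of SOD_CONFLICTS) {
      if (a.roles.includes(r1) && a.roles.includes(r2)) {
        findings.push({ type: 'separation-of-duties', user: a.user, roles: [r1, r2] });
      }
    }
  }

  // Every elevated role that is actually assigned should require 2FA.
  const assignedRoles = new Set(assignments.flatMap((a) => a.roles));
  for (const role of assignedRoles) {
    if (ELEVATED_ROLES.has(role) && !twoFactorRoles.has(role)) {
      findings.push({ type: 'elevated-role-without-2fa', role });
    }
  }
  return findings;
}

const sampleFindings = auditAssignments(
  parseAssignments(ASSIGNMENT_EXPORT),
  new Set(['Administrator']),
);
console.log(JSON.stringify(sampleFindings, null, 2));
```

On the constructed data the audit reports three Administrators (over the threshold), one user holding both the creator and approver roles, one inactive user who still has roles, and the Accountant role assigned without 2FA enforced. Scheduling a run like this quarterly, as the text recommends, turns the review from a manual scan of the Manage Users page into a repeatable check with a written record.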
Next Steps
After setting up roles, you'll want to configure approval workflows that route transactions to the right approvers based on role, and custom fields with role-based visibility to control who sees what data.
Need help designing a comprehensive security model for your NetSuite account? Contact YRK Consulting.