Chidi Okwudire IT Professional. ERP Enthusiast. NetSuite Certified (Administrator, SuiteCloud Developer II, and ERP Consultant). Celigo Certified (Level 4+). Passionate About Empowerment Through Knowledge Sharing. Always Eager to Learn.

Learn How To Effectively Monitor Dormant NetSuite Users and Roles

6 min read

saved search to detect unused roles

Detecting and managing dormant users/roles is a key control that every NetSuite administrator should have in place. The good news is that NetSuite saved searches offer the ability to implement such automated detective controls. The not-so-good news is that it is tricky to get it right, hence this article.

TL;DR

Dormant users and roles constitute security risks and often incur hidden costs. Therefore, they should be avoided.

  • The Login Audit Trail saved search is ideal for detecting dormancy but has the disadvantage of not capturing provisioned accounts/roles that have never been used.
  • The Employee saved search can be used to address the above limitation.
  • Together, these searches arm the NetSuite admin with tools to automatically detect and address dormancy in the NetSuite accounts they manage.

In this article, you’ll learn how to create these detective controls.


Introduction

A dormant user is one who has not logged into NetSuite for an extended period as per your organization’s access control policies [I]Joshua Meiri (July 2, 2015). Dormant users in NetSuite. Available at https://www.linkedin.com/pulse/dormant-users-netsuite-joshua-meiri/ [Accessed on May 23, 2021]. Similarly, a dormant role is one that a user has not logged into for an extended period. By extension, a role that is assigned to a user but has never been logged into, or a user that has been granted access but has never logged in, is considered dormant.

Dormant NetSuite users and roles should be promptly detected and handled to prevent security risks and hidden costs. Share on X

Scenarios of Interest

With my NetSuite Admin hat on, I care about the following four scenarios:

  1. A user that has never logged into NetSuite: This constitutes both a security risk and possibly unnecessary costs.
  2. A user that has not logged into NetSuite for a while, say 3 months: Such inactivity often indicates an issue e.g. a change of function, leave of absence, etc., and presents an opportunity for clean up.
  3. An active user with multiple roles one or more of which they have not used for a while: Again, this could be due to a change of function or some other reasons. Detecting it can help prevent or uncover a segregation of duties concern.
  4. An active user with multiple roles one or more of which they never logged into: Now this is the trickiest scenario to detect. Because the user in question is actively logging into other roles, it might look like all is well. However, an assigned but completely unused role is at best a waste and most likely a security concern.

A Login Audit Trail saved search can easily capture scenarios (2) and (3) since the user has logged in previously before becoming dormant. Scenarios (1) and (4) can be captured via a creative Employee saved search as I’ll show you shortly.

Note that there is one more scenario that I deliberately do not cover in this article namely: Active roles that are not assigned to any user. Admittedly, this produces noise in the roles overview page. However, it does not constitute any security risk or have any cost implications and and is thus, less interesting. You could always manually detect such roles as described here if you care to.


Using a Login Audit Trail Search to Capture Dormant Users/Roles

Here are the steps for creating a Login Audit Trail search to capture users that have not logged into NetSuite/specific roles in a given timeframe.

  1. Reports > Saved Searches > All Saved Searches > New > Search Type = Login Audit Trail
    • Name your search whatever you like e.g. “<Company Prefix> Controls – Stale Roles with Prior Activity”
  1. Under tab Criteria > Standard:
    • Employee : Login Access = true
    • Formula (Numeric) = CASE WHEN {role} = {employee.role} THEN 1 ELSE 0 END equals to 1 (This instructs NetSuite to only include audit trails for roles that are currently assigned to the user. Without this check, you might get false positives from roles the user previously had.)
    • Status = success
  1. Under tab Criteria > Summary:
    • Summary Type = Maximum
    • Field = Date
    • Description = is before 3 months ago (adjust to match your preferred duration)

The above criteria in words: Give me a list of audit trails for any role(s) currently assigned to an active user for which the most recent successful login was at least 3 months ago.

Now that we have the rows we need, we can group them by user and role and include other data we care about:

  1. Under tab Results:
    • Field = User
      • Summary Type = Group
    • Field = Role
      • Summary Type = Group
    • Field = Date
      • Summary Type = Maximum
      • Summary Label = Last Login Date

That’s it. The above search will give you all stale users/roles provided there has been at least one successful login attempt to that role.

Using an Employee Search to Capture Users/Roles Without Prior Logins

Let’s now focus our attention on the more difficult case of identifying users/roles with no prior logins.

  1. Reports > Saved Searches > All Saved Searches > New > Search Type = Employee
    • Name your search whatever you like e.g. “<Company Prefix> Controls – Employees with Unused Roles”
  1. Under tab Criteria > Standard:
    • Login Access = true
    • Roles = none of NetSuite Support Center, NetSuite Support Center (Basic) (Filter out any roles you don’t care about that could otherwise create false positives)
  1. Under tab Criteria > Summary:
    • Summary Type = Count
    • Field = Formula (Numeric)
    • Description = is greater than 0
    • Formula: COUNT(distinct {role}) - COUNT(distinct CASE WHEN {loginaudittrail.role} = {role} THEN {role} END )

The above formula is the secret sauce of this solution. Let’s break it down:

  • COUNT(distinct {role}) gets the number of roles that are currently assigned to the user.
  • COUNT(distinct CASE WHEN {loginaudittrail.role} = {role} THEN {role} END)gets the number of roles currently assigned to the user for which there has been at least one login attempt. Notice how we combine the distinct keyword and a CASE statement. I couldn’t find any explicit documentation for this approach but it is inspired by Suite Answers like Answer Id: 309933 that employ a similar approach.
  • The difference between the above two counts gives us the number of roles for which there has been no login attempt which is exactly what we want!

Once we’ve gotten the criteria right, what remains is to add appropriate summary result columns to present the data correctly:

  1. Under tab Results:
    • Field = ID
      • Summary Type = Group
    • Field = Role
      • Summary Type = Count
      • Summary Label = # Active Roles
    • Field = Formula (Numeric)
      • Summary Type = Maximum (Maximum is somewhat arbitrary; it is simply a convenient way to expose the count in the summary results view. Other summary types like Minimum will produce the same outcome)
      • Formula = COUNT(distinct CASE WHEN {loginaudittrail.role} = {role} THEN {role} END)
      • Summary Label = # Active Roles with Login Attempts
    • Field = Formula (Numeric)
      • Summary Type = Maximum
      • Formula = COUNT(distinct {role}) - COUNT(distinct CASE WHEN {loginaudittrail.role} = {role} THEN {role} END)
      • Summary Label = # Unused Roles
    • Field = Formula (Text)
      • Formula =DECODE({loginaudittrail.role}, {role}, 'Yes', 'No')
      • Custom Label = Was a login attempt from this role? (We’ll come back to this later)

That’s it! The above search will capture all users with roles that have never been used. If the # Active Roles = # Unused Roles, we can conclude that the user has never attempted to log into NetSuite.

saved search to detect unused roles
Sample results of the search for unused roles

In the example below, EMP-002 and EMP-005 have both never attempted to log into NetSuite as their number of unused roles equals their number of active roles. On the other hand, EMP-006 has two roles, one of which they have previously logged into and one that they have never logged into (We’ll learn how to tell which shortly).

Here are a few things to bear in mind:

  1. This search works using login attempts, not successful logins. So, if a user attempted unsuccessfully to log into NetSuite and it resulted in an audit trail log, that role will not show up here as an unused role. However, it will be caught by the previous search which uses the Login Audit Trail. Tweaking the search to include only successful login attempts (if at all possible) is left as an exercise to the reader.
  2. Knowing that a user has roles they’ve never used is the first step. The next logical thing is to find out which role that is. This information can be inferred as follows:
    • Drill down into the user of interest
    • The unused roles are any roles where there is no single row with the column "Was a Login Attempt for this role?" = Yes. Often, you can tell this quickly by visual inspection. However, if the list is too long, it’s faster to export it to CSV and filter.

Going back to our earlier example, to find which role EMP-006 has never logged into, we drill down into that employee. By analyzing the rows, we can easily conclude that EMP-006 has never logged into their “Approver – VP Level – SSO” role because there is no single row where "Was a Login Attempt for this role?" = Yes. It’s that easy!

Illustration of how to find which roles have never been logged into

Automating Your Detective Controls

You have the searches, great! What’s left is to employ the convenient email reminders functionality of NetSuite’s saved searches to convert them into automated controls.

  1. Under tab Email, check the following boxes:
    • Send Emails According to Schedule
    • Summarize Scheduled Emails
  2. Under tab Email > Specific Recipients, enter the recipients. Ideally, you want to use a service account that automatically creates a support ticket in whatever support system you use which can be handled by anyone on your team. This is much better than using a specific employee’s email address.
  3. Under tab Email > Schedule, specify the frequency of the email notifications.
  4. Optionally, under tab Email >> Customize, customize the email message. I usually include resolution steps/follow-up actions in this section so the recipient knows exactly what to do whenever this control fires. I find this approach effective for documenting procedures for handling controls.

If you found this article useful, share it with someone else, and be sure to subscribe to get notified of NetSuite Insights as soon as they get published. Did you also know that you can become a NetSuite Insights contributor? Learn more here!

Related Posts

Further Reading[+]

Chidi Okwudire IT Professional. ERP Enthusiast. NetSuite Certified (Administrator, SuiteCloud Developer II, and ERP Consultant). Celigo Certified (Level 4+). Passionate About Empowerment Through Knowledge Sharing. Always Eager to Learn.

2 Replies to “Learn How To Effectively Monitor Dormant NetSuite Users and Roles”

  1. Using a Login Audit Trail Search to Capture Dormant Users/Roles … does NOT capture/list all users, specifically it did NOT list/find myself (& I’m an administrator!!!!)

    1. Hi Bernie,

      Without seeing your search, it’s hard to tel why your list is not correct. But I can confirm that the approach described in this article works because I use it 🙂

      Cheers

Leave a Reply

Your email address will not be published. Required fields are marked *

×