TL;DR
Edet, the NetSuite Admin at Asoville, has a challenge: She wants a quick and easy way to see what role permissions have changed in a given time interval. NetSuite role permission overviews and saved searches do not quite offer what she needs. So, she’s created a NetSuite Role Permission Tracker which can be yours for the asking.
Tracker in Action
Watch the following clip (4:43) to understand what the Tracker is and how it works:
Here are a few things to note:
- The tracker is a Google Spreadsheet that uses only formulas and conditional highlighting so it should technically work if you download it to Excel. However, as you may know, Excel and Google Sheets are not 100% compatible. I’ve noticed the following issue during tests: Some formulas in the “Validation” tab get prefixed with a “@” when downloaded to Excel, causing them not to evaluate. So, if you go the Excel route, you’ll need to (mass) remove any spurious “@” symbols (a.k.a. “implicit intersection operator”) from the formulas. There may be other glitches that I’m not aware of; I recommend sticking to Google Sheets.
- The Tracker supports up to 26 roles out of the box. This should be more than enough to cover your active roles. Nevertheless, if you need more, it should be easy to extend it by duplicating the columns and formulas.
- When generating the role differences in NetSuite, I strongly recommend using the Administrator role as your base role for comparison as it contains all permissions exposed by NetSuite.
- Net new roles will not be captured by the tracker by default. If you want your new roles included, simply add the name of the new role(s) to the “Before” tab as illustrated in the video above. On the other hand, deleted roles should automatically show up as long as they were part of the “before” situation.
Common Use Cases
Here are a few use cases that come to mind for this Tracker. The list is not exhaustive but should give you a good idea in case you still don’t realize how useful this utility might be to you.
1. Pre-/Post-Deployment Validation
If you have a NetSuite Sandbox, you likely create customizations in your Sandbox before promoting them to Production. By definition, the Sandbox is a playground and you’ll likely experiment a bit in your Sandbox. Perhaps you made role permission changes in the process to “get something working” but some of those changes are still work-in-progress and should not be deployed to Production.
Using the Tracker, you can quickly review the permissions you’ve changed in Sandbox relative to Production and decide which ones to deploy to Production.
Post-deployment, you can also use the Tracker to validate the before and after situation and make sure that exactly what you intended was deployed.
This is my personal favorite use case for the Tracker. Especially when working in NetSuite instances of public companies (or any company that has a strong change management process), I try to make little or no role changes directly in Production. Instead, I do everything in Sandbox and release to Production via SDF, SuiteBundler, manually, or a combination of these techniques. During such cutovers, it is crucial to spot any spurious permission changes before they slip into Production as well as to confirm that the permission changes I intended to deploy were actually deployed.
A very welcome byproduct of using the Tracker is that it provides deployment evidence that can be used for role change audits or rollbacks, if necessary.
2. Periodic (Internal) Reviews
If you don’t have a Sandbox or a well-defined change management process, the Tracker is even more useful. As a NetSuite Admin, it is your responsibility, among others, to guard the environment. NetSuite’s Role/Permissions structure is one of your key defenses against unauthorized access to system data as we’ve described before. Therefore, it is in your best interest to periodically audit any changes you or others have made to your roles and permissions.
Here’s a simple way you can do that:
- Create a recurring Task in NetSuite that periodically emails you a reminder to audit your roles. Determine the frequency of this task based on how often your permissions change and/or based on your audit requirements (e.g. monthly, quarterly, bi-annually, or annually). Alternatively, you could create a Role saved search that triggers an email/review only if there have been permission changes in the last x days, weeks, etc.
- Execute that task by exporting the role permissions overview (Set up >> Users/Roles >> Show Role Difference) and using our Tracker to detect any changes since your previous execution of the task.
- Analyze any role permission changes and, if necessary, revert unintended/unauthorized changes.
- Archive the results for future reference and to serve as an incremental log of role permission changes.
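The comparison step of this review can also be scripted. The sketch below is an added example, not part of the Tracker: it assumes each export has been saved as a CSV with a "Permission" column followed by one column per role, which may not match the actual Show Role Difference layout, and the role names, permission names and levels in the sample data are constructed. Beyond the periodic review, it also reports added and deleted roles and the permissions newly present on the base role.

```python
import csv
import io

# Constructed sample exports (assumed layout: "Permission" column + one column per role).
BEFORE = """Permission,Administrator,AP Clerk,Temp Auditor
Bills,Full,Edit,View
Journal Entry,Full,,View
Employees,Full,,
"""
AFTER = """Permission,Administrator,AP Clerk,Warehouse
Bills,Full,Full,
Journal Entry,Full,Create,
Employees,Full,,
Item Fulfillment,Full,,Edit
"""

def load_snapshot(csv_text):
    """Parse one export into {role: {permission: level}}; blank cells mean no access."""
    reader = csv.DictReader(io.StringIO(csv_text.strip()))
    roles = [col for col in reader.fieldnames if col != "Permission"]
    snapshot = {role: {} for role in roles}
    for row in reader:
        for role in roles:
            level = (row[role] or "").strip()
            if level:
                snapshot[role][row["Permission"].strip()] = level
    return snapshot

def diff_snapshots(before, after):
    """List every (role, permission, old, new) change, including added/deleted roles."""
    changes = []
    for role in sorted(set(before) | set(after)):
        old, new = before.get(role, {}), after.get(role, {})
        for perm in sorted(set(old) | set(new)):
            o, n = old.get(perm, "None"), new.get(perm, "None")
            if o != n:
                changes.append((role, perm, o, n))
    return {"roles_added": sorted(set(after) - set(before)),
            "roles_removed": sorted(set(before) - set(after)),
            "changes": changes}

def new_permissions(before, after, base_role="Administrator"):
    """Permissions the base role has now but did not have in the earlier snapshot."""
    return sorted(set(after.get(base_role, {})) - set(before.get(base_role, {})))

if __name__ == "__main__":
    report = diff_snapshots(load_snapshot(BEFORE), load_snapshot(AFTER))
    for role, perm, old, new in report["changes"]:
        print(f"{role}: {perm}: {old} -> {new}")
    print("Added roles:", report["roles_added"], "| Removed roles:", report["roles_removed"])
```

Archiving the printed report alongside the two exports gives the incremental change log described in the last step.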
Obviously, this approach is reactive instead of proactive. Being proactive is a better idea when it comes to security which is why I suggest using the pre-/post-release validation approach in combination with this one whenever feasible.
3. External Audits
If you’re an auditor, this Tracker will come in handy to compare the roles and permissions of the account you’re auditing relative to the last audit cycle.
4. Discovering New Permissions
The bi-annual NetSuite releases typically introduce new permissions. This Tracker can be used to quickly discover what permissions have been added by comparing the Administrator role before and after the NetSuite upgrade.
As an illustration, the 2021.1 release introduced a whopping 46 new permissions!
Parting Words
Consistency is the key
It really doesn’t matter how good a tool is if you don’t use it. To make the best of this Tracker, you must use it consistently. If you do not already have one, I recommend you develop a NetSuite change management process. Without a proper change management process in place, you’ll likely have bigger issues than just keeping tabs on your role permission changes. Feel free to reach out if you need help with getting your change management process organized.
There’s more to roles than permissions
While the Tracker is effective for monitoring permissions, bear in mind that roles have other components to them such as restrictions (refer to SuiteAnswers 32509), preferences, etc. Changes to those aspects of a role will not be captured by the Tracker because they are not included in NetSuite’s role differences tool. Tracking these will require more manual effort but is definitely possible. Perhaps, in a future iteration of the Tracker, we’ll incorporate options to track some of those fields. If you’re interested, be sure to subscribe and drop us a comment describing your ideas.
The “why” is often more important than the “what”
The Tracker helps you answer the question “What has changed?”. Augmented by NetSuite’s system notes, you can then find out who changed it and when. However, often, the most important question is: “Why did it get changed?” That, my friend, is a million-dollar question and if I had a simple way to tap into your brain or the brains of the NetSuite admins before you and automatically extract the rationales for making those changes, I’d be a millionaire!
On a more serious note, you must realize that it is not enough to know what has changed. Your change management process must include a means to track reasons for changes. Unfortunately, NetSuite does a poor job of facilitating the tracking of rationales for role changes natively. For example, unlike other records, the role record has no User Notes subtab where you could add notes. On the other hand, NetSuite’s customizable nature means that you can easily create a custom record to capture this information. Even simpler, you can extend the Tracker to capture the “why” of your role changes.
Watch out for a follow-up article in which I’ll share how to potentially use the Tracker to capture rationales of changes.
I hope you find this utility valuable. Here’s the download link if you haven’t already grabbed it. It is permanently work-in-progress and I’ll be updating it based on your feedback and my evolving insights. Drop a comment and let us know how you’re using the tracker and if you have any ideas for improvement. Also, spread the word within your NetSuite circles and put a smile on someone’s face!