NetSuite saved searches have a feature called “Run Unrestricted” whose behavior is often misunderstood. More importantly, there are little known security issues associated with the feature that you need to understand before using it. In this series, you’ll learn all you need to know about running searches unrestricted.
You can use the “Run Unrestricted” option to overrule any restrictions (not permissions) applied to a role and potentially expose more data than a user would normally have access to. However, there’s more to it than meets the eye so a deeper understanding is required.
NetSuite’s Permission Model
Before diving into the “Run Unrestricted” feature, it is important to understand the basics of NetSuite’s Permission Model.
- A NetSuite User can have one or more roles.
- A Role is a set of permissions governing the user’s access to NetSuite. Your role determines what functionality and data you have access to.
- A Permission has access levels that affect what a user can do the the record to which the permission applies. The access levels in increasing order of power are: None, View, Create, Edit or Full (allows deletion).
- Restrictions may be applied on top of permissions to further limit access.
- Based on this model, users with different roles accessing the same data may see different results based on the permissions and restrictions specified in their roles.
Saved Searches are one of the three main components of SuiteAnalytics – NetSuite’s collection of tools for slicing and dicing your data ultimately to facilitate sound, data-driven business decisions. [I]NetSuite. SuiteAnalytics: Discover Insights, Take Action, Accelerate Success. Available at https://www.netsuite.com/portal/products/analytics.shtml. [Accessed August 28, 2020] (Reports and Workbooks are the other main data analytics tools currently offered by NetSuite.)
As already stated, a user’s role determines what data they have access to. This fact can lead to confusion and frustration as two users can run the same saved search and see different number of rows in the output. In some situations, you want to overrule such restrictions and allow all users see the same results. One of the ways to achieve that is to apply the “run unrestricted” option to the search. This option is visible only to the Administrator role and is located under the
Results subtab of every saved search. If you don’t find it, double-check that you’re logged into the Administrator role.
What Does “Run Unrestricted” Really Do?
Here’s the official description from the NetSuite Help Center (emphasis supplied) [II]NetSuite (March 4, 2011). Defining a Saved Search. Available at https://netsuite.custhelp.com/app/answers/detail/a_id/8474 [Accessed August 28, 2020]:
Run Unrestricted option [makes] search results available to users who would normally be restricted from seeing the underlying records. Note that users without the correct permissions will still be unable to view the search results.SuiteAnswers (Answer Id: 8474)
The choice of words in the above description is deliberate. “Run Unrestricted” applies to restrictions not permissions! But what exactly does that mean?
Permissions and Restrictions Example
Let’s look at an example to clarify. This example comes from NetSuite’s article on Permissions and Restrictions which is worthy of your attention. [III]NetSuite (September 5, 2013). Permissions and Restrictions. Available at https://netsuite.custhelp.com/app/answers/detail/a_id/32509 [Accessed on August 28, 2020].
Sammy is a team manager. As the manager of a team of employees, Sammy’s “Team Manager” role might be granted the View access level for the Employees permission. This level would enable him to view, but not edit, all employee records.
But what if we want Sammy to only see the employees within his team? That’s where restrictions come into play. We can apply the Employee restriction “own and subordinates only” to Sammy’s role so he can only access the employee records of members of his team.
NetSuite offers five types of restrictions which can be applied at role level as illustrated above. The restriction types are: (1) Employee Restrictions; (2) Department Restrictions; (3) Class Restrictions; (4) Location Restrictions; and (5) Subsidiary Restrictions. Refer to SuiteAnswers (Answer Id: 32509) for more details.
Going back to our example. Suppose we’ve created an employee saved search that exposes limited data from each employee record, and we want Sammy to be able to see this information for all employees including those not on his team. We’ll simply check the “Run Unrestricted” box to overrule the employee restrictions applied to Sammy’s role. When Sammy runs that search, he will be able to see all employees. However, if he tries to click through from the search results to view the full employee record of someone who’s not on his team, he’ll be denied access because his role is restricted to viewing employees within his team. This is pretty neat as it allows us to define base restrictions at role level and overrule them on individual saved search basis.
“Run Unrestricted” Applies to Restrictions and Not to Permissions
Now here’s the crucial point. Suppose we shared the same search (with “Run Unrestricted” enabled) with Jimmy. Jimmy has a different role where Employee access level is “None”. When Jimmy runs that search, it will return zero results. “Run Unrestricted” does not help Jimmy because his role does not have the minimum required “View” access level for the Employee record.The "Run Unrestricted" option on Saved Searches applies to role restrictions and not to role permissions. Click To Tweet
So to answer the question we started off with: What does “Run Unrestricted” really do? It overrules restrictions applied to a role but still respects the permissions. Well, that’s the simple version of the story… In part 2 of this series where we’ll dig deeper and expose some anomalies as well as security concerns that you really need to understand in order to properly use the “Run Unrestricted” feature.
If you’re not yet subscribed, do so here to receive NetSuite Insights right in your inbox!
Other Stories in This Series
|↑I||NetSuite. SuiteAnalytics: Discover Insights, Take Action, Accelerate Success. Available at https://www.netsuite.com/portal/products/analytics.shtml. [Accessed August 28, 2020]|
|↑II||NetSuite (March 4, 2011). Defining a Saved Search. Available at https://netsuite.custhelp.com/app/answers/detail/a_id/8474 [Accessed August 28, 2020]|
|↑III||NetSuite (September 5, 2013). Permissions and Restrictions. Available at https://netsuite.custhelp.com/app/answers/detail/a_id/32509 [Accessed on August 28, 2020]|