In Part 1 of this series, we reviewed NetSuite’s permission model and I explained that the “Run Unrestricted” saved search mode applies to restrictions and not permissions. Well, that’s not always the case. The Transaction record is a notable exception to that rule, as I explain in this article.
“Run Unrestricted” usually applies to role restrictions. However, for the Transaction record, this option overrules permissions! Ironically, this exception does not apply to the System Notes record where it would make perfect sense.
Running a Transaction Search Unrestricted
Let’s jump right into an example. Edet, the NetSuite Admin at Asoville Inc., has created a saved search of all transactions as requested by her finance team to facilitate analysis. She’s shared this search with Amina, the A/R Analyst, and Tim, the A/P Analyst.
When Amina runs this search, she only sees transactions related to receivables – Sales Orders, Invoices, Customer Payments, etc. but not other transactions such as those related to payables.
Tim, on the other hand, runs the search and sees only transactions related to payables like Bills and Bill Payments.
Edet, working from the Administrator role sees all transactions as expected. So far, nothing unusual. This behavior is consistent with NetSuite’s permission model. For Tim and Amina to see all transactions in the search results, they should be granted at least View access to each transaction type.
However, before going ahead to modify the permissions of both roles, Edet decides to enable the “Run Unrestricted” option on the search, simply out of curiosity. She’s read the first part of this series and doesn’t expect this option to make any difference but trying doesn’t hurt… Surprise, surprise: With “Run Unrestricted” checked, both Tim and Amina are now able to see all transactions!
(Undocumented) Feature or Bug?
While this accidental discovery is good news for the finance team at Asoville, Edet is puzzled just as you possibly are right now. She revisits the description of “Run Unrestricted” [I] in the NetSuite Help Center:
“Run Unrestricted option [makes] search results available to users who would normally be restricted from seeing the underlying records.”
SuiteAnswers (Answer Id: 8474)
Note that users without the correct permissions will still be unable to view the search results.
She also reviews the permissions of both roles (Setup >> Users/Roles >> Show Role Differences) and confirms that indeed these users do NOT have the permissions required to see all transactions. Specifically, Amina’s A/R Analyst role does not have permission to Bills or Bill Payments, and Tim’s A/P Analyst role does not have access to Sales Orders, Invoices, or Customer Payments. Her conclusion, like mine, is that for Transaction searches, “Run Unrestricted” does overrule both restrictions and permissions!
It is unclear whether this is by design or a system flaw that will someday be discovered by NetSuite engineers and fixed. I have also not found any documentation explaining this behavior. (If you do, be sure to share it with me.)
Next time you need a saved search that exposes all transactions regardless of role permissions, “Run Unrestricted” will do the trick.
Is this a good or a bad thing? That’s really not the point. What’s important is that you understand that this inconsistency exists and can be exploited when necessary. It is equally important to understand that it is an exception rather than the rule. Missing this crucial point will set you up for a disappointment if you expect “Run Unrestricted” to magically overrule permissions of an arbitrary saved search. It won’t… unless it’s a transaction search (or another exceptional search type waiting to be discovered).
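To review where this exception is already in effect, the following sketch lists every saved search and role for which “Run Unrestricted” shows transaction types the role has no permission for. It is an added example, not code from this article or from NetSuite; the inventory layout, field names and sample data are assumptions constructed for illustration and would be compiled by hand from your own account.

```javascript
// Added example: all data below is constructed for illustration.
// Transaction types each role holds at least View permission for.
const rolePermissions = {
  "A/R Analyst": ["Sales Order", "Invoice", "Customer Payment"],
  "A/P Analyst": ["Bill", "Bill Payment"],
};

// Hand-compiled inventory of saved searches (layout is an assumption).
const savedSearches = [
  { title: "All Transactions", recordType: "Transaction", runUnrestricted: true,
    audience: ["A/R Analyst", "A/P Analyst"],
    transactionTypes: ["Sales Order", "Invoice", "Customer Payment", "Bill", "Bill Payment"] },
  { title: "Open Invoices", recordType: "Transaction", runUnrestricted: false,
    audience: ["A/P Analyst"], transactionTypes: ["Invoice"] },
  { title: "Customer List", recordType: "Customer", runUnrestricted: true,
    audience: ["A/P Analyst"], transactionTypes: [] },
];

// Per the article, "Run Unrestricted" overrules permissions only on
// Transaction searches; on other record types it lifts restrictions only.
function findPermissionBypasses(searches, permissions) {
  const findings = [];
  for (const s of searches) {
    if (s.recordType !== "Transaction" || !s.runUnrestricted) continue;
    for (const role of s.audience) {
      if (role === "Administrator") continue; // already sees every transaction
      const granted = new Set(permissions[role] || []);
      const exposed = s.transactionTypes.filter((t) => !granted.has(t));
      if (exposed.length > 0) findings.push({ search: s.title, role, exposed });
    }
  }
  return findings;
}

for (const f of findPermissionBypasses(savedSearches, rolePermissions)) {
  console.log(`${f.search}: ${f.role} sees ${f.exposed.join(", ")} without permission`);
}
```

Only the “All Transactions” search is reported: the unchecked transaction search and the unrestricted Customer search follow the normal rule and widen nothing.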
Since we’re talking about inconsistencies and oddities, here’s a quick note on the System Notes record.
A Note About “System Notes”
System Notes are one of NetSuite’s key audit trailing features. NetSuite automatically logs (material) changes on various record types to the System Notes record. To view the system notes associated with a record, a user/role must have at least View access for the permission Lists >> Notes Tab [II] and, in case of custom records, system notes must be enabled in the custom record definition.
Using System Notes as a Detective Control
A common use case in the auditing context is to create a detective (read: after-the-fact) control based on system notes to validate that no unapproved changes have been made by a given role and/or from specific role(s). A common way to do this is to create a saved search that filters the users/roles of interest and automatically emails the search results at a specified frequency for review.
It is important to bear in mind that only the Administrator role is able to see the system notes of other users in search results. So if you run a System Notes saved search from a non-Administrator role, you will only see changes that you have made but not those of others, even if they exist. Get this right: If you went to the record itself, you’d see the system notes from all users. However, from a saved search, you’d only see your own changes! Yes, it’s weird and inconsistent.
The “Run Unrestricted” option does not help here either. NetSuite plays by the rules and applies the default logic, namely that “Run Unrestricted” applies to restrictions, not permissions. Access to system notes via saved searches is governed by a permission and therefore cannot be overruled by the “Run Unrestricted” option. (In fact, this permission is “hardcoded”, meaning that it is not exposed as a configurable permission and cannot be altered.)
Arguably though, this would have been a perfect scenario to allow an exception, just as is done for Transaction searches. Allowing “Run Unrestricted” to expose all system notes associated with a record to any user who has access to the saved search would be tremendously useful for general analysis and would make it easier for a non-Admin user to audit changes made by an Administrator. If someone at NetSuite is reading, (hint, hint) please make sure to include this feature in the ongoing System Notes v2 project! [III]
Now that you hopefully understand the rules governing “Run Unrestricted” (from Part 1) and notable exceptions/limitations (from this article), we’ll focus our attention in Part 3 on security considerations.
[I] NetSuite (March 4, 2011). Defining a Saved Search. Available at: https://netsuite.custhelp.com/app/answers/detail/a_id/8474 [Accessed August 28, 2020]
[II] NetSuite Developer (July 5, 2019). Permission to View System Notes. Available at: http://www.netsuiterp.com/2019/07/permission-to-view-system-notes.html [Accessed September 11, 2020]
[III] NetSuite (March 13, 2020). System Notes v2 Overview. Available at: https://netsuite.custhelp.com/app/answers/detail/a_id/91347 [Accessed September 14, 2020]