NetSuite Roles and Permissions: Access Control Guide

Aaxonix Team Aaxonix Team · Mar 30, 2026 · 7 min read #NetSuite #Permissions #Roles
NetSuite Roles and Permissions: Access Control Guide

NetSuite’s role-based access system gives each user access to exactly what they need. Sales reps see their deals and NetSuite SuiteScript customisationer records. Warehouse staff see inventory and fulfilment. The CFO sees everything. For Indian mid-market companies with 20 to 200 users across departments, getting roles and permissions right is critical for data security and operational efficiency.

Role-based access control configuration in NetSuite

How NetSuite Roles Work

Every NetSuite user is assigned one or more roles. A role defines which modules, records, reports, and actions the user can access. NetSuite ships with 20+ standard roles (Administrator, Sales Manager, Accountant, Warehouse Manager, etc.) that cover most common configurations.

Standard Roles for Indian Businesses

RoleAccess
Sales RepOwn leads, contacts, opportunities, quotes
Sales ManagerAll sales data, team pipeline, forecasts
AccountantGL, AP, AR, bank reconciliation, reports
A/P ClerkVendor bills, payments, PO matching
WarehouseInventory, fulfilment, receiving, transfers
ExecutiveDashboards, KPIs, all reports (read-only)
AdministratorFull access including configuration

Creating Custom Roles

Go to Setup > Users/Roles > Manage Roles > New. A custom role is a permission set you build from scratch. For each transaction type, set permission to None, View, Create, Edit, or Full. For example, a “Purchase Coordinator” role might have Create and Edit on Purchase Orders but View-only on Vendor Bills.

Segregation of duties for audit compliance

Record-Level Restrictions

Beyond role permissions, restrict record access by department, subsidiary, or location. A salesperson in the West India team sees only customers and deals in the West India subsidiary. A warehouse manager in the Mumbai location sees only Mumbai inventory. Configure these restrictions in the role settings under Audience.

Segregation of Duties

For audit NetSuite India GST setup, ensure no single user can both create a vendor bill and approve its payment. NetSuite supports segregation of duties by assigning different roles for creation and approval. The person who enters a vendor bill should not be the same person who releases the payment.

Frequently Asked Questions

How many roles can a user have?
A user can have multiple roles and switch between them. Common pattern: a finance manager has both Accountant and A/P Manager roles, switching based on the task. Each role change adjusts the user’s access and menu options immediately.
Can I restrict access to specific fields on a record?
Yes. Use field-level permissions and form customisation. Create a custom form for a specific role that hides sensitive fields (like cost price or margin) while showing the rest. Different roles can use different forms for the same record type.
How do I audit who accessed what in NetSuite?
NetSuite logs all record views, edits, and deletions in the system audit trail. Administrators can review login history, record access logs, and permission changes. For Indian companies subject to statutory audits, this trail demonstrates proper access control.
Can external users (vendors, customers) get limited access?
Yes. NetSuite supports customer and vendor center roles. These are limited portals where external users can view their own transactions (orders, invoices, support cases) without seeing internal data. Useful for customer self-service and vendor invoice submission.

Understanding NetSuite’s Standard Roles

NetSuite ships with over 30 standard roles covering common business functions. For Indian businesses going live on NetSuite, the roles most frequently assigned are: Administrator (full system access, typically limited to 1-2 IT or ERP admins), Accountant (access to all accounting transactions and reports, but cannot change system configuration), Sales Rep (access to CRM, quotes, and orders, but not financial data), Purchasing Agent (access to requisitions, POs, and vendor bills), and Warehouse Manager (access to inventory, item receipts, and fulfilment).

Standard roles are a good starting point, but most Indian businesses need adjustments. The standard Accountant role, for example, gives access to all subsidiaries by default, which is inappropriate if your company has subsidiaries in different states and you want each accounts team to see only their own entity’s data. This is where role customisation becomes necessary.

Creating and Customising Roles

To create a custom role, go to Setup > Users/Roles > Manage Roles > New. Start by copying a standard role that is closest to what you need, then modify permissions. NetSuite permissions work at two levels: record-level access (can the user see this type of record?) and field-level security (can the user see or edit specific fields on that record?). For sensitive data like salary information or bank account details, use field-level security to restrict access even within a role that otherwise has broad access.

Subsidiary access is controlled separately. A role can have full access to all NetSuite features but be restricted to a single subsidiary. This is important for Indian companies with subsidiaries in different states (for example, a Maharashtra entity and a Karnataka entity with separate GSTINs). The accounts team for each state should only see transactions for their subsidiary.

Least Privilege Principle and Common Permission Mistakes

The least privilege principle means users should only have the access they need to do their job, nothing more. This is especially important in Indian businesses where ERP fraud (duplicate vendor payments, fictitious vendors, unauthorised PO approvals) is a real risk. Common over-permission situations to check:

NetSuite’s User Access Audit report (under Reports > Audit Trail) shows a log of who accessed which records and when. Run this quarterly and investigate any unusual access patterns.

Frequently Asked Questions

Can NetSuite enforce IP address restrictions for specific roles?

Yes. NetSuite supports IP address access restrictions per role. You can configure a role so that it can only be used from a specific IP range (for example, your office network or a VPN). This is a useful additional control for the Administrator role, ensuring system configuration changes can only be made from a trusted network. The setting is under Setup > Users/Roles > Manage Roles, in each role’s Allowed IP Address field.

How does NetSuite handle access control for employees who change departments?

Role changes in NetSuite are immediate. When an employee moves departments, update their assigned role in their Employee record under the Access tab. Remove the old role and assign the new one. The change takes effect on next login. For employees leaving the organisation, disable their login under Setup > Users/Roles > Manage Users to prevent any post-exit access.

Can users have multiple roles in NetSuite?

Yes. A user can be assigned multiple roles. When they log in, they select which role to use from a dropdown in the top right corner. This is common for senior employees who need both a departmental role and a read-only access to other areas. However, multiple roles increase complexity and can inadvertently grant broader access than intended. Review multi-role assignments during each quarterly access audit.

Share this article LinkedIn Twitter / X
# NetSuite # Permissions # Roles # Security

Keep Reading

← Back to all articles

Thinking about Zoho or NetSuite?

Our team builds systems that actually work. No fluff, just honest architecture and clean implementation.

Schedule a free consultation View case studies