Roles (RBAC)

One of the key strengths of NetSuite and other ERP systems is their built-in, customizable Role Based Access Control (RBAC), which, when used correctly and effectively, is not only best practice and improves your business structure but will automatically meet the needs of many accounting compliance standards.

Sounds great, but tailoring NetSuite Roles so that users get an easy-to-use business tool with access to the key on-demand information they need, when they need it, while keeping them away from information they do not need, can become complex. A lot of the difficulty in role design stems from a lack of clarity about job functions, case-by-case needs, and role requirements. Often, the default response to a small requirement, such as one role needing access to one report, is to over-grant privileges, transactional access and system access (for example, everyone in an accounting department having an Administrator Role). Contrary to instinct, and regardless of business size, it is always better to err on the side of under-access rather than over-access to any business ERP or CRM system.

How to Design Roles that Meet Business Requirements and Stand Up to Audit Scrutiny

The best way to start is to sit down and outline, on scrap paper, each and every person's job functions in detail (try to do this from a business-systems perspective as much as possible). From this, go through the roles and access already built out in your NetSuite environment and decide whether each role needs access to these records/transactions and, if so, what the limitations should be. Always keep the following questions in mind:

What are the checks and balances in your organization? Are they clearly defined, and do the NetSuite Roles reflect organization policy?
What is the risk involved in giving a role access, and does the benefit outweigh the potential over-exposure?
Is this the most restrictive role possible while still giving the user the system functionality needed to perform their day-to-day job in a timely manner?
Does this role allow a user to work around intentionally designed preventive controls?
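As an added example (not code from the original post or from OrangeLight), the following Python script applies the last two questions to constructed NetSuite-style role definitions: it flags permissions granted above what a job function actually needs, and permission pairs that let a single user bypass approval routing. The permission names, job functions, permission levels and conflict pairs are assumptions made for the example.

```python
# Added example (not from the original post): a least-privilege and
# segregation-of-duties review over constructed NetSuite-style role data.
# Permission names, job functions and conflict pairs are hypothetical.

LEVELS = {"NONE": 0, "VIEW": 1, "CREATE": 2, "EDIT": 3, "FULL": 4}

# Constructed: what each job function actually needs, permission -> minimum level.
JOB_NEEDS = {
    "AP Clerk": {"Vendor Bills": "CREATE", "Vendor Records": "VIEW",
                 "A/P Aging Report": "VIEW"},
    "AP Manager": {"Vendor Bills": "VIEW", "Approve Vendor Bills": "FULL",
                   "A/P Aging Report": "VIEW"},
}

# Constructed: what the roles currently grant, permission -> level.
ROLES = {
    "AP Clerk": {"Vendor Bills": "FULL", "Vendor Records": "EDIT",
                 "A/P Aging Report": "VIEW", "Approve Vendor Bills": "FULL"},
    "AP Manager": {"Vendor Bills": "VIEW", "Approve Vendor Bills": "FULL",
                   "A/P Aging Report": "VIEW"},
}

# Constructed: permission pairs that, held at CREATE or above by one role,
# let a user work around an approval-routing (preventive) control.
SOD_CONFLICTS = [("Vendor Bills", "Approve Vendor Bills")]


def over_grants(granted, needed):
    """Return (permission, granted_level, needed_level) where the role exceeds need."""
    findings = []
    for perm, level in granted.items():
        need = needed.get(perm, "NONE")  # anything not required is needed at NONE
        if LEVELS[level] > LEVELS[need]:
            findings.append((perm, level, need))
    return findings


def sod_violations(granted):
    """Return conflict pairs where both sides are held at CREATE or higher (view-only is fine)."""
    def active(perm):
        return LEVELS[granted.get(perm, "NONE")] >= LEVELS["CREATE"]
    return [(a, b) for a, b in SOD_CONFLICTS if active(a) and active(b)]


def review_role(name):
    """Review one role against the needs of the job function of the same name."""
    granted = ROLES[name]
    return {"over_grants": over_grants(granted, JOB_NEEDS[name]),
            "sod": sod_violations(granted)}


if __name__ == "__main__":
    for role in ROLES:
        print(role, review_role(role))
```

In the constructed data the AP Manager role passes cleanly, while the AP Clerk role is both over-granted and able to create and approve the same bill, which is exactly the workaround the last question asks about.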


There are three key types of controls that can be designed in NetSuite (possibly more, but three are discussed here), and all three are critical to the health of an ERP system.

Preventive controls attempt to deter or prevent undesirable events from occurring; they are proactive controls that help prevent loss. Examples of preventive controls include approval routing, manager verifications, data validation workflows, dynamic form layouts, etc. Preventive controls are the number one area where an organization can take steps to design and implement measures that mitigate potential human error and streamline operational processes.

Detective controls are things such as scheduled or on-demand reports and reconciliations that bring attention to an error through a subsequent review of information. Management compares information from the system against benchmark information to identify and trace possible errors or anomalies. Giving your team access to the right reports can improve your detective control processes.

Corrective controls are used to ensure that, once an error has been detected, the mistake is corrected, and the accounting records are made accurate. Examples of corrective controls include clearing reconciled items, reversing incorrect accounting entries, and reclassifying items that were improperly classified.

What are your organization's controls, and do your NetSuite roles complement them?

Need help designing system controls and adequate roles? Contact OrangeLight today