Restricting Integration Accounts from Accessing the NetSuite User Interface
by Jeff Hare
Written by Connor Thompson, CIA, CISA
Restricting integration accounts from having User Interface (UI) access in NetSuite is a critical security measure. Integration accounts exist to move data and automate work between NetSuite and other applications, performing essential functions without human intervention. An integration account that can also log in interactively is a standing risk to the organization's data and systems, and it creates operational problems as well.
Why This is Important
The primary reason for restricting UI access for integration accounts is security. Integration accounts often hold elevated privileges, including the ability to perform automated updates to transactions, master data records, user and role records, and other critical data. That makes their credentials especially attractive targets. If such an account is allowed into the UI, anyone who obtains its credentials (through a leaked configuration file, a compromised middleware server, or a phishing attack) can log in interactively and browse, export, or modify data far outside the narrow set of operations the integration was built to perform, which may result in a data breach or other malicious activity. By limiting these accounts strictly to APIs and background processes, organizations shrink the attack surface and make a stolen integration credential much less useful.
Operational integrity is the second reason. Integration accounts are meant to run automated processes without manual intervention. Allowing UI access invites staff to log in "as the integration" to fix a record by hand, which increases the risk of human error, unauthorized changes, and disruptions to automated workflows, and it muddies the audit trail because changes made by a person are recorded against the integration user. Ensuring that integration accounts operate only in their intended environment helps maintain the consistency and reliability of data transfers and business operations.
Other ERP systems have records specifically designed for creating integration accounts, with settings on those records to restrict UI access. NetSuite, however, controls this through the role. A role is designated as a "web services only" role when the "WEB SERVICES ONLY ROLE" checkbox on that role's setup record (Setup > Users/Roles > Manage Roles) is enabled. When enabled, the role can be used only for API interactions and background processes and cannot be used to log in to the UI. Note that the restriction is a property of the role, not of the user: if an integration user is also assigned a second role that is not web services only, that user can still log in to the UI with the second role. An integration account should therefore hold only web-services-only roles, and a review of the account's role list belongs alongside a review of the role setting itself.
Configuration Examples
Figure 1 shows the web services configuration on an example integration role:
Drilling down into the lower half of the example role record, to make the configuration easier to see, we find the following:
Once a role with this setting enabled is assigned to a user, that user is unable to access the system through the standard user interface with that role.
This measure ensures integration accounts operate solely within their intended scope. This facilitates secure and reliable data transfers while protecting the integrity and confidentiality of the system’s information.
Auditors can confirm whether this configuration was in place for the entire audit period by looking at the System Notes on the role record. Each note records the date, who made the change, the field, and the old and new values, so a window during which the checkbox was turned off and later turned back on is visible even though the current setting looks correct. The following example (Figure 3) shows a role where this configuration was enabled, then disabled.
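Both checks described above (every role held by an integration user is web services only, and the System Notes show no window in the audit period during which the checkbox was off) are easy to automate against exports from NetSuite. The script below is an added example and is not code from the original post or from NetSuite; it works on three small CSV extracts that are constructed inline here, and the column headers (`role`, `web_services_only`, `user`, `record`, `field`, `old_value`, `new_value`) are assumptions rather than NetSuite's exact export headers, so map them to whatever your saved search or System Notes export produces.

```python
"""Offline audit of NetSuite 'Web Services Only Role' coverage.

Added example; not NetSuite code. Column names below are assumptions
chosen for the constructed sample data, not NetSuite's export headers.
"""
import csv
import io
from datetime import datetime

FIELD = "Web Services Only Role"

# Constructed sample: role list with the checkbox as it stands today (T/F).
ROLES_CSV = """role,web_services_only
Integration - Orders,T
Integration - Payroll,T
Sales Manager,F
"""

# Constructed sample: role assignments for the integration users under review.
USER_ROLES_CSV = """user,role
int-orders@example.com,Integration - Orders
int-payroll@example.com,Integration - Payroll
int-payroll@example.com,Sales Manager
"""

# Constructed sample System Notes on the role records (Figure 3 style:
# enabled, later disabled, then re-enabled on one role).
SYSTEM_NOTES_CSV = """date,record,field,old_value,new_value
2024-01-05,Integration - Orders,Web Services Only Role,F,T
2024-03-10,Integration - Orders,Web Services Only Role,T,F
2024-03-12,Integration - Orders,Web Services Only Role,F,T
2023-11-01,Integration - Payroll,Web Services Only Role,F,T
"""


def _rows(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))


def _day(s):
    return datetime.strptime(s, "%Y-%m-%d").date()


def users_with_ui_capable_roles(roles_csv, user_roles_csv):
    """Map each integration user to the roles they hold that are NOT web
    services only. The flag is per role, so a single extra UI-capable role
    is enough for the user to reach the UI. Unknown roles are treated as
    UI-capable so that a gap in the role export surfaces as a finding."""
    ws_only = {r["role"]: r["web_services_only"].strip().upper() == "T"
               for r in _rows(roles_csv)}
    findings = {}
    for row in _rows(user_roles_csv):
        if not ws_only.get(row["role"], False):
            findings.setdefault(row["user"], []).append(row["role"])
    return findings


def disabled_intervals(system_notes_csv, role, period_start, period_end,
                       current_value=True):
    """Return [(start, end), ...] ISO date ranges inside the audit period
    during which the checkbox was off, reconstructed from System Notes.
    The value at period start is taken from the last note before the
    period, else from the old value of the earliest note, else from
    current_value (no recorded change means the setting has not moved)."""
    start, end = _day(period_start), _day(period_end)
    notes = sorted(
        (_day(n["date"]), n["old_value"].upper() == "T", n["new_value"].upper() == "T")
        for n in _rows(system_notes_csv)
        if n["record"] == role and n["field"] == FIELD)
    before = [n for n in notes if n[0] < start]
    if before:
        value = before[-1][2]
    elif notes:
        value = notes[0][1]
    else:
        value = current_value
    intervals = []
    off_since = None if value else start
    for when, _old, new in notes:
        if when < start or when > end:
            continue
        if value and not new:          # checkbox turned off
            off_since = when
        elif not value and new:        # checkbox turned back on
            intervals.append((off_since.isoformat(), when.isoformat()))
            off_since = None
        value = new
    if off_since is not None:          # still off at period end
        intervals.append((off_since.isoformat(), end.isoformat()))
    return intervals


if __name__ == "__main__":
    for user, roles in users_with_ui_capable_roles(ROLES_CSV, USER_ROLES_CSV).items():
        print(f"FINDING: {user} holds UI-capable role(s): {roles}")
    for role in ("Integration - Orders", "Integration - Payroll"):
        gaps = disabled_intervals(SYSTEM_NOTES_CSV, role, "2024-01-01", "2024-06-30")
        print(f"{role}: checkbox off during {gaps or 'no part of the period'}")
```

Run against real exports, the first function answers the question the role setting alone cannot (does this integration user have any other way into the UI?), and the second turns a System Notes list like Figure 3 into the exact dates the control was not operating, which is what an auditor needs to size the exception rather than simply note that a change occurred.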
In Conclusion
NetSuite provides a simple, auditable control for keeping integration accounts out of the UI, which lets organizations build integration accounts that do exactly their job and nothing more. Management should also secure integrations with token-based authentication rather than a password, so that the integration holds no password for a phishing attack to capture and a phished user password cannot be reused to call the APIs; the token can be revoked independently if the integration is compromised. If you have any additional questions about restricting integration accounts or UI access, then reach out! We'd be happy to help or answer any questions. You can email us at support@erpra.net.