Hello Everyone! I've been scratching my head for a while now. Do you happen to know how I could accomplish a list of what types of records the users are accessing and for what reason? We are trying to do a cleanup in roles and permissions and I'm not too sure how to proceed. I'm looking for something like this :

| Employee | Role | Record type | Type of access (edit/view/print...) | Time of access

Audit trail for create, change, delete .... and the only place I've found 'view' information is via 'All Recent Records' (via the clock in top left) ... but you can only see it for the logged in user.

Use the role comparison page to quickly get a list of all your roles and what permissions they have - and then use an employee search to get the roles assigned to each employee. Marry up as necessary.

It's more about changing roles for people who don't actually need certain permissions on stuff they don't use than knowing what permissions people have

Well - then it seems like the role comparison page is your tool

I don't understand why you can't report on 'view' information as that would be super useful for things like permissions and auditing access. The information is clearly there in the back end but only for the logged in user context.

If your goal is to clean up permissions why do you care what they actually looked at? Your goal should be to limit what they "can" in which case - the show role differences page is a concise way to view all of your roles and compare them.

True, you should start users off with the absolute minimum if possible. interestingly there was an issue at a clients the other day re Sage Accounts and permissions. Someone in the accounts dept had removed permissions for some users who he 'thought' shouldn't have access to certain areas. The next day he was on holiday and all hell broke loose because they actually did need those permissions to do their job. :)

one thing to also bear in mind - is a role permission name may not be sufficient to pass judement on whether it is needed or not - I'd recommend stepping down to "view" access before removing anything completely.

Because of course everyone thinks they "need" all the permissions but if they don't actually use it, what is the point? This is a system already in place when I entered the job. All people seem to have, or Employee centre, or Full access. I can't just guess what they "should" be able to see. In an ideal world, of couse, start with the minimum and give more if necessary. But they started at Full in everything so now we've got to repair the damage...

We have this discussion with our auditors every year. Netsuite roles just aren't up to task, I'm afraid. Segregation of duties is so hard unless the person provisioning access has an encylcopaedic knowledge of what each role has and doesn't have. What you could do is copy your roles and give your employees access to both. Tell them to log in as the new "lower permission" role. Every time they log in under the "old" role, send an email to them asking why they're using the old role, what permission they didn't have. Security through annoyance thinking Be prepared to end up with lots of roles as a result of this exercise