# administration
Hi, I would like to understand how the custom roles analysis is done for good SOD or ITGC control purposes. I would greatly appreciate any input or experience you can share.
One place to start is the show role differences and a good understanding of the access tiers view/create/edit/full. After that, an understanding of the records. Lastly, testing to see what each access/tier combination does.
For SOD any role that has master record (item, customer, vendor) create/edit permissions should only have view permissions for transactions and vice versa.
Thank you Nick and Eric B!
NetSuite is pretty bad for segregation of duties stuff because there is no "deny" permission, and roles are completely standalone. So if someone has a role where they can raise purchase orders, another role where they can approve purchase orders, another role where they can make cash payments, etc., there's no easy way to see the "consolidated permissions" of the person. You can get there with saved searches and MAX(level), but it's a frustrating exercise, and it means the people granting (or approving the granting of) roles need to have a good understanding of what permissions are contained in the roles.
Both FastPath and StrongPoint have SOD rules that they can tailor to your SOD needs. I recommend taking a look at both these solutions. There is no need to reinvent the wheel. They have scripts that you can run against your environment to indicate where you have SOD conflicts. And then you can decide, based on your organization's policy, how to handle those SOD exceptions.
I do agree that NetSuite roles are not suitable out of the box for either SOX or SOD compliance. The first action you need to take is to customize those native NS roles and inactivate them. Next step is to make any role assigned to your C-suite users VIEW ONLY. There shouldn't be any reason why C-suite users should have create/edit permissions. The next step is to remove ALL FULL permissions because FULL allows record deletion. There are exceptions for permission levels which are only set to FULL. Let your admins be the only ones to delete records and turn on record deletion reason as well as implement change management.
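The three checks discussed in this thread (the master-record-vs-transaction SOD rule, the "consolidate a user's roles by taking MAX(level) per permission" approach, and the "flag every FULL permission because it allows deletion" rule) can be combined into one small review script. The following is an added example written for this thread, not code from NetSuite, FastPath or StrongPoint, and not any poster's own search templates. It is plain Node.js (chosen because NetSuite's own scripting language, SuiteScript, is JavaScript), and all of the role definitions, permission names and user-role assignments in it are constructed sample data that stand in for what a saved search over roles and employee role assignments would return; the numeric level ordering VIEW < CREATE < EDIT < FULL is an assumption made for the example.

```javascript
// Added example for this thread (constructed data, not NetSuite's own identifiers).
// 1. Consolidate a user's permissions across roles by MAX level per permission.
// 2. Flag SOD conflicts: create/edit on master records AND create/edit on transactions.
// 3. Flag every FULL permission, since FULL allows record deletion.

// Assumed ordering of NetSuite access tiers for the MAX comparison.
const LEVEL = { NONE: 0, VIEW: 1, CREATE: 2, EDIT: 3, FULL: 4 };
const LEVEL_NAME = Object.fromEntries(Object.entries(LEVEL).map(([k, v]) => [v, k]));

// Which permissions count as master records vs transactions for the SOD rule.
const MASTER_RECORDS = new Set(['Items', 'Customers', 'Vendors']);
const TRANSACTIONS = new Set(['Purchase Order', 'Vendor Bill', 'Pay Bills', 'Sales Order', 'Invoice']);

// Constructed custom role definitions: role name -> { permission -> level }.
const ROLES = {
  'Custom AP Clerk':           { 'Vendor Bill': LEVEL.CREATE, 'Purchase Order': LEVEL.VIEW, 'Vendors': LEVEL.VIEW },
  'Custom Vendor Maintenance': { 'Vendors': LEVEL.EDIT, 'Vendor Bill': LEVEL.VIEW },
  'Custom AP Manager':         { 'Vendor Bill': LEVEL.FULL, 'Pay Bills': LEVEL.FULL, 'Purchase Order': LEVEL.EDIT },
  'Custom Sales Viewer':       { 'Sales Order': LEVEL.VIEW, 'Customers': LEVEL.VIEW },
};

// Constructed user -> assigned roles (what an employee-role saved search would list).
const USER_ROLES = {
  alice: ['Custom AP Clerk', 'Custom Vendor Maintenance'],
  bob:   ['Custom AP Manager'],
  carol: ['Custom Sales Viewer'],
};

// Effective permission level is the MAX across all of the user's roles,
// because NetSuite has no "deny": the most permissive role wins.
function consolidate(roleNames, roles = ROLES) {
  const effective = {};
  for (const name of roleNames) {
    for (const [perm, level] of Object.entries(roles[name] || {})) {
      effective[perm] = Math.max(effective[perm] || LEVEL.NONE, level);
    }
  }
  return effective;
}

// CREATE or above means the user can change data, not just view it.
function canWrite(level) { return (level || LEVEL.NONE) >= LEVEL.CREATE; }

// Apply the thread's SOD rule plus the FULL-permission check to a consolidated view.
function findConflicts(effective) {
  const findings = [];
  const writesMaster = [...MASTER_RECORDS].filter(p => canWrite(effective[p]));
  const writesTxn = [...TRANSACTIONS].filter(p => canWrite(effective[p]));
  if (writesMaster.length && writesTxn.length) {
    findings.push({
      type: 'SOD',
      detail: `master records [${writesMaster.join(', ')}] and transactions [${writesTxn.join(', ')}]`,
    });
  }
  for (const [perm, level] of Object.entries(effective)) {
    if (level === LEVEL.FULL) findings.push({ type: 'FULL', detail: `${perm} is FULL (allows deletion)` });
  }
  return findings;
}

// Review every user: returns { user: { effective, findings } }.
function reviewAllUsers(userRoles = USER_ROLES, roles = ROLES) {
  const report = {};
  for (const [user, names] of Object.entries(userRoles)) {
    const effective = consolidate(names, roles);
    report[user] = { effective, findings: findConflicts(effective) };
  }
  return report;
}

// Stand-alone run: print the consolidated permissions and findings per user.
for (const [user, { effective, findings }] of Object.entries(reviewAllUsers())) {
  const perms = Object.entries(effective).map(([p, l]) => `${p}=${LEVEL_NAME[l]}`).join(', ');
  console.log(`${user}: ${perms}`);
  for (const f of findings) console.log(`  [${f.type}] ${f.detail}`);
}
```

In the sample data, alice's two individually harmless roles combine into an SOD conflict (EDIT on Vendors plus CREATE on Vendor Bill), which is exactly the cross-role problem the consolidated view exposes; bob has no SOD conflict but two FULL permissions to review. Replace the constructed `ROLES` and `USER_ROLES` objects with the output of your own role and employee saved searches to run the same logic against a real environment.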
I did a presentation on ITGC and SOX control at 2019 SuiteWorld. My presentation does have quite a few search templates for ITGC, including SOD. See below: https://webworxsc-my.sharepoint.com/personal/sam_webworxsolution_net/_layouts/15/onedrive.[…]m%5Fwebworxsolution%5Fnet%2FDocuments%2Fsuiteworld&ga=1