877 348 1165
info@concentrus.com

Understanding High Level Roles & Access Control in NetSuite

By Stephanie Kim

On December 23, 2025

Secure role-based access control system for enterprise data management.

NetSuite’s out-of-the-box roles are only a starting point. Effective access control depends on properly combining role permissions with employee, subsidiary, and dimensional restrictions. Understanding how these settings interact helps prevent access issues, supports reporting accuracy, and keeps security aligned as your organization grows.

In this post...

Back to Blog

NetSuite typically comes with your standard out-of-the-box roles that are may be a great starting point but require some level of customization depending on the complexity. We’ll walk through a high-level view of some useful role settings/tips to manage your organization’s needs.

1. NetSuite Roles: The Foundation of Access Control

A role in NetSuite defines:

  • What records a user can view, create, edit, or delete
  • Which transactions, lists, and reports they can access
  • How data is filtered based on organizational dimensions (subsidiary, department, class, location, employee)

Roles are assigned to employees, and employees can have multiple roles, each with different access behavior.

2. Employee Restrictions

Employee restriction limits users to only their own records or records related to them.

Common Use Cases

  • Sales reps viewing only their own customers, opportunities, and transactions
  • Project managers seeing only projects they’re assigned to
  • Employees viewing only their own time entries or expenses

How It Works

  • Enabled via Employee Restrictions on the role
  • The options are:
    • None – no default
    • None – default to own
    • Own, subordinate, and unassigned
    • Own and subordinate only

3. “Do Not Restrict Employee Fields” Checkbox

The Do Not Restrict Employee Fields checkbox controls whether employee-based restrictions are applied to employee-related fields on records.

When checked, NetSuite ignores employee restrictions for employee fields such as:

  • Sales Rep
  • Assigned To
  • Project Manager
  • Employee references on transactions and records

Why This Exists

Without this option, employee-restricted roles can become overly locked down, preventing users from:

  • Selecting other employees on transactions
  • Viewing records owned by other employees
  • Running reports that reference employee fields

Common Use Cases

  • Sales reps who should:
    • Only see their own customers
    • But still select other employees on transactions
  • Project teams that need visibility across employee assignments

Best Practice:
If a role uses employee restrictions but users need to interact with other employees on records, this box should usually be checked.

4. Restrictions by Department

Limits access based on the Department field on records.

Common Use Cases

  • Finance users restricted to Finance department transactions
  • Department managers viewing only their team’s data

How It Works

  • Department must be populated on:
    • Transactions
    • Employees
    • Projects (if applicable)

Best Practice:
Use department restrictions primarily for reporting segmentation, not hard security—unless your data discipline is very strong.

5. Restrictions by Class

Filters data based on the Class dimension.

Common Use Cases

  • Product line visibility
  • Revenue segmentation by brand or offering
  • Service vs product differentiation

Best Practice:
Classes are best used for analysis, not security enforcement.

6. Restrictions by Location

Limits access to records associated with specific locations.

Common Use Cases

  • Warehouse-specific users
  • Regional operations teams
  • Inventory and fulfillment roles

7. Subsidiary Restrictions (Most Critical)

Controls access to data by legal entity (subsidiary).

Common Use Cases

  • Multi-subsidiary organizations
  • Regional accounting teams
  • Legal and tax separation

Implications

  • Strongest and most reliable restriction type
  • Incorrect setup can block approvals or postings
  • Elimination subsidiaries must be handled carefully

Best Practice:
Subsidiary restriction should be your primary security boundary in OneWorld accounts.

8. Copying a Role for Non-SSO Access

In SSO-enabled environments, you may need a non-SSO version of an existing role.

Recommended Approach

  1. Edit the existing role
  2. Remove the SAML Single Sign-On permission
  3. Click Save As
  4. Assign the copied role to users requiring non-SSO access

This preserves all permissions and restrictions while avoiding SSO conflicts. It may be a common use case for temporary sandbox access.

9. Comparing Roles with “Show Role Differences”

NetSuite provides a built-in tool to compare roles:

Show Role Differences

  • Navigate to Setup > Users/Roles > Show Role Differences
  • Select a base role and as many ‘Compare To’ roles as you’d like.
  • Click Show

Why It’s Useful

  • Quickly identify permission mismatches
  • Ideal for troubleshooting access issues/other errors
  • Critical for UAT vs Production validation

10. Key Takeaways & Best Practices

  • Subsidiary restrictions are the strongest form of access control
  • Employee restrictions should be paired carefully with Do Not Restrict Employee Fields
  • Department and Class restrictions can be risky without consistent data
  • Location restrictions work well for operations and inventory roles
  • Always duplicate roles instead of editing in place
  • Use Show Role Differences to troubleshoot errors that may be happening in a certain but not in others

We Are Experts at Generating ROI for our Clients Through Custom Integration of ERP Software