# NetSuite

### Overview

The Veza integration discovers a single Oracle NetSuite tenant and its users, roles, and subsidiary resources. To discover more than one environment (for example, production and staging), follow the instructions to configure two separate instances of the integration.

See [notes and supported entities](#notes-and-supported-entities) for more details.

### Configuring NetSuite

Authentication uses an OAuth2 workflow. The integration exchanges a JWT, based on a client ID and certificate, for a bearer token. The bearer token is used for all SuiteQL API calls.
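
The exchange described above can be reproduced with `openssl`. This added example is not Veza's code: it builds and signs the JWT client assertion and checks it against the certificate. The placeholder IDs, the token endpoint layout, the claim set and the PS256 algorithm are assumptions based on NetSuite's OAuth 2.0 client credentials flow, and the key pair is a throwaway generated for the demo.

```bash
# Added example, not Veza code. All identifiers are constructed placeholders.
ACCOUNT_ID="1234567-sb1"             # NetSuite instance ID (sandbox form)
CONSUMER_KEY="EXAMPLE_CONSUMER_KEY"  # consumer key of the integration record
CERT_ID="EXAMPLE_CERTIFICATE_ID"     # Certificate ID of the uploaded public.pem
# Assumed NetSuite token endpoint, also used as the JWT audience:
TOKEN_URL="https://${ACCOUNT_ID}.suitetalk.api.netsuite.com/services/rest/auth/oauth2/v1/token"

b64url() { openssl base64 -A | tr '/+' '_-' | tr -d '=\n'; }
b64url_dec() {  # restore the stripped padding, then decode
  local s; s=$(tr '_-' '/+')
  while [ $(( ${#s} % 4 )) -ne 0 ]; do s="${s}="; done
  printf '%s' "$s" | openssl base64 -d -A
}

# make_assertion <private.pem>: prints header.claims.signature (PS256, 5 min lifetime)
make_assertion() {
  local now head claims sig
  now=$(date +%s)
  head=$(printf '{"alg":"PS256","typ":"JWT","kid":"%s"}' "$CERT_ID" | b64url)
  claims=$(printf '{"iss":"%s","scope":["rest_webservices"],"aud":"%s","iat":%d,"exp":%d}' \
    "$CONSUMER_KEY" "$TOKEN_URL" "$now" "$((now + 300))" | b64url)
  sig=$(printf '%s' "${head}.${claims}" | openssl dgst -sha256 -sign "$1" \
    -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:32 | b64url)
  printf '%s.%s.%s\n' "$head" "$claims" "$sig"
}

# verify_assertion <jwt> <public.pem>: succeeds if the certificate's key signed the JWT
verify_assertion() {
  local tmp rc=0
  tmp=$(mktemp -d)
  openssl x509 -in "$2" -pubkey -noout > "$tmp/pub.pem" 2>/dev/null
  printf '%s' "${1##*.}" | b64url_dec > "$tmp/sig.bin"
  printf '%s' "${1%.*}" | openssl dgst -sha256 -verify "$tmp/pub.pem" \
    -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:32 \
    -signature "$tmp/sig.bin" >/dev/null 2>&1 || rc=1
  rm -rf "$tmp"
  return "$rc"
}

# Demo with a throwaway key pair (constructed; not for use with a real tenant).
demo=$(mktemp -d); trap 'rm -rf "$demo"' EXIT
openssl req -new -x509 -newkey rsa:2048 -days 1 -nodes -subj "/CN=demo" \
  -keyout "$demo/private.pem" -out "$demo/public.pem" 2>/dev/null
jwt=$(make_assertion "$demo/private.pem")
verify_assertion "$jwt" "$demo/public.pem" && echo "assertion verifies against public.pem"
# Token request (not sent here):
#   curl -s "$TOKEN_URL" -d grant_type=client_credentials \
#     -d client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer \
#     -d client_assertion="$jwt"
```

The assertion only verifies against the certificate whose private key signed it, which is why the **Certificate ID** in `kid` must refer to the uploaded `public.pem` that pairs with the `private.pem` given to Veza.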

Follow these steps to create the credentials Veza will use for NetSuite discovery:

#### Ensure that REST API and OAuth2 are enabled

1. Navigate to *Setup* > *Company* > *Enabled Features*
2. Under the **Analytics** tab:
   * In the **SuiteAnalytics Workbook** section, enable **SUITEANALYTICS WORKBOOK** if it is not enabled.
3. Under the **SuiteCloud** tab:
   * In the **SuiteTalk (Web Services)** section, enable **REST WEB SERVICES** if it is not enabled.
   * In the **Manage Authentication** section, enable **Oauth2**

#### Create a Role for Veza discovery

1. Navigate to *Setup* > *Users/Roles* > *Manage Roles* and create a new role
2. Provide a name for the role such as "Veza Discovery"
3. Under **Subsidiary Restrictions** set **Accessible Subsidiaries** to **All Subsidiaries**
4. Assign the following permissions to the role:
   * **Reports**
     * `SuiteAnalytics Workbook: Edit`
   * **Lists**
     * `Employee Record: View`
     * `Employees: View`
     * `Subsidiaries: View`
   * **Setup**
     * `Bulk Manage Roles: Full`
     * `OAuth 2.0 Authorized Applications Management`
     * `Log in using OAuth 2.0 Access Tokens`
     * `REST Web Services: Full`
     * `View Login Audit Trail: Full`

#### Assign the role to a user

The user can be an existing user, or you can create a user for Veza discovery. To review users' roles, go to *Setup* > *Users/Roles* > *Manage Users*.

#### Create an integration

1. Navigate to *Setup* > *Integration* > *Manage Integrations* and create a new integration
2. Provide a name for the integration such as "Veza Discover" and an optional description
3. Under the **Oauth2** section enable **CLIENT CREDENTIALS (MACHINE TO MACHINE) GRANT** and Scope **REST Web Services**
4. After saving the integration, a **consumer key** and secret will be displayed. Save these values, which only appear once. New credentials can be created by editing the integration and selecting "Reset Credentials."

#### Configure client credentials

1. Generate a new X.509 certificate. Use the following command to generate a new RSA certificate:

   ```
   openssl req -new -x509 -newkey rsa:4096 -days 365 -keyout private.pem -sigopt rsa_padding_mode:pss -sha256 -sigopt rsa_pss_saltlen:64 -out public.pem -nodes
   ```

   The certificate expires after the number of days specified with `-days`.
2. Go to *Setup* > *Integration* > *Oauth 2.0 Client Credentials (M2M)*
   * Create a new set of credentials
   * Select the desired user for the Entity, the Veza role created earlier, and the new integration for the Application
   * Upload the public portion of the Certificate `public.pem`
   * After creating the credentials, note the **Certificate ID** from the display table
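
Before uploading `public.pem`, it is worth confirming that the pair generated above is consistent and safely stored. This added example is not part of Veza's or NetSuite's tooling; the function names and the 30-day threshold are assumptions, and the demo runs on a constructed throwaway pair. Because the command uses `-nodes`, `private.pem` is written unencrypted, which is why the file mode is checked.

```bash
# Added example: checks for the private.pem / public.pem pair before upload.

# Succeeds only if the private key and the certificate carry the same public key.
key_matches_cert() {
  local k c
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Succeeds if the certificate is still valid $2 days from now.
cert_valid_for() {
  openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Succeeds if only the owner can access the key file (mode 600 or 400).
key_is_owner_only() {
  local mode
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null) || return 1
  case "$mode" in 600|400) return 0 ;; *) return 1 ;; esac
}

# audit_keypair <private.pem> <public.pem> <min-days-left>
# Prints one line per failed check and returns non-zero if any check failed.
audit_keypair() {
  local rc=0
  key_matches_cert "$1" "$2" || { echo "FAIL: $1 does not match $2"; rc=1; }
  cert_valid_for "$2" "$3"   || { echo "FAIL: $2 expires within $3 days"; rc=1; }
  key_is_owner_only "$1"     || { echo "FAIL: $1 is accessible beyond its owner"; rc=1; }
  return "$rc"
}

# Demo on a constructed throwaway pair that expires in 10 days and is world-readable.
work=$(mktemp -d); trap 'rm -rf "$work"' EXIT
openssl req -new -x509 -newkey rsa:2048 -days 10 -nodes -subj "/CN=demo" \
  -keyout "$work/private.pem" -out "$work/public.pem" 2>/dev/null
chmod 644 "$work/private.pem"
audit_keypair "$work/private.pem" "$work/public.pem" 30 || echo "fix the findings before upload"
```

Running `cert_valid_for public.pem 30` on a schedule gives early warning before the certificate lapses and discovery stops authenticating.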

### Configuring NetSuite on the Veza Platform

To enable the NetSuite integration in Veza:

1. In Veza, open the **Integrations** page.
2. Click **Add New** and pick NetSuite as the type of integration to add
3. Enter the required information and **Save** the configuration
   * **NetSuite instance ID**: the first part of your NetSuite URL, usually a seven-digit number. For sandbox deployments, include the `-SBXX` suffix.
   * **Consumer Key**: from the earlier steps
   * **Certificate ID**: from the credentials configuration
   * **Certificate Key**: upload the private portion of the certificate, `private.pem`
   * **Permission By Name**: toggle to display permissions by full name, e.g. `Access Token Management - Full`, instead of the shorthand key, e.g. `ADMI_ACCESSTOKENMANAGEMENT - Full`

### Notes and Supported Entities

The integration uses NetSuite's REST API and SuiteQL (a SQL-like query language) to collect necessary information about Users, Roles, and NetSuite Subsidiaries (resources). Roles can be assigned based on Subsidiary.

#### NetSuite User

Users are individuals with access to a NetSuite account. Users are typically employees, but can also represent vendors, partners, or customers.

Veza only gathers NetSuite users with the capability to log in to NetSuite.

| Attribute       | Notes                                                           |
| --------------- | --------------------------------------------------------------- |
| `is_active`     | Boolean True if user account is active                          |
| `email`         | User email                                                      |
| `external_id`   | User's external ID for SSO                                      |
| `supervisor_id` | NetSuite ID of the user's supervisor                            |
| `title`         | User's title                                                    |
| `give_access`   | Boolean if the user has access to NetSuite                      |
| `subsidiary_id` | NetSuite ID number of User's Subsidiary                         |
| `subsidiary`    | User's subsidiary name                                          |
| `created_at`    | Creation time for employee record                               |
| `last_login_at` | Date of last successful User login to NetSuite from Audit Trail |

#### NetSuite Role

Roles are configurations defining the level of access and sets of permissions users can have.

**Role Permission Display Format**: By default, role permissions in Veza are displayed using the *shorthand permission key* appended with the permission level. For example: `ADMI_ACCOUNTING - Full`, `LIST_ACCOUNT - View`, or `TRAN_CUSTINVC - Edit`.

Enabling the optional **Permission By Name** configuration setting will instead display the full permission name with the level appended. For example: `Accounting Management - Full`, `Accounts - View`, or `Invoice - Edit`.

{% hint style="info" %}
**Permission levels** in NetSuite include: **None**, **View**, **Create**, **Edit**, and **Full**. These levels define the degree of access granted for each permission.
{% endhint %}

| Attribute                        | Notes                                                                    |
| -------------------------------- | ------------------------------------------------------------------------ |
| `accessible_subsidiaries`        | Subsidiary access type for role, e.g. "all", "own", "selected", "active" |
| `crosssubsidiary_record_viewing` | Boolean if cross-subsidiary record viewing is enabled for role           |
| `is_active`                      | Boolean if role is active                                                |
| `is_sso_only`                    | NetSuite configuration if role requires users from in-bound SSO only     |

#### NetSuite Subsidiary Resource

Subsidiaries represent separate, hierarchical legal entities (distinct companies) within NetSuite.

| Attribute        | Notes                                                |
| ---------------- | ---------------------------------------------------- |
| `is_active`      | Boolean for subsidiary active status                 |
| `is_elimination` | Boolean if subsidiary is an elimination subsidiary   |
| `parent_id`      | NetSuite ID of parent subsidiary                     |
| `country`        | Country designation for subsidiary                   |
| `full_name`      | Subsidiary full name which includes all parent names |

### Limitations

#### NetSuite Support Center Roles

The NetSuite integration does not support discovery of **NetSuite Support Center (Basic)** and **NetSuite Support Center** roles. These roles are managed separately within NetSuite outside of the standard role management system and are not accessible via the NetSuite REST API that Veza uses for integration.

For more information about these special roles, see [NetSuite's documentation on support center roles](https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/section_4350949235.html#procedure_21135550073).

**Note:** Organizations using these Support Center roles will need to implement a manual review process for users assigned to these roles, as they will not appear in Veza's discovery or access reviews.

