OpenID Connect Permissions

When the OpenID Connect (OIDC) Single Sign-on feature is enabled, the following permissions are available:

Both OIDC permissions are Setup type permissions that support only a Full permission level.

You can add the OpenID Connect (OIDC) Single Sign-on permission to an existing role, or you can create a new role for it.

Permissions are added to roles on the Role record page, available at Setup > Users/Roles > User Management > Manage Roles.

Important:

After you assign the OpenID Connect (OIDC) Single Sign-on permission to a role, there is a short delay before users can use that role to log in with OIDC. The delay is caused by caching: the new permission does not take effect until the cache expires.

For more information about adding permissions to roles, see Customizing or Creating NetSuite Roles.

OpenID Connect Permission Limitations

OpenID Connect (OIDC) roles and permissions are subject to several limitations that are intended to prevent login and configuration problems.

No one can log in with an Administrator role using the OpenID Connect (OIDC) Single Sign-on feature. This limitation makes sure an admin can always log in and fix any issues with the OIDC provider (OP) setup or single sign-on access.

You can't add the OpenID Connect (OIDC) Single Sign-on permission to a role that already has SuiteAnalytics Connect permission. OpenID Connect (OIDC) Single Sign-on doesn't work with SuiteAnalytics Connect.

Some limitations ensure the admin is fully responsible for deciding who can access their NetSuite account with OpenID Connect (OIDC) Single Sign-on. The admin is choosing to trust the OP to authenticate users and let them into their NetSuite account.

  • If a role that has OpenID Connect (OIDC) Single Sign-on permission is designated as Single Sign-on Only, users holding that role cannot log in directly to the NetSuite user interface through the standard NetSuite login page.

  • A user who has accessed NetSuite through the OpenID Connect (OIDC) Single Sign-on feature cannot access any roles that do not have OpenID Connect Single Sign-on permission.

  • If a role has OpenID Connect (OIDC) Single Sign-on permission, it cannot also have SAML Single Sign-on permission.
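The role constraints described above (the Administrator break-glass rule, the SuiteAnalytics Connect and SAML exclusions, the Single Sign-on Only restriction, and the role-switch rule for OIDC sessions) can be encoded as a policy check over exported role definitions. The following is an added illustration, not NetSuite code; the `Role` model, the functions, and the plain-string permission and role names are assumptions.

```python
"""Policy check for OIDC Single Sign-on role assignments (constructed example,
not NetSuite code; role and permission names are assumed plain strings)."""
from dataclasses import dataclass, field

OIDC_SSO = "OpenID Connect (OIDC) Single Sign-on"
SAML_SSO = "SAML Single Sign-on"
SUITEANALYTICS = "SuiteAnalytics Connect"
ADMINISTRATOR = "Administrator"

@dataclass
class Role:
    name: str
    permissions: set[str] = field(default_factory=set)
    sso_only: bool = False  # the role's "Single Sign-on Only" designation

def role_violations(role: Role) -> list[str]:
    """Return the documented rules this role definition breaks (empty if none)."""
    problems: list[str] = []
    if OIDC_SSO not in role.permissions:
        return problems  # the rules below only constrain roles that carry OIDC SSO
    if role.name == ADMINISTRATOR:
        problems.append("Administrator must not log in via OIDC SSO (break-glass)")
    if SUITEANALYTICS in role.permissions:
        problems.append("OIDC SSO cannot be combined with SuiteAnalytics Connect")
    if SAML_SSO in role.permissions:
        problems.append("OIDC SSO cannot be combined with SAML Single Sign-on")
    return problems

def ui_login_allowed(role: Role) -> bool:
    """The standard NetSuite login page refuses Single Sign-on Only roles."""
    return not role.sso_only

def role_switch_allowed(entered_via_oidc: bool, target: Role) -> bool:
    """A session opened through OIDC SSO may use only roles holding OIDC SSO."""
    return not entered_via_oidc or OIDC_SSO in target.permissions

def audit(roles: list[Role]) -> dict[str, list[str]]:
    """Map each non-compliant role name to the rules it violates."""
    return {r.name: v for r in roles if (v := role_violations(r))}

# Constructed sample roles, one per documented rule.
SAMPLE_ROLES = [
    Role("OIDC Employee", {OIDC_SSO}, sso_only=True),     # compliant
    Role("Finance Analyst", {OIDC_SSO, SUITEANALYTICS}),  # conflicting permissions
    Role("Mixed SSO", {OIDC_SSO, SAML_SSO}),              # conflicting permissions
    Role(ADMINISTRATOR, {OIDC_SSO}),                      # break-glass rule
    Role("Support", set()),                               # no SSO permission at all
]
```

Running `audit(SAMPLE_ROLES)` flags the three non-compliant roles; `role_switch_allowed(True, ...)` models why an OIDC-authenticated user cannot switch into the "Support" role.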
