Setting Up Authentication and Authorization

After installing the SuiteApp, an administrator must perform the following to set up authentication and authorization for the NetSuite Content and Experience SuiteApp:

Step / Related help topic:

  1. Obtain the external URL of the SuiteApp. See Obtaining the External URL.

  2. Create an application. For Oracle IDCS, see Creating a Confidential Application in Oracle IDCS.

  3. Limit the new application to one user. For IDCS users only, see Limiting the Confidential Application to One User.

  4. Configure the NetSuite Content and Experience SuiteApp. See Configuring the NetSuite Content and Experience SuiteApp.

Obtaining the External URL

After installation, an administrator must take note of the external URL of the SuiteApp. This URL is registered as the redirect URL of the confidential application in Oracle IDCS or IAM: the authorization server delivers the authorization code only to the registered URL, so copy it exactly as NetSuite displays it.

For information about installing the SuiteApp, see Installing the NetSuite Content and Experience SuiteApp.

To obtain the external URL:

  1. Using the Administrator role, go to Customization > Scripting > Scripts.

  2. Click the Deployments link of the NS-OCE Su OCE Callback Suitelet.

  3. Click the View link of customdeploy_nsoce_su_ocecallback.

  4. Copy the value of the External URL field.

    This URL will be used as a redirect URL when creating the application in Oracle IDCS or IAM.

Creating a Confidential Application in Oracle IDCS

Confidential applications use OAuth 2.0, an authorization framework in which a client application (here, the SuiteApp running in NetSuite) presents a token, rather than the user's credentials, to access a protected resource (here, Oracle Content). A confidential application is one that can keep its client secret confidential because it runs on a secure, protected server rather than in a browser or on an end-user device, and it is accessed by multiple users. For more information about OAuth 2.0, see The OAuth 2.0 Authorization Framework.

An administrator must create a confidential application in the Oracle IDCS console. Before creating one, make sure that the administrator account used to log in to Oracle IDCS is assigned the Application Administrator role.

If you need more information about assigning roles, see the following:

To create a confidential application:

  1. Log in to the Oracle IDCS console.

  2. Expand the Navigation Drawer then click Applications.

  3. Click Add.

  4. On the Add Application page, click Confidential Application.

  5. Under App Details:

    • In the Name field, enter NetSuite Content and Experience.

    • Use the default values for the remaining fields.

  6. Click Next.

  7. Under Client, choose Configure this application as a client now.

    • In Authorization:

      • Check Refresh Token and Authorization Code. These are the only grant types the SuiteApp needs: Authorization Code to obtain the initial tokens when an administrator clicks Get Tokens, and Refresh Token so that the scheduled script can renew the access token without a user signing in again. Leave the other grant types clear.

      • In the Redirect URL field, enter the external URL of the NS-OCE Su OCE Callback Suitelet exactly as copied from NetSuite. For more information, see Obtaining the External URL.

    • In Token Issuance Policy:

      • In the Authorized Resources field, choose Specific.

      • In the Resources field, click Add Scope.

      • Click the right arrow of the Oracle Content instance assigned to your company to select the scope.

        The Oracle Content instance is usually prefixed with CECSAUTO_.

      • Check the box of the resource ending in urn:opc:cec:all.

      • Click Add.

  8. Click Next.

  9. Under Resources, choose Skip for later. Click Next.

  10. Under Authorization, click Finish.

    The Application Added page appears.

  11. On the Application Added page, take note of the values of the Client ID and Client Secret fields. These values will be entered in the Oracle Content Configuration page when setting up the NetSuite Content and Experience SuiteApp. Treat the Client Secret as a credential: store it only in the Oracle Content Configuration page, and do not share it by email or chat.

  12. Click Activate.

For more information about creating a new application, see Add a Confidential Application.

Limiting the Confidential Application to One User

After creating the confidential application, an administrator must limit the application to one user only.

To limit the confidential application to one user:

  1. In the Oracle IDCS console, expand the Navigation Drawer then click Groups.

  2. Click Add.

  3. In Step 1: Groups Details:

    • In the Name field, enter NetSuite Content and Experience Group.

    • In the Description field, enter Has one IDCS user that is allowed to get access token used for all OCE REST API calls.

    • Leave the User can request access box clear.

  4. Click Next.

  5. In Step 2: Assign Users to Groups (Optional), check the box of the user with the service administrator role.

    For more information, see Managing Users, Groups, and Access using IAM.

  6. Click Finish.

  7. In the IDCS menu, go to Security > Sign-On Policies.

  8. Click Add.

  9. Under Details:

    • In the Policy Name field, enter NetSuite Content and Experience Policy.

    • In the Description field, enter Limits one IDCS user to get access token that will be used for all OCE REST API calls.

  10. Click the right arrow to proceed.

  11. Under Sign-On Rules, click Add.

  12. On the Add Rule page:

    • In the Rule Name field, enter Allow NetSuite Content and Experience Group only.

    • Under Conditions, set the fields as follows:

      If the user is authenticated by: leave blank.

      And is a member of these groups: enter NetSuite Content and Experience Group.

      And is an administrator: clear the box.

      And is not one of these users: leave blank.

      And the user's client IP address is: choose Anywhere.

  13. Under Actions:

    • In the Access if field, select Allowed.

    • Leave the Prompt for reauthentication box clear.

  14. Click Save.

  15. Click the right arrow to proceed.

  16. Under Apps, click Assign.

  17. On the Assign Apps page, select NetSuite Content and Experience. Click OK.

    This is the confidential application created in Creating a Confidential Application in Oracle IDCS.

  18. Click Finish.

  19. Go to the Sign-On Policies page then select the box for the NetSuite Content and Experience policy. Click Activate.

Configuring the NetSuite Content and Experience SuiteApp

Before using the NetSuite Content and Experience SuiteApp, an account administrator must set up the SuiteApp through the Oracle Content Configuration page. The account administrator must have the Oracle Content credentials of your organization’s service administrator.

Service administrators configure and manage your Oracle Content and Experience service. For more information about service administrators and other application roles in Oracle Content, see Application Roles.

The initial part of the configuration procedure will allow you to generate folders. A root folder for your company must be available in Oracle Content. This folder will serve as the assigned repository for your company’s Oracle Content account. Note that all company root folders follow a naming convention of netsuite_<CompanyID>.

The generated folders in Oracle Content are created using the following folder structure:

    (Diagram of the generated folder structure, not reproduced here: the company root folder netsuite_<CompanyID>, with the subsidiary, customer, project, and project task folders generated beneath it.)

Note that the diagram includes project and project task folders, classified according to customer. The current version of the NetSuite Content and Experience SuiteApp supports NetSuite project and project task records.

Steps in the following configuration procedure will require you to enable the SuiteApp on projects and project task records in the Oracle Content Configuration page. You can create corresponding folders for project and project task records in Oracle Content only when the SuiteApp is enabled on these records.

The following recommendations apply when setting up the SuiteApp:

  • Deleting existing root folders: do not manually delete any existing company root folders in Oracle Content. Doing so can result in errors in the Oracle Content Configuration page.

  • Changing roles while setting up the SuiteApp: refrain from changing roles while updating the Oracle Content Configuration page. If you must switch roles, refresh the page immediately after the switch so that it reflects the new role.

The latter part of the configuration procedure obtains an access token to initiate token-based authorization. In OAuth 2.0, an access token is a string that represents the permissions the user has granted to the client application. Using this framework, the user grants the SuiteApp limited access to their Oracle Content resources without sharing their Oracle Content credentials with NetSuite.

An access token is valid for one week. A scheduled script runs in the background every two hours and automatically renews the access token, using the Refresh Token grant enabled on the IDCS application, once the token is within 48 hours of expiry; a token is therefore normally replaced 46 to 48 hours before it expires. Administrators can also renew or clear access tokens manually as needed.

To configure the NetSuite Content and Experience SuiteApp:

  1. Using the Administrator role, go to Setup > Oracle Content > Configuration.

  2. In the Oracle Content Domain URL field, enter the Oracle Content instance assigned to your organization.

    Use the Oracle Content domain URL sent to the email of your organization's Oracle Content service administrator.

  3. In the Authentication Details field group:

    • In the IDCS Domain URL field, enter the IDCS domain URL of your organization.

      Use the IDCS domain URL sent to the email of your organization's Oracle Content service administrator.

    • In the Application Scope field, enter the resource scope URL of the Oracle Content instance.

      To get the scope, log in to Oracle IDCS. In your created IDCS Application, go to the Token Issuance Policy section. Under Resources, use the URL in the Scope field.

    • In the Client ID field, enter the Client ID of the created IDCS Application.

    • In the Client Secret field, enter the Client Secret of the created IDCS Application.

  4. In the Record Details field group:

    • Check the Projects box to enable NetSuite Content and Experience on project records.

      If this box is clear, no corresponding folders will be created in Oracle Content upon creation of your project records. You also cannot check the Project Tasks box.

    • Check the Project Tasks box to enable NetSuite Content and Experience on project task records.

      If this box is clear, no corresponding folders will be created in Oracle Content upon creation of your project task records.

    • In the Subsidiary field, select one or more subsidiaries where you want to have Oracle Content enabled.

      This automatically creates corresponding folders in Oracle Content for your selected subsidiaries.

      Note:

      You cannot remove the selected subsidiaries after saving the Oracle Content Configuration page.

  5. In the Roles field, select the roles that can access the Oracle Content Configuration page.

    The Roles field contains roles within the System Administrator center type.

    The selected roles and the account administrator can access and modify the Oracle Content Configuration page.

  6. Click Save.

    The Get Tokens button appears.

    After saving, a folder in Oracle Content is automatically created for your company. If you have selected subsidiaries, folders are also generated for them.

  7. Click Get Tokens to initiate token-based authorization.

    The Oracle IDCS log in page appears.

  8. Enter Oracle Content service administrator credentials and click Sign In.

    Note:

    Use the login credentials of the Oracle Content service administrator that you added to NetSuite Content and Experience Group. The sign-on policy created in Limiting the Confidential Application to One User allows only that user to sign in to the confidential application; any other account is denied.

    After signing in, you are automatically redirected to the Oracle Content Configuration page.

    If successful, the Renew Tokens and Clear Tokens buttons are available in the Oracle Content Configuration page. The following fields are automatically populated:

    • User

      This field shows the user defined in the access token.

    • Last Login

      This field shows the last login date and time of your organization's Oracle Content service administrator.

    • Token Expiry

      This field shows the date and time of expiry of your access token. A scheduled script runs every two hours and automatically renews the access token 48 hours before token expiry.

    If an access token is not generated, only the Get Tokens button is available. Verify the values entered and click Get Tokens again.

  9. Be sure to close the Oracle Content Configuration page before creating a new project record to avoid errors when linking the project folder to Oracle Content.

Related Topics

NetSuite Content and Experience Setup Guide
Managing Users, Groups, and Access
Required Settings in Oracle Content
Prerequisites for Installing the NetSuite Content and Experience SuiteApp
Installing the NetSuite Content and Experience SuiteApp
Setting Up Single Sign-on for NetSuite
Configuring the NetSuite Content and Experience SuiteApp for a NetSuite Record

General Notices