Locking and Restricting SSH Keys

To prevent an unauthorized use of a key, you can limit the use of the key to certain scripts and specific employees on the key record.

To restrict access to an existing key:

  1. Go to Setup > Company > Preferences > Keys. A list of uploaded keys is displayed. If no keys are displayed, none have been uploaded. See Uploading Private SSH Keys for instructions to upload a new key.

  2. Click the name of the key to open it in a new window.

  3. Click the Audience tab.

  4. To restrict access to the key to specific employees, check the Restrict to Employees box, and select the employees who will be able to access the key using SuiteScript. Employees must also have the Key Access permission to use the key with SuiteScript. If you don't check the box, all employees with the Key Access permission can access the key with SuiteScript.

  5. To restrict access to a specific script, enter the script’s script ID in the Restrict to Scripts field. You can find the script ID for a script on the script record or in the ID column on the list of scripts at Customization > Scripting > Scripts. Separate multiple script IDs with commas.

    You can also set script restrictions if you create the key object in SuiteScript 2.x using the keyControl.createKey(options) method.

  6. Click Save.

New private key example.

When restrictions are set, you can use SuiteScript 2.x to lock and unlock SSH keys. Locking a key prevents anyone from accessing the key in the NetSuite UI, even the owner of the key. You can use locking combined with script restrictions to restrict new scripts from using a key. For example, if you create a SuiteApp that contains a script and a key, you can restrict the key to only work with the SuiteApp’s script and lock the key. You can then lock the script within the SuiteApp to block unauthorized access.

Use the following SuiteScript methods to lock and unlock a key:

The following code sample uses a scheduled script to demonstrate how to lock a key. Because this sample uses define instead of require, you must deploy this script in your account. It is not meant to run in the SuiteScript Debugger.

/**
 *@NApiVersion 2.x
 *@NScriptType ScheduledScript
 */

define(['N/keyControl'], function(keyControl) {
    function execute(context) {
        // lock the key
        keyControl.lock({
            // replace the following id with the script ID of your key
            id: 'custkey_testid'
        });
    }
    return {
        execute: execute
    };
});
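The following is an added example, not NetSuite's own sample, covering the SuiteApp case described above: a scheduled script that locks every key the SuiteApp owns, isolates failures so one bad key ID does not leave the other keys unlocked, and keeps the module factory separate from define() so the lock logic can be exercised outside NetSuite. The key IDs, the keyLockModule name and the fakeKeyControl stand-in are constructed assumptions; only keyControl.lock, keyControl.unlock and N/log are NetSuite APIs.

```javascript
/**
 * @NApiVersion 2.x
 * @NScriptType ScheduledScript
 */
// Factory kept separate from define() so it can run outside NetSuite with
// constructed stand-ins for N/keyControl and N/log (see bottom of file).
function keyLockModule(keyControl, log) {
  // Key script IDs this SuiteApp owns (constructed placeholders; use your own key IDs).
  var MANAGED_KEYS = ['custkey_sftp_bank_feed', 'custkey_sftp_payroll'];

  // Lock each key so nobody, owner included, can open it in the NetSuite UI;
  // each call is isolated so one bad key ID does not leave the rest unlocked.
  function lockKeys(ids) {
    var outcome = { locked: [], failed: [] };
    ids.forEach(function (id) {
      try {
        keyControl.lock({ id: id });
        outcome.locked.push(id);
      } catch (e) {
        outcome.failed.push({ id: id, message: e.message });
      }
    });
    return outcome;
  }

  function execute(context) {
    var outcome = lockKeys(MANAGED_KEYS);
    log.audit({ title: 'SSH key lock run', details: JSON.stringify(outcome) });
  }

  return { execute: execute, lockKeys: lockKeys };
}

if (typeof define === 'function') {
  define(['N/keyControl', 'N/log'], keyLockModule);
}

// Constructed stand-in for N/keyControl, used only when running this file under Node.
function fakeKeyControl() {
  var locked = {};
  return {
    isLocked: function (id) { return locked[id] === true; },
    lock: function (options) {
      if (!options || !options.id) { throw new Error('missing key id'); }
      locked[options.id] = true;
    },
    unlock: function (options) { locked[options.id] = false; }
  };
}
```

When deployed in an account, only the define() branch runs and the stand-in is never used.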

Related Topics

SSH Keys for SFTP
Access to SSH Keys
Uploading Private SSH Keys
N/keyControl Module
N/sftp Module
SuiteScript 2.x Modules
SuiteScript 2.x