Custom Roles as XML Definitions

You can create and manage roles in a NetSuite account using SuiteCloud Development Framework (SDF). You can create a role definition in a SuiteCloud project and deploy the project to a target account. Role definitions in SDF can reference standard and custom record permissions.

The following role fields and sublists are not supported by SDF and can only be defined in the NetSuite UI:

The following example shows a basic custom role object named “Sample Role” with the script ID named “customrole_sample”:

<role scriptid="customrole_sample">
    <centertype>ACCOUNTCENTER</centertype>
    <issalesrole>F</issalesrole>
    <issupportrole>F</issupportrole>
    <iswebserviceonlyrole>F</iswebserviceonlyrole>
    <employeerestriction>NONE</employeerestriction>
    <employeeviewingallowed>F</employeeviewingallowed>
    <restricttimeandexpenses>F</restricttimeandexpenses>
    <restrictip>F</restrictip>
    <coreadminpermission>F</coreadminpermission>
    <restrictbydevice>F</restrictbydevice>
    <name>Sample Role</name>
    <permissions>
        <permission>
            <permkey></permkey>
            <permlevel></permlevel>
            <restriction></restriction>
        </permission>
    </permissions>
</role> 

        

The centertype element determines which tabs and links are available for groups of similar roles. For more information about possible centertype values, see the following:

In the permissions structure, the permkey element should be the script ID of the object type that you want to apply a permission to. The permlevel element is the level of access that you want to grant on that object type. The restriction element is the level of restriction to place on that object type.

Note:

The restriction element is only applicable to permissions that reference SDF custom objects.

You can customize additional role options using the NetSuite UI. For more information about creating a custom role using the NetSuite UI, see Changing Custom Roles.

Important:

If a SuiteCloud project contains an SDF custom object and a custom role that reference each other, the levels of permission and restriction must match in both objects. For example, if a custom record type permits the custom role with the VIEW permission level, that custom role must set the custom record type permission level to VIEW. Projects that contain a level mismatch cannot be deployed to a target NetSuite account.

For more information about the custom role object, see role.

Custom Role Restrictions

You can apply any type of restriction to a custom role in SDF. Restrictions define the set of records that users of an assigned role can view or edit for specific record types such as employee, location, department, and class.

As part of the custom role object, the following elements can be used to apply restrictions on users of the assigned role:

  • The restrictbydevice element provides access to the role only from the devices listed at Setup > Company > Setup Tasks > Company Information.

  • The restrictip element provides access to the role only from the IP addresses listed at Setup > Company > Setup Tasks > Company Information.

  • The restricttimeandexpenses element prevents users with this role from entering expense reports or time transactions on behalf of users other than their subordinates.

  • The employeerestriction element determines whether to restrict role access to transaction, customer, and employee records, based on values in the employee, sales rep, and supervisor fields on these records. The associated employeeviewingallowed element indicates whether the role can view employee records other than their own and their subordinates'.

In addition to these elements, you can create or modify a recordrestrictions structure to apply restrictions on the location, department, and class records. This structure can contain multiple recordrestriction structures, where each one represents a unique record type restriction. You cannot have multiple recordrestriction structures defining the restrictions of a single record type. A recordrestriction contains the following elements:

  • The segment element is the record type that you want to restrict on the role, such as LOCATION, DEPARTMENT, or CLASS.

  • The restriction element indicates the type of restriction to place on the segment or record type.

  • The viewingallowed element indicates whether users with this role can view instances of the record type.

  • The itemsrestricted element applies the restrictions to item records, in addition to transaction, employee, and partner records.

The following is an example of a custom role object in SDF that uses restriction fields:

<role scriptid="customrole_restrictsample">
    <centertype>ACCOUNTCENTER</centertype>
    <name>Role Restriction Sample</name>
    ...
    <restrictbydevice>F</restrictbydevice>
    <restrictip>T</restrictip>
    <restricttimeandexpenses>T</restricttimeandexpenses>
    <employeerestriction>UNASSIGNED</employeerestriction>
    <employeeviewingallowed>T</employeeviewingallowed>
     ...
    <recordrestrictions>
        <recordrestriction>
            <segment>LOCATION</segment>
            <restriction>OWNONLY</restriction>
            <itemrestricted>T</itemrestricted>
            <viewingallowed>T</viewingallowed>
        </recordrestriction>
        <recordrestriction>
            <segment>DEPARTMENT</segment>
            <restriction>DEFAULTTOOWN</restriction>
            <itemrestricted>F</itemrestricted>
            <viewingallowed>F</viewingallowed>
        </recordrestriction>
        <recordrestriction>
            <segment>CLASS</segment>
            <restriction>UNASSIGNED</restriction>
            <itemrestricted>T</itemrestricted>
            <viewingallowed>F</viewingallowed>
        </recordrestriction>
    </recordrestrictions>
</role> 
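
A pre-deployment lint for the restriction elements described above, written as an added example (it is not NetSuite or SDF code). It reports record types that appear in more than one recordrestriction structure, entries that still allow viewing, and roles with no IP or device restriction; the sample role, the function names and the finding codes are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample: LOCATION is (incorrectly) restricted twice.
SAMPLE_ROLE = """
<role scriptid="customrole_lintsample">
    <restrictip>F</restrictip>
    <restrictbydevice>T</restrictbydevice>
    <recordrestrictions>
        <recordrestriction>
            <segment>LOCATION</segment>
            <restriction>OWNONLY</restriction>
            <viewingallowed>T</viewingallowed>
        </recordrestriction>
        <recordrestriction>
            <segment>LOCATION</segment>
            <restriction>DEFAULTTOOWN</restriction>
            <viewingallowed>F</viewingallowed>
        </recordrestriction>
    </recordrestrictions>
</role>
"""

def text(node, tag, default=""):
    """Trimmed text of a child element, or default when absent or empty."""
    return (node.findtext(tag) or default).strip()

def lint_role_restrictions(xml_text):
    """Return (code, detail) findings for one role definition."""
    role = ET.fromstring(xml_text)
    entries = role.findall("recordrestrictions/recordrestriction")
    findings = []
    # Each record type may appear in only one recordrestriction structure.
    counts = Counter(text(rr, "segment") for rr in entries)
    for segment in sorted(s for s, n in counts.items() if n > 1):
        findings.append(("DUPLICATE_SEGMENT", segment))
    # viewingallowed=T means the role can still view records of that type.
    for rr in entries:
        if text(rr, "viewingallowed") == "T":
            findings.append(("VIEWING_ALLOWED", text(rr, "segment")))
    # Lint choice (assumption): a flag that is absent is reported like F.
    for flag in ("restrictip", "restrictbydevice"):
        if text(role, flag, "F") != "T":
            findings.append(("ORIGIN_NOT_RESTRICTED", flag))
    return findings
```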

          
Note:

When restricting record types, such as LOCATION or DEPARTMENT, you may need to modify the manifest file in your project to indicate that their corresponding features are required in the target account.

For more information, see:

Custom Role Example

The following example shows a custom role definition. When deployed to an account, this definition creates or modifies the custom role, SDF Developer, that enables several permissions required for SDF development. The role includes permission to a custom record, customrecord_sample.

<role scriptid="customrole_sdfdeveloper">
  <centertype>ACCOUNTCENTER</centertype>
  <issalesrole>F</issalesrole>
  <issupportrole>F</issupportrole>
  <iswebserviceonlyrole>F</iswebserviceonlyrole>
  <employeerestriction>NONE</employeerestriction>
  <employeeviewingallowed>F</employeeviewingallowed>
  <restricttimeandexpenses>F</restricttimeandexpenses>
  <restrictip>F</restrictip>
  <restrictbydevice>F</restrictbydevice>
  <name>SDF Developer</name>
  <permissions>
    <permission>
      <permkey>ADMI_WORKFLOW</permkey>
      <permlevel>FULL</permlevel>
    </permission>
    <permission>
      <permkey>ADMI_WEBSERVICES</permkey>
      <permlevel>FULL</permlevel>
    </permission>
    <permission>
      <permkey>ADMI_MANAGE_OWN_OAUTH_TOKENS</permkey>
      <permlevel>FULL</permlevel>
    </permission>
    <permission>
      <permkey>ADMI_CUSTOMSCRIPT</permkey>
      <permlevel>FULL</permlevel>
    </permission>
    <permission>
      <permkey>ADMI_APP_DEPLOYMENT</permkey>
      <permlevel>FULL</permlevel>
    </permission>
    <permission>
      <permkey>ADMI_SAVEDASHBOARD</permkey>
      <permlevel>FULL</permlevel>
    </permission>
    <permission>
      <permkey>ADMI_CUSTOTHERFIELD</permkey>
      <permlevel>FULL</permlevel>
    </permission>
    <permission>
      <permkey>ADMI_KPIREPORT</permkey>
      <permlevel>FULL</permlevel>
    </permission>
    <permission>
      <permkey>ADMI_ENABLEFEATURES</permkey>
      <permlevel>FULL</permlevel>
    </permission>
    <permission>
      <permkey>LIST_EMAILTEMPLATE</permkey>
      <permlevel>FULL</permlevel>
    </permission>
    <permission>
      <permkey>LIST_FILECABINET</permkey>
      <permlevel>FULL</permlevel>
    </permission>
    <permission>
      <permkey>ADMI_CUSTTRANSACTION</permkey>
      <permlevel>FULL</permlevel>
    </permission>
    <permission>
      <permkey>ADMI_CUSTFORM</permkey>
      <permlevel>FULL</permlevel>
    </permission>
    <permission>
      <permkey>ADMI_CUSTTRANFIELD</permkey>
      <permlevel>FULL</permlevel>
    </permission>
    <permission>
      <permkey>ADMI_CUSTFIELDTAB</permkey>
      <permlevel>FULL</permlevel>
    </permission>
    <permission>
      <permkey>ADMI_CUSTOMSUBLIST</permkey>
      <permlevel>FULL</permlevel>
    </permission>
    <permission>
      <permkey>ADMI_SUBLIST</permkey>
      <permlevel>FULL</permlevel>
    </permission>
    <permission>
      <permkey>ADMI_CUSTRECORD</permkey>
      <permlevel>FULL</permlevel>
    </permission>
    <permission>
      <permkey>ADMI_CUSTLIST</permkey>
      <permlevel>FULL</permlevel>
    </permission>
    <permission>
      <permkey>ADMI_CUSTITEMNUMBERFIELD</permkey>
      <permlevel>FULL</permlevel>
    </permission>
    <permission>
      <permkey>ADMI_CUSTITEMFIELD</permkey>
      <permlevel>FULL</permlevel>
    </permission>
    <permission>
      <permkey>ADMI_CUSTEVENTFIELD</permkey>
      <permlevel>FULL</permlevel>
    </permission>
    <permission>
      <permkey>ADMI_CUSTENTRYFORM</permkey>
      <permlevel>FULL</permlevel>
    </permission>
    <permission>
      <permkey>ADMI_CUSTENTITYFIELD</permkey>
      <permlevel>FULL</permlevel>
    </permission>
    <permission>
      <permkey>ADMI_CUSTCOLUMNFIELD</permkey>
      <permlevel>FULL</permlevel>
    </permission>
    <permission>
      <permkey>ADMI_CUSTCENTER</permkey>
      <permlevel>FULL</permlevel>
    </permission>
    <permission>
      <permkey>ADMI_CUSTSECTION</permkey>
      <permlevel>FULL</permlevel>
    </permission>
    <permission>
      <permkey>ADMI_CUSTCATEGORY</permkey>
      <permlevel>FULL</permlevel>
    </permission>
    <permission>
      <permkey>ADMI_CUSTBODYFIELD</permkey>
      <permlevel>FULL</permlevel>
    </permission>
    <permission>
      <permkey>ADMI_CRMLIST</permkey>
      <permlevel>FULL</permlevel>
    </permission>
    <permission>
      <permkey>ADMI_MANAGEROLES</permkey>
      <permlevel>FULL</permlevel>
    </permission>
    <permission>
      <permkey>ADMI_ADVANCED_TEMPLATES</permkey>
      <permlevel>FULL</permlevel>
    </permission>
    <permission>
      <permkey>[scriptid=customrecord_sample]</permkey>
      <permlevel>FULL</permlevel>
      <restriction>VIEW</restriction>
    </permission>
  </permissions>
</role> 
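
A review script for the permissions structure, added here as an example and not taken from NetSuite or SDF. It checks three rules from this page: a restriction element belongs only on permissions that reference SDF custom objects, the level and restriction on a custom object permission must match what the custom object declares, and FULL access on keys the reviewer has singled out should be visible before deployment. The review_keys set and the record_side mapping are supplied by the reviewer (the custom record XML is not parsed here), and the sample role and finding codes are constructed.

```python
import re
import xml.etree.ElementTree as ET

# A permkey that references an SDF custom object, e.g. [scriptid=customrecord_sample].
CUSTOM_REF = re.compile(r"^\[scriptid=[^\]]+\]$")

# Constructed sample; the permission keys are ones used in the example above.
SAMPLE_ROLE = """
<role scriptid="customrole_auditsample">
  <permissions>
    <permission>
      <permkey>ADMI_MANAGEROLES</permkey>
      <permlevel>FULL</permlevel>
    </permission>
    <permission>
      <permkey>LIST_FILECABINET</permkey>
      <permlevel>FULL</permlevel>
      <restriction>VIEW</restriction>
    </permission>
    <permission>
      <permkey>[scriptid=customrecord_sample]</permkey>
      <permlevel>FULL</permlevel>
      <restriction>VIEW</restriction>
    </permission>
  </permissions>
</role>
"""

def audit_permissions(xml_text, review_keys, record_side):
    """record_side maps a custom permkey to the (level, restriction)
    declared for this role in the custom object (reviewer-supplied)."""
    findings = []
    for perm in ET.fromstring(xml_text).iterfind("permissions/permission"):
        key = (perm.findtext("permkey") or "").strip()
        level = (perm.findtext("permlevel") or "").strip()
        restriction = (perm.findtext("restriction") or "").strip()
        is_custom = bool(CUSTOM_REF.match(key))
        # restriction only applies to permissions on SDF custom objects.
        if restriction and not is_custom:
            findings.append(("RESTRICTION_ON_STANDARD_PERMISSION", key))
        # A mismatch with the custom object blocks deployment.
        if is_custom and key in record_side and record_side[key] != (level, restriction):
            findings.append(("LEVEL_MISMATCH", key))
        if key in review_keys and level == "FULL":
            findings.append(("FULL_ON_REVIEW_KEY", key))
    return findings
```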

          
