Custom Roles as XML Definitions
You can create and manage roles in a NetSuite account using SuiteCloud Development Framework (SDF). You can create a role definition in a SuiteCloud project and deploy the project to a target account. Role definitions in SDF can reference standard and custom record permissions.
The following role fields and sublists are not supported by SDF and can only be defined in the NetSuite UI:
- Subsidiaries field
- Forms sublist
- Searches sublist
- Dashboard sublist
The following example shows a basic custom role object named “Sample Role” with the script ID named “customrole_sample”:
<role scriptid="customrole_sample">
    <centertype>ACCOUNTCENTER</centertype>
    <issalesrole>F</issalesrole>
    <issupportrole>F</issupportrole>
    <iswebserviceonlyrole>F</iswebserviceonlyrole>
    <employeerestriction>NONE</employeerestriction>
    <employeeviewingallowed>F</employeeviewingallowed>
    <restricttimeandexpenses>F</restricttimeandexpenses>
    <restrictip>F</restrictip>
    <coreadminpermission>F</coreadminpermission>
    <restrictbydevice>F</restrictbydevice>
    <name>Sample Role</name>
    <permissions>
        <permission>
            <permkey></permkey>
            <permlevel></permlevel>
            <restriction></restriction>
        </permission>
    </permissions>
</role>
The centertype element determines which tabs and links are available for groups of similar roles. For more information about possible centertype values, see the following:
In the permissions structure, the permkey element should be the script ID of the object type that you want to apply a permission to. The permlevel element is the level of access that you want to grant on that object type. The restriction element is the level of restriction to place on that object type.
The restriction element is only applicable to permissions that reference SDF custom objects.
You can customize additional role options using the NetSuite UI. For more information about creating a custom role using the NetSuite UI, see Changing Custom Roles.
If a SuiteCloud project contains an SDF custom object and a custom role that reference each other, the levels of permission and restriction must match in both objects. For example, if a custom record type permits the custom role with the VIEW permission level, that custom role must set the custom record type permission level to VIEW. Projects that contain a level mismatch cannot be deployed to a target NetSuite account.
For more information about the custom role object, see role.
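As an added example (not part of the NetSuite documentation or of SDF itself), the following Python script checks a role and a custom record type for the level mismatch described above before a project is deployed. The customrecordtype element names permittedrole and permittedlevel, the function names, and the sample XML are assumptions that do not appear on this page.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample pair: the role asks for EDIT, the record type permits VIEW.
ROLE_XML = """<role scriptid="customrole_sample">
  <permissions><permission>
    <permkey>[scriptid=customrecord_sample]</permkey>
    <permlevel>EDIT</permlevel>
    <restriction>VIEW</restriction>
  </permission></permissions>
</role>"""
# Assumed customrecordtype layout (permittedrole/permittedlevel); not shown on the page.
RECORD_XML = """<customrecordtype scriptid="customrecord_sample">
  <permissions><permission>
    <permittedrole>[scriptid=customrole_sample]</permittedrole>
    <permittedlevel>VIEW</permittedlevel>
    <restriction>VIEW</restriction>
  </permission></permissions>
</customrecordtype>"""

REF = re.compile(r"\[scriptid=([A-Za-z0-9_]+)\]")

def grants(xml_text, ref_tag, level_tag):
    """Return (own script ID, {referenced script ID: (level, restriction)})."""
    root = ET.fromstring(xml_text)
    found = {}
    for perm in root.iterfind("permissions/permission"):
        ref = REF.fullmatch((perm.findtext(ref_tag) or "").strip())
        if ref:  # standard keys such as ADMI_WORKFLOW are not object references
            found[ref.group(1)] = tuple((perm.findtext(t) or "").strip().upper()
                                        for t in (level_tag, "restriction"))
    return root.get("scriptid"), found

def level_mismatches(role_xml, record_xml):
    """List (field, role value, record value) where the two objects disagree."""
    role_id, role_side = grants(role_xml, "permkey", "permlevel")
    rec_id, rec_side = grants(record_xml, "permittedrole", "permittedlevel")
    if rec_id not in role_side or role_id not in rec_side:
        return []  # the two objects do not reference each other
    pairs = zip(("level", "restriction"), role_side[rec_id], rec_side[role_id])
    return [(field, r, c) for field, r, c in pairs if r != c]

if __name__ == "__main__":
    for field, role_val, rec_val in level_mismatches(ROLE_XML, RECORD_XML):
        print(f"{field}: role has {role_val}, record type has {rec_val}")
```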
Custom Role Restrictions
You can apply any type of restriction to a custom role in SDF. Restrictions define the set of records that users of an assigned role can view or edit for specific record types such as employee, location, department, and class.
As part of the custom role object, the following elements can be used to apply restrictions on users of the assigned role:
- The restrictbydevice element provides access to the role only from the devices listed at Setup > Company > Setup Tasks > Company Information.
- The restrictip element provides access to the role only from the IP addresses listed at Setup > Company > Setup Tasks > Company Information.
- The restricttimeandexpenses element prevents users with this role from entering expense reports or time transactions on behalf of users other than their subordinates.
- The employeerestriction element determines whether to restrict role access to transaction, customer, and employee records, based on values in the employee, sales rep, and supervisor fields on these records. The associated employeeviewingallowed element indicates whether the role can view employee records other than their own and their subordinates.
In addition to these elements, you can create or modify a recordrestrictions structure to apply restrictions on the location, department, and class records. This structure can contain multiple recordrestriction structures, where each one represents a unique record type restriction. You cannot have multiple recordrestriction structures defining the restrictions of a single record type. A recordrestriction contains the following elements:
- The segment element is the record type that you want to restrict on the role, such as LOCATION, DEPARTMENT, or CLASS.
- The restrictions element indicates the type of restriction to place on the segment or record type.
- The viewingallowed element indicates whether users with this role can view instances of the record type.
- The itemsrestricted element applies the restrictions to item records, in addition to transaction, employee, and partner records.
The following is an example of a custom role object in SDF that uses restriction fields:
<role scriptid="customrole_restrictsample">
    <centertype>ACCOUNTCENTER</centertype>
    <name>Role Restriction Sample</name>
    ...
    <restrictbydevice>F</restrictbydevice>
    <restrictip>T</restrictip>
    <restricttimeandexpenses>T</restricttimeandexpenses>
    <employeerestriction>UNASSIGNED</employeerestriction>
    <employeeviewingallowed>T</employeeviewingallowed>
    ...
    <recordrestrictions>
        <recordrestriction>
            <segment>LOCATION</segment>
            <restriction>OWNONLY</restriction>
            <itemrestricted>T</itemrestricted>
            <viewingallowed>T</viewingallowed>
        </recordrestriction>
        <recordrestriction>
            <segment>DEPARTMENT</segment>
            <restriction>DEFAULTTOOWN</restriction>
            <itemrestricted>F</itemrestricted>
            <viewingallowed>F</viewingallowed>
        </recordrestriction>
        <recordrestriction>
            <segment>CLASS</segment>
            <restriction>UNASSIGNED</restriction>
            <itemrestricted>T</itemrestricted>
            <viewingallowed>F</viewingallowed>
        </recordrestriction>
    </recordrestrictions>
</role>
When restricting record types, such as LOCATION or DEPARTMENT, you may need to modify the manifest file in your project to indicate that their corresponding features are required in the target account.
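As an added example (not NetSuite's or SDF's own tooling), the following Python script reviews the restriction elements of a role definition. It reports a record type that appears in more than one recordrestriction, a role with neither restrictip nor restrictbydevice enabled, and an employeerestriction of NONE. The finding codes, function names, and sample role are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample: network restrictions are off and LOCATION is restricted twice.
SAMPLE_ROLE = """
<role scriptid="customrole_lintsample">
  <name>Lint Sample</name>
  <restrictbydevice>F</restrictbydevice>
  <restrictip>F</restrictip>
  <employeerestriction>NONE</employeerestriction>
  <recordrestrictions>
    <recordrestriction>
      <segment>LOCATION</segment>
      <restriction>OWNONLY</restriction>
    </recordrestriction>
    <recordrestriction>
      <segment>LOCATION</segment>
      <restriction>DEFAULTTOOWN</restriction>
    </recordrestriction>
  </recordrestrictions>
</role>
"""

def is_on(role, tag):
    """True only when the element is present and set to T."""
    return (role.findtext(tag) or "").strip().upper() == "T"

def lint_restrictions(role_xml):
    """Return (code, detail) findings for one role definition."""
    role = ET.fromstring(role_xml)
    findings = []
    segments = Counter(
        (s.text or "").strip().upper()
        for s in role.iterfind("recordrestrictions/recordrestriction/segment"))
    for seg, count in sorted(segments.items()):
        if count > 1:  # one record type may have only one recordrestriction
            findings.append(("DUPLICATE_SEGMENT", f"{seg} appears {count} times"))
    if not is_on(role, "restrictip") and not is_on(role, "restrictbydevice"):
        findings.append(("NO_NETWORK_RESTRICTION",
                         "neither restrictip nor restrictbydevice is T"))
    if (role.findtext("employeerestriction") or "").strip().upper() == "NONE":
        findings.append(("NO_EMPLOYEE_RESTRICTION", "employeerestriction is NONE"))
    return findings

if __name__ == "__main__":
    for code, detail in lint_restrictions(SAMPLE_ROLE):
        print(f"{code}: {detail}")
```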
For more information, see:
Custom Role Example
The following example shows a custom role definition. When deployed to an account, this definition creates or modifies the custom role, SDF Developer, that enables several permissions required for SDF development. The role includes permission to a custom record, customrecord_sample.
<role scriptid="customrole_sdfdeveloper">
    <centertype>ACCOUNTCENTER</centertype>
    <issalesrole>F</issalesrole>
    <issupportrole>F</issupportrole>
    <iswebserviceonlyrole>F</iswebserviceonlyrole>
    <employeerestriction>NONE</employeerestriction>
    <employeeviewingallowed>F</employeeviewingallowed>
    <restricttimeandexpenses>F</restricttimeandexpenses>
    <restrictip>F</restrictip>
    <restrictbydevice>F</restrictbydevice>
    <name>SDF Developer</name>
    <permissions>
        <permission>
            <permkey>ADMI_WORKFLOW</permkey>
            <permlevel>FULL</permlevel>
        </permission>
        <permission>
            <permkey>ADMI_WEBSERVICES</permkey>
            <permlevel>FULL</permlevel>
        </permission>
        <permission>
            <permkey>ADMI_MANAGE_OWN_OAUTH_TOKENS</permkey>
            <permlevel>FULL</permlevel>
        </permission>
        <permission>
            <permkey>ADMI_CUSTOMSCRIPT</permkey>
            <permlevel>FULL</permlevel>
        </permission>
        <permission>
            <permkey>ADMI_APP_DEPLOYMENT</permkey>
            <permlevel>FULL</permlevel>
        </permission>
        <permission>
            <permkey>ADMI_SAVEDASHBOARD</permkey>
            <permlevel>FULL</permlevel>
        </permission>
        <permission>
            <permkey>ADMI_CUSTOTHERFIELD</permkey>
            <permlevel>FULL</permlevel>
        </permission>
        <permission>
            <permkey>ADMI_KPIREPORT</permkey>
            <permlevel>FULL</permlevel>
        </permission>
        <permission>
            <permkey>ADMI_ENABLEFEATURES</permkey>
            <permlevel>FULL</permlevel>
        </permission>
        <permission>
            <permkey>LIST_EMAILTEMPLATE</permkey>
            <permlevel>FULL</permlevel>
        </permission>
        <permission>
            <permkey>LIST_FILECABINET</permkey>
            <permlevel>FULL</permlevel>
        </permission>
        <permission>
            <permkey>ADMI_CUSTTRANSACTION</permkey>
            <permlevel>FULL</permlevel>
        </permission>
        <permission>
            <permkey>ADMI_CUSTFORM</permkey>
            <permlevel>FULL</permlevel>
        </permission>
        <permission>
            <permkey>ADMI_CUSTTRANFIELD</permkey>
            <permlevel>FULL</permlevel>
        </permission>
        <permission>
            <permkey>ADMI_CUSTFIELDTAB</permkey>
            <permlevel>FULL</permlevel>
        </permission>
        <permission>
            <permkey>ADMI_CUSTOMSUBLIST</permkey>
            <permlevel>FULL</permlevel>
        </permission>
        <permission>
            <permkey>ADMI_SUBLIST</permkey>
            <permlevel>FULL</permlevel>
        </permission>
        <permission>
            <permkey>ADMI_CUSTRECORD</permkey>
            <permlevel>FULL</permlevel>
        </permission>
        <permission>
            <permkey>ADMI_CUSTLIST</permkey>
            <permlevel>FULL</permlevel>
        </permission>
        <permission>
            <permkey>ADMI_CUSTITEMNUMBERFIELD</permkey>
            <permlevel>FULL</permlevel>
        </permission>
        <permission>
            <permkey>ADMI_CUSTITEMFIELD</permkey>
            <permlevel>FULL</permlevel>
        </permission>
        <permission>
            <permkey>ADMI_CUSTEVENTFIELD</permkey>
            <permlevel>FULL</permlevel>
        </permission>
        <permission>
            <permkey>ADMI_CUSTENTRYFORM</permkey>
            <permlevel>FULL</permlevel>
        </permission>
        <permission>
            <permkey>ADMI_CUSTENTITYFIELD</permkey>
            <permlevel>FULL</permlevel>
        </permission>
        <permission>
            <permkey>ADMI_CUSTCOLUMNFIELD</permkey>
            <permlevel>FULL</permlevel>
        </permission>
        <permission>
            <permkey>ADMI_CUSTCENTER</permkey>
            <permlevel>FULL</permlevel>
        </permission>
        <permission>
            <permkey>ADMI_CUSTSECTION</permkey>
            <permlevel>FULL</permlevel>
        </permission>
        <permission>
            <permkey>ADMI_CUSTCATEGORY</permkey>
            <permlevel>FULL</permlevel>
        </permission>
        <permission>
            <permkey>ADMI_CUSTBODYFIELD</permkey>
            <permlevel>FULL</permlevel>
        </permission>
        <permission>
            <permkey>ADMI_CRMLIST</permkey>
            <permlevel>FULL</permlevel>
        </permission>
        <permission>
            <permkey>ADMI_MANAGEROLES</permkey>
            <permlevel>FULL</permlevel>
        </permission>
        <permission>
            <permkey>ADMI_ADVANCED_TEMPLATES</permkey>
            <permlevel>FULL</permlevel>
        </permission>
        <permission>
            <permkey>[scriptid=customrecord_sample]</permkey>
            <permlevel>FULL</permlevel>
            <restriction>VIEW</restriction>
        </permission>
    </permissions>
</role>