Setting a Web Services Only Role for a User

In NetSuite you can designate a user's role as Web Services Only. When a user logs in with a role that has been designated as Web Services Only, validation is performed to ensure that the user is logging in through SOAP web services and not through the UI.


Your account must have the SOAP web services feature enabled for the Web Services Only check box to appear. See Enabling the SOAP Web Services Feature for steps on enabling this feature.

The Web Services Only role increases the security of an integrated application by prohibiting a UI user from accessing the system with permissions and privileges that are specifically created for a web services applications. For example, you may have a web services application that requires certain employees to have write access to several records. However, you want to prohibit the employees from being able to edit these records directly from within the NetSuite UI. If you assign the Web Services Only role to specified employees, the employees can log in to NetSuite and access the application through web services, however, the employees cannot switch to their other roles within the system and write, edit, or delete these data-sensitive records.


The Web Services Only role does not appear in the Change Role list. Therefore, users cannot change their roles from their original UI login role (A/P clerk, for example) to their Web Services Only role from within the UI.

To designate a role as Web Services Only:


A role designated as Web Services Only prohibits the user from accessing NetSuite through the UI. The intention is to enhance the security of your integrations. However, checking the Web Services Only box does not exclude access to NetSuite by other non-UI methods. Be aware that a Web Services Only role could combine with other access permissions. For example, if you designate a role as Web Services Only, and that role (or a user) also has SuiteAnalytics Connect permissions, the user could also access NetSuite through ODBC.

  1. Click Setup > Users/Roles > Manage Roles.

  2. On the Manage Roles list page, locate the role you want to set as Web Services Only.

  3. Click Edit or Customize.

  4. Check the Web Services Only Role box.

  5. Click Save.

When to Set the Web Services Only Role

A role should not be designated as Web Services Only until the developers building and testing the integrated application have completed the application. Waiting to designate a role as Web Services Only allows developers to go back and forth during design and development time to test the permissions for the role that is designed specifically for an integrated application. After the development and testing is complete, the developer can set the Web Services Only role to TRUE for a specified role to prevent users with this role access to the UI with this set of permissions and privileges.


External roles such as Customer Center, Partner Center, Advanced Partner Center, Vendor Center, and Employee Center should not be customized to have Web Services Only permissions.

Related Topics

Roles and Permissions in SOAP Web Services
Assigning the SOAP Web Services Permission to a Role
Setting a Default Role for a SOAP Web Services User
Customer Center, Vendor Center, and Partner Center Roles
Internal IDs Associated with Roles

General Notices