Overview
Before setting up the NetSuite integration, it's essential to understand the necessary permissions and roles required for a smooth process. This guide outlines who needs access, what permissions are required, and how to choose the right integration role.
For more information about the Integration Page, please refer to Integration Page Overview.
Who Needs to Set Up the Integration?
The person responsible for setting up the NetSuite integration should have:
- NetSuite Administrator Privileges – Required to manage configurations, enable features, install the SuiteApp, and create Access Tokens.
- Tropic Account Owner Role – Ensures full control over the integration setup within Tropic.
Required Permissions & Roles
Administrator privileges allow you to perform key actions such as:
- Downloading and installing the SuiteApp.
- Enabling necessary features.
- Creating users and generating Access Tokens required for the integration.
Permissions Reference
The following table lists the permissions required for Tropic’s NetSuite integration:
| Type | Permission | Level for transaction capabilities | Level for purchase order capabilities |
|---|---|---|---|
| Transactions | Access Payment Audit Log | View | |
| Bill Purchase Orders | View | ||
| Bills | View | ||
| Check | View | ||
| Enter Vendor Credits | View | ||
| Expense Report | View | ||
| Finance Charge | View | ||
| Find Transaction | View | ||
| Item Receipt | View | ||
| Make Journal Entry | View | ||
| Pay Bills | View | ||
| Pay Sales Tax | View | ||
| Post Vendor Bill Variances | View | ||
| Posting Period on Transactions | View | ||
| Purchase Order | View | Create | |
| System Journal | View | ||
| Vendor Bill Approval | View | ||
| Vendor Payment Approval | View | ||
| View Payment Events | View | ||
| Reports | SuiteAnalytics Workbook | Edit | |
| Lists | Accounts | View | View |
| Classes | View | ||
| Companies | View | ||
| Currency | View | View | |
| Departments | View | View | |
| Items | View | ||
| Subsidiaries | View | View | |
| Vendors | View | View | |
| Setup | Accounting Lists | View | |
| Deleted Records | View | ||
| Log in using Access Tokens | Full | Full | |
| Other Lists | View | ||
| REST Web Services | Full | Full | |
| SOAP Web Services | Full | Full |
Should I Use an Integration User or a Named Employee?
It is strongly recommended to use a dedicated integration user for the integration. This reduces disruptions if an employee leaves the organization, ensuring the integration remains stable without needing reconfiguration.
| User Type | Implications |
| Named Employee | If the employee leaves, the integration must be reconfigured. |
| Dedicated Integration User | The integration remains stable regardless of personnel changes. |
Choosing the Right Integration Role
Selecting the correct role ensures the integration functions as expected while limiting unnecessary access.
| Role | When to Choose It |
| Tropic Spend Management Integration | If you do not plan to sync departments or employees. |
| Tropic Spend Mgmt. & HRIS Integration | If you want to sync department structures and employees. |
| Tropic Spend Mgmt., HRIS & PO Integration | If you also need to integrate Purchase Orders. |
Need to enable Purchase Orders later?
You can switch to the Tropic Spend Mgmt., HRIS & PO Integration role after your initial setup. To do so, assign the role in NetSuite, create a new Access Token using that role, and reconnect the integration in Tropic using the updated credentials. See steps in the Setup the NetSuite Integration article
Data Access and Security
Tropic follows the principle of least privilege, meaning we limit access to only what is necessary for the integration to function.
During setup, you can customize configurations, including:
- Selecting which Subsidiaries and GL accounts Tropic can access.
- Defining the scope of integration to control data sharing.
📌 Tropic can also pull in custom fields in the descriptions to help with transaction matching.
Frequently Asked Questions (FAQ)
Q: Do we have control over what information is shared?
A: Yes. You can customize which Subsidiaries and GL accounts are accessible during the setup process. Tropic only reads the data necessary for integration.
Q: What happens if the user associated with the integration leaves the organization?
A: If the user is deactivated in NetSuite, the integration will stop working and must be reconfigured. Using a dedicated integration user prevents this issue.
Q: Can I edit the subsidiaries and accounts I previously selected?
A: Yes, you can update these selections in Settings > Integrations > NetSuite within Tropic.
Q: What permissions are required to manage the integration after setup?
A: After setup, you must retain Administrator access in NetSuite or assign a user with the appropriate Tropic role to manage the integration settings and troubleshooting.
Q: Can I switch the integration user after setup?
A: Yes, but you will need to:
-
Assign the correct Tropic role to the new user in NetSuite.
-
Generate a new Access Token in NetSuite for the new user.
-
Update the integration settings in Tropic by entering the new Token ID and Token Secret.
This ensures that the integration continues to function with the new user’s credentials.
Q: How do I verify that my assigned role has the correct permissions?
A: You can check this in NetSuite by navigating to Setup > Users/Roles > Manage Roles and reviewing the permissions associated with your assigned role.
For detailed setup instructions, see the How to Set Up NetSuite Integration in Tropic article.
For Troubleshooting guide, please visit the NetSuite Integration Troubleshooting article.