Tuesday, February 26, 2019

Use SuiteScript to Mimic Advanced Permissions

These instructions help set up advanced permissions that stop users from accessing records.  For this to work, the logged-in user must already have permission to do what is being requested.  The script then throws an error that prevents the action if, based on custom logic, the user shouldn't have permission.

1. Create a User Event script and deploy it to the records that require permissions (or to all records).
2. Create a BEFORE LOAD FUNCTION that checks custom conditions and throws an error if they aren't met.  This will prevent the record from being loaded.

Example script deployed on all records, preventing users with the role Engineer (internal id 32) from editing sales orders with class id 3:
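
The check described above, written out as an added example in SuiteScript 1.0; it is not the post's original script. The role and class ids are the ones given in the text, while the rule table, the function names `findDenyRule` and `beforeLoadCheck`, and the error code `ADV_PERMISSION_DENIED` are assumptions made for illustration.

```javascript
// Added example (SuiteScript 1.0 User Event script); not the post's original code.
// Ids from the text: role Engineer = 32, class = 3. Other names are assumptions.
var DENY_RULES = [
  { recordType: 'salesorder', eventTypes: ['edit'], role: '32', classId: '3' }
];

// Pure decision logic: returns the first matching deny rule, or null.
// Ids are normalised with String() so '32' and 32 compare equal.
function findDenyRule(rules, access) {
  for (var i = 0; i < rules.length; i++) {
    var r = rules[i];
    if (r.recordType === access.recordType &&
        r.eventTypes.indexOf(access.eventType) !== -1 &&
        String(r.role) === String(access.role) &&
        String(r.classId) === String(access.classId)) {
      return r;
    }
  }
  return null; // no rule matched: native NetSuite permissions decide
}

// Entry point: set as the deployment's BEFORE LOAD FUNCTION.
function beforeLoadCheck(type, form, request) {
  var access = {
    recordType: nlapiGetRecordType(),
    eventType: String(type).toLowerCase(),
    role: nlapiGetRole(),
    classId: nlapiGetFieldValue('class') // empty on records with no class set
  };
  if (findDenyRule(DENY_RULES, access)) {
    // Throwing aborts the load; third argument suppresses the error email.
    throw nlapiCreateError('ADV_PERMISSION_DENIED',
      'Your role may not ' + access.eventType + ' this record.', true);
  }
}
```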

Notes:

  • nlapiGetContext().getExecutionContext() can be used to make a permission apply only in specific contexts (e.g. Web Store, Web Services, CSV imports or inline editing)
  • Can be used in very dynamic ways.  An example using roles, context and datetime might be that Employees with the role Sales Person can only do CSV imports of Sales Order records from 9AM-5PM Monday-Friday and can't edit invoice records.  Another example would be to prevent inline editing of a customer record for a specific customer.

It is also possible to store the permissions in a custom record.  This way they can be modified without scripting.  This requires knowing which fields will be used for permissions.

1. Customization > Lists, Records, & Fields > Lists > New
  • Name list Permission Levels
  • Add values for permission levels (edit, view, create, full)
  • Save
2. Customization > Lists, Records, & Fields > Record Types > New
  A.
    • Name the record Advanced Permissions
    • Set permission on the record so that only employees who should be able to change permissions can access the custom record
    • Save
    • Create a field called Record of type List/Record and set the List/Record to Record Type
    • Save
    • Create a field called Level of type List/Record and set the List/Record to the list from step 1 (Permission Levels)
  B.
    • Create a field (or fields) for each custom permission (e.g. class, department, date, context, restrict) and then select the appropriate field type
    • Save
3. Modify the script to search the custom record using the record type, the permission level (passed as type in the function) and any custom criteria from step 2B
4. Substitute the values in the simple script above with variables taken from the search
 

Note: The fields in step 2B can be designed so that they refer to a field on the record being accessed or on the user accessing it, as long as the script is coded to do so.

Creating permissions this way is not intended to replace default NetSuite permissions.  Logical errors made while customizing the script could allow users to access things they were not intended to if the script doesn't work correctly.
