Configuring Provisioning for NetSuite


This guide provides the steps required to configure Provisioning for NetSuite and includes the following topics:


The following provisioning features are supported:

Netsuite-specific features:


Note: If you already have set up the NetSuite application with Admin Username and Admin password authentication, your existing settings will continue to work. However if you need to change any provisioning settings, you need to switch to Token Based authentication.

Complete the following before you configure provisioning for NetSuite:

Configure NetSuite

  1. Enable the Web Services feature (the NetSuite web services feature needs to be enabled prior to submitting web services requests):

    • Log in to NetSuite as an administrator.

    • Go to Setup > Company > Enable Features.

    • Select the SuiteCloud subtab.


    • Select the Manage Authentication section.

    • Check TOKEN-BASED AUTHENTICATION (click I Agree on the SuiteCloud Terms of Service page if needed).

      enable features

    • Click Save.

  2. Obtain your Account ID:

    • Still logged into NetSuite as an administrator.

    • Go to Setup > Integration > Web Services Preferences.

    • Copy and save your Account ID.


  3. Set Up Token-Based Authentication (TBA): (Setting Up Token-based Authentication Roles)

    Note: You require a NetSuite account to access NetSuite links referenced in this document.

    • Go to Setup > Users/Roles > Manage Roles.

    • Create a new role.

    • In the Subsidiary Restrictions section, select all available SUBSIDIARIES:


    • Add the following permissions to this role:

      add permissions

  4. Assign a User to the Token-based Authentication Role:

    • Navigate to Lists > Employees > Employees.

    • Click Edit next to the name of the employee you want to assign the token-based authentication role.

    • Click the Access tab.

    • In the Role field, select the token-based authentication role for this employee.

    • Click Add.

    • Click Save.


  5. Create an Application for Token-based Authentication:

    • Navigate to Setup > Integration > Integration Management > Manage Integrations > New.

    • Enter a Name for your application.

    • The application State is Enabled by default. (The other option available for selection is Blocked).

    • Check the Token-based Authentication box on the Authentication tab.

    • netsuite_prov_new5.png

    • Click Save. The confirmation page displays the Consumer Key and the Consumer Secret for this application.

    • Important:

      For security reasons, the only time the Consumer Key and the Consumer Secret values are displayed is on this confirmation page.

      After you leave this page, these values cannot be retrieved from the system.

      If you lose or forget these credentials, you will need to reset them to obtain new values.

  6. Create a TBA Token and save your Token Id and Token Secret:

    • Log in as a user with the Access Token Management permissions.

    • Go to Setup > Users/Roles > Access Tokens > New.

    • The Access Token page displays.

    • On the Access Token page:

      • Select the Application Name.

      • Select the User.

      • Select the Role.

      • The Token Name is already populated by default with a concatenation of Application Name, User, and Role. Enter your own name for this token, if desired.

      • Click Save.

        The confirmation page displays the Token ID and Token Secret.

Configuration Steps

  1. Configure your Provisioning settings for NetSuite as follows:

    • Check Enable API Integration.

    • Enter your NetSuite API Credentials:

      • Admin Account ID.

      • Consumer Key.

      • Consumer Secret.

      • Token ID.

      • Token Secret.


    • If you have configured Netsuite with Admin username and Password authentication, your API integration will look slightly different, as shown here:


      In this case in order to switch to token based-authentication authentication, enter the following NetSuite credentials:

      • Consumer Key

      • Consumer Secret

      • Token ID

      • Token Secret

      Once set, you can proceed. It's up to you to leave or clean admin credentials fields. Okta will use token based authentication whenever tokens are provided.

  2. Select To App in the left panel, then select the Provisioning Features you want to enable, then click Save.

  3. You can now assign people to the app (if needed) and finish the application setup.

  4. User Provisioning Notes:

    • Okta only supports managing Employees.

    • If you have the UD features enabled, Okta offers the added functionality to set the Employee's Supervisor attribute. This attribute can only be set for users who are imported into Okta from Active Directory. The Employee's Supervisor attribute maps to the supervisor's User ID in NetSuite.

    • If you are setting up NetSuite as source, inactive users and users with insufficient access levels in NetSuite will be deactivated in Okta if you have the following provisioning options enabled in Okta:

      • Do not import inactive users

      • Do not import users without access

    • If you already have set up NetSuite application with Admin Username and Admin password authentication, your existing settings will still work. However if you need to change any provisioning settings, you will have to switch to Token-Based authentication.

Schema Discovery

NetSuite supports User's Schema Discovery, so you can add some extra attributes to User's Profile, to do that, follow the instructions below:

Supported Custom Entity Fields

Before you begin, note that the following Custom Entity fields are supported:

To add extra attributes to a User’s Profile:

  1. Ensure you have selected EMPLOYEE in the Applies To section on the NetSuite side for the Custom Entity field you want to use.


  2. In Okta, from the Admin dashboard, select Directory > Profile Editor.

  3. Select the APPS section in the left navigation bar, then find your app in the list.

  4. Check the list of attributes, and if you decide you need more, click Add Attribute. A list of extended attributes will appear:


  5. Select the attributes you want to add, then click Save.

  6. You can now import and push these user attribute values to/from NetSuite.

Migration Flow (Legacy to UD Version)

  1. Disable the Update User Attributes provisioning feature in Provisioning options. This must be done in order to prevent mass de-provisioning from NetSuite once your instance is upgraded to the latest user profile.

  2. “netsuite_newx.png"

  3. Contact OKTA Support to migrate your AppUser profile to the latest version.

    Note: Keep a screenshot of your current mappings before the migrating the AppUser profile. This helps ensure that any existing mappings have not been tampered with.

  4. Re-authenticate your NetSuite application instance using Token Based Authentication (see instructions earlier in this document).

  5. Perform a user import by clicking the Import Now button from the import tab of NetSuite application. Once completed this import overwrites Give access values for all assigned users with the correct value.


  6. Ensure users were populated with correct data and that the given access value is set to true for all users who should remain provisioned in Netsuite.

  7. Enable the Update User Attributes provisioning feature in Provisioning options that you disabled in step 1. Note that in case of many users, it is possible you may experience rate limit errors and may need to retry failed updates.


Troubleshooting Tips