Mandatory Two-Factor Authenticat

Author: e85a69573d55 | Published: 2019-09-18 22:59

    For enhanced security, NetSuite requires two-factor authentication (2FA) for all Administrator and other highly privileged roles when logging in to any NetSuite account. This requirement includes UI access to production, sandbox, development, and Release Preview accounts. The Administrator and highly privileged roles are designated as 2FA authentication required by default, and this requirement cannot be removed. Certain highly privileged permissions mandate that a role be 2FA required by default. Any standard or customized roles that include these permissions are indicated in the Mandatory 2FA column on the Two-Factor Authentication Roles page. For more information about highly privileged roles, see Permissions Requiring Two-Factor Authentication (2FA).

    The mandatory 2FA requirement also applies to all non-UI access. Non-UI access means accessing NetSuite through an Application Programming Interface, or API. SuiteTalk (web services) and RESTlets are two examples of non-UI access to NetSuite. 2FA-required roles employing user credentials for API authentication will fail.

    FAQ: Updates for Mandatory 2FA

    See the following for more information about mandatory 2FA in your NetSuite account.

    What could be affected in my account by the mandatory 2FA requirement?

    Why do I need to update integrations and RESTlets?

    What kind of updates do I need to make?

    How do I update my web services integrations and RESTlets?

    How do I change my Inbound SSO solution?

    What is wrong with user credentials in my integrations?

    I do not own the code for my integration, I cannot modify it. What should I do?

    What is a highly privileged role?

    What is the principle of least privilege?

    Is SuiteAnalytics Connect access (ODBC or JDBC or ADO.NET) affected by mandatory 2FA?

    Are Suitelets or Scheduled Scripts set to have Administrator or Full Access on the "Execute As Role" field affected?

    What could be affected in my account by the mandatory 2FA requirement?

    Integrations and RESTlets that employ user credentials to access NetSuite might be affected by this change, particularly in the following situations:

    NLAuth for RESTlets. See Using User Credentials for RESTlet Authentication for more information.

    SuiteTalk (web services) integrations that use the login operation. See login for more information.

    SuiteTalk (web services) integrations that use the passport element sent as Request Level Credentials (RLC). See Request-Level Credentials for more information.

    Inbound SSO integrations that use the mapSso operation. See mapSso for more information.

    Important

    In your integrations, you might need to use certain functions that require a highly privileged role. We recommend that you transition these integrations to use token-based authentication (TBA) rather than user credentials, or specify a less-privileged role that does not require 2FA. For more information, see Token-based Authentication (TBA). For information about using TBA with your integrations, see Integration Management.

    Why do I need to update integrations and RESTlets?

    You must make changes if you are using roles that require two-factor authentication (2FA) and employ user credentials with your RESTlets (NLAuth) or in your web services integrations.

    As of 2018.2, 2FA is mandatory for Administrator and other roles with highly privileged permission for access to the NetSuite UI in all existing NetSuite accounts. The mandatory 2FA requirement also applies to API authentication (non-UI access) to NetSuite. 2FA-required roles employing user credentials for API authentication will fail.

    Transition to Token-based Authentication (TBA)

    Transition your RESTlets that use NLAuth to TBA. TBA uses OAuth instead of NLAuth. See Authentication for RESTlets and Required Data for Using TBA with RESTlets.

    Transition your SuiteTalk (web services) integrations that employ the login operation, and those that use the passport element sent as Request Level Credentials (RLC), to use TBA. For information about using TBA with your integrations, see Integration Management.

    What kind of updates do I need to make?

    You should begin updating your RESTlet and web services integrations as soon as possible. You have two alternatives for your RESTlet and web services integrations:

    Change your integrations so that they do not use highly privileged roles by following the best practice “principle of least privilege”. Avoid using the Administrator role or any of the other highly privileged roles listed in Permissions Requiring Two-Factor Authentication (2FA). For more information on constructing roles, see Customizing or Creating NetSuite Roles.

    If an integration must use a highly privileged role, change the authentication method from user credentials to token-based authentication (TBA). See Updating an Integration to Send Token-Based Authentication Details. See also Using TBA for RESTlet Authentication (OAuth). For general information about the TBA feature, see Token-based Authentication (TBA).

    How do I update my web services integrations and RESTlets?

    You must update the third-party application and the related integration record in NetSuite. Suggestions for updating your integrations and RESTlets follow:

    Modify Roles: avoid using highly privileged roles that require 2FA

    See Permissions Requiring Two-Factor Authentication (2FA) for a list of highly privileged roles in NetSuite. If you are using an Administrator role, or any other highly privileged role, create a new role that has only the permissions required to complete the task. Ensure that the new role does not require 2FA.

    Customize a standard NetSuite role, and remove unnecessary privileges from that customized role. Ensure that the customized role does not require 2FA.

    Transition to Token-based Authentication (TBA)

    If you use RESTlets: change your integration to use TBA. TBA uses OAuth instead of NLAuth. See Authentication for RESTlets and Required Data for Using TBA with RESTlets.

    If you use SuiteTalk (web services): change your integration to use TBA. For information about using TBA with your integrations, see Integration Management.

    How do I change my Inbound SSO solution?

    If you are using the NetSuite version of Inbound Single Sign-on (SSO), it is probable that you use the mapSso operation to create mappings. The mapSso operation employs user credentials. The Administrator role is required to create the initial mapping, so that all other users can create their own mappings for Inbound SSO access. For more information, see Creating the Initial Mapping of the Administrator Role for Inbound Single Sign-on.

    The mandatory 2FA requirement will affect API (that is, non-UI) access to NetSuite. You should start updating your Inbound SSO now. 2FA authentication required roles employing user credentials for API authentication will fail.

    All existing Inbound SSO mappings will continue to work. However, if you need to create a new mapping for a 2FA required role, you have several alternatives.

    A preferable solution is to switch from Inbound SSO to Token-based Authentication (TBA). We urge you to consider using less-privileged roles along with TBA.

    If you must create the initial mapping of an Administrator role in a new account:

    Create the mapping manually. Do not use the mapSso operation; it will not work when mandatory 2FA is enabled.

    Or:

    Make the mapping part of the application, redirecting a user to NetSuite with a token. This option requires some development effort. For more information, see Creating the Initial Mapping of the Administrator Role for Inbound Single Sign-on.

    For creating mappings for all other (non-administrator) roles:

    Consider using less privileged roles that do not require 2FA, and use the mapSso operation. The mapSso operation will work for mapping these less-privileged roles.

    If a non-privileged role is not an option, and Inbound SSO is still desired, follow the instructions for creating the mapping for an administrator role above (create the mapping manually, or make the mapping part of the application.)

    What is wrong with user credentials in my integrations?

    You should use tokens for authentication (token-based authentication, or TBA) instead of user credentials (a username and password) with web services and RESTlets. Why? Passwords expire, but tokens do not, which makes tokens better than passwords for computer-to-computer communications. Update your integrations to use Token-based Authentication (TBA) instead of user credentials.

    I do not own the code for my integration, I cannot modify it. What should I do?

    It is possible that you might not be able to modify an integration, for example, if your integration was provided by a partner or a third-party provider. If this is the case, contact the partner or third-party who provided the integration, and request that they make the appropriate changes.

    What is a highly privileged role?

    Highly privileged roles are the Administrator or other highly privileged role, or any of the roles listed in Permissions Requiring Two-Factor Authentication (2FA). Avoid using these roles with your integrations or RESTlets.

    What is the principle of least privilege?

    When you create a web service (an integration), you associate a role with that integration. Sometimes the task requires a highly privileged role, sometimes not. The principle of least privilege means you should use a role with the lowest possible privilege that will get the job done. Do not use the Administrator role or any other highly privileged role for an integration unless it is absolutely necessary.

    Is SuiteAnalytics Connect access (ODBC or JDBC or ADO.NET) affected by mandatory 2FA?

    No. SuiteAnalytics Connect access is not subject to the mandatory 2FA requirement.

    Are Suitelets or Scheduled Scripts set to have Administrator or Full Access on the "Execute As Role" field affected?

    No. The mandatory 2FA requirement is applied only to the authentication process.
