When NetSuite’s release 2018.2 arrived, it came with mandatory 2-factor authentication for administrators. At SuiteWorld 2018, several developer sessions emphasized NOT using administrator accounts for SuiteTalk apps. Instead, customized roles should be created. In addition, NetSuite was really pushing token-based authentication. I spent time getting token-based working for RESTLets. However, at this point, I’m not even sure token-based authentication is available for SuiteTalk apps. So I made the decision to move my SuiteTalk app from an admin role to a customized role that would never require 2-factor authentication. This turned out to be much harder than I’d originally thought!

First, take note. There is a checkbox that limits your customized role to web services logins only. Probably a good idea!

Next, my SuiteTalk app synchronizes sales orders from a legacy system into the cloud where they are processed in NetSuite. At the time the sales order jumps to NetSuite, I set the estimated cost of sales order line items. This is not something we allow typical users to do.

When my SuiteTalk app ran under the admin role, it worked great. When I switched it to my new custom role, it failed.

My SuiteTalk app is written as a C# console application. Here is the error message I see in the log, “INSUFFICIENT PERMISSION.”

The error message told me my app was unable to update the item.costestimatetype. There are a couple of reasons I’ve seen that cause this message. First, the field is not present or not visible on the form. Be sure you know which form your SuiteTalk app is using. I force the form selection in my app. Here is where that’s done in code.

Then, edit the form and make sure the field is visible. For sales order line items, that is under the “Sublist Fields” subtab.

And finally, how the heck can I know what authority to give my new custom role so that it can update this field? This was the most perplexing and frustrating question of all!

After way too much experimentation, I stumbled onto this SuiteAnswers article, #9911.

This is where NetSuite hides the answer to almost every SuiteTalk developer’s question regarding security. It’s what I had been missing. I downloaded this spreadsheet and did a quick search on “Cost Estimate Type.”

Once I set this permission in my new custom role, my error message was gone and orders started synchronizing perfectly.

Hopefully, this article will save you time and make your transition from using an admin role to a customized “Web Services Only” role less painful that it was for me.