Forbidden Access Control in NetSuite My Account Menu

Understand how access restrictions in the My Account application ensure user roles dictate feature visibility and prevent unauthorized access.


The My Account application in NetSuite dynamically generates menus based on user permissions. Access to features is governed primarily by the roles assigned to each user, meaning that links to certain functionalities, such as Order History, will only appear if the user has the requisite permissions. This setup enhances security by preventing users from accessing restricted areas.

How Are Menus Generated?

Menus are generated differently for the header and account overview sections:

Header Menu

The header menu is constructed using the header_menu_myaccount.tpl template, which is responsible for rendering the menu based on user permissions. The HTML structure incorporates data-permissions attributes that specify which user permissions must be matched for the menu items to be visible.

Example of Header Menu HTML:

```html
<a class="header-menu-myaccount-anchor-level3" href="#" data-touchpoint="customercenter" data-hashtag="#returns" data-permissions="transactions.tranFind.1,transactions.tranRtnAuth.1" name="returns">
{{translate 'Returns'}}
</a>
```

In this snippet, the link to returns will only display if the logged-in user possesses the appropriate permissions.

Account Overview Menu

In contrast, the Account Overview menu is generated automatically upon loading the My Account application. The relevant modules return MenuItems objects that define each menu's entries.

Example of MenuItems Definition in JavaScript:

```javascript
// Property of the object returned by the module; one entry per menu item.
MenuItems: {
  parent: 'orders',
  id: 'quotes',
  name: _('Quotes').translate(),
  url: 'quotes',
  index: 5,
  permission: 'transactions.tranFind.1,transactions.tranEstimate.1'
}
```

Here, the 'Quotes' entries are only shown if the user has the necessary transaction permissions.
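Both the header `data-permissions` attribute and the `MenuItems.permission` property carry the same comma-separated `group.permission.level` format. The following is an added example, not SuiteCommerce code, that shows how such a string can be evaluated against a user's permission set to decide which entries to render; it assumes that every listed entry must be satisfied and that the trailing number is the minimum level the user must hold (both assumptions, and `userPermissions` is a constructed sample).

```javascript
// Constructed sample of the permission levels reported for a logged-in user.
// Assumption: levels are numeric and a higher level implies the lower ones.
const userPermissions = {
  transactions: { tranFind: 1, tranEstimate: 0, tranRtnAuth: 2 },
  lists: { listCustomer: 1 }
};

// Parse "transactions.tranFind.1" into group, permission name and level.
// Malformed entries are rejected rather than silently treated as granted.
function parsePermission(entry) {
  const parts = entry.trim().split('.');
  if (parts.length !== 3 || !/^\d+$/.test(parts[2])) {
    throw new Error('Malformed permission entry: ' + entry);
  }
  return { group: parts[0], name: parts[1], level: Number(parts[2]) };
}

// True only when the user meets every entry in the comma-separated list.
// An empty string means the item declares no restriction (assumption).
function hasPermissions(permissionString, perms) {
  if (!permissionString) return true;
  return permissionString.split(',').every((entry) => {
    const p = parsePermission(entry);
    const have = (perms[p.group] || {})[p.name] || 0;
    return have >= p.level;
  });
}

// Keep only the MenuItems-style definitions the user is allowed to see.
function visibleMenuItems(items, perms) {
  return items.filter((item) => hasPermissions(item.permission, perms));
}

// Constructed menu definitions mirroring the Returns and Quotes entries above.
const menu = [
  { id: 'quotes', permission: 'transactions.tranFind.1,transactions.tranEstimate.1' },
  { id: 'returns', permission: 'transactions.tranFind.1,transactions.tranRtnAuth.1' },
  { id: 'overview', permission: '' }
];
```

With the sample user, `quotes` is hidden because `tranEstimate` is 0, while `returns` and `overview` are rendered. Hiding an entry is a visibility decision only; the forbidden-access handling described below is what stops direct navigation.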

Managing Forbidden Access

Despite these permissions, users may attempt to access restricted pages directly. The application uses the ErrorManagement.ForbiddenError.View module to display an error message for unauthorized access. By default, this message reads:

"Sorry! You have no permission to view this page. Please contact the website administrator, click here to continue."

This error template can be customized to better fit the branding and communication needs of your web store.

Customization Considerations

When setting up permissions in the My Account application, ensure that:

  • The customer center role has the right permissions assigned to its users.
  • Test combinations of permissions to confirm they function as intended across different modules and features.

Who This Affects

  • Administrators: Responsible for managing user permissions.
  • Developers: Involved in customizing menu displays and error messages.
  • Accountants: May need to access specific financial information linked to their roles.

Key Takeaways

  • Menu visibility in My Account is controlled by user permissions.
  • Different templates manage headers and account overview menus.
  • Unauthorized access results in a default error message that can be customized.

Source: This article is based on Oracle's official NetSuite documentation.

Frequently Asked Questions (4)

How are user permissions applied to the My Account menu in NetSuite?
User permissions in NetSuite's My Account menu create a dynamic menu that displays links based on roles assigned to each user. This ensures only those with the appropriate permissions can access certain functionalities.
What happens if a user tries to directly access a restricted page in the My Account application?
If a user attempts to access a restricted page directly, the application displays an error message using the `ErrorManagement.ForbiddenError.View` module, notifying them of unauthorized access and suggesting they contact the website administrator.
Can the error message shown for unauthorized access be customized?
Yes, the error message displayed for unauthorized access in the My Account application can be customized to better align with the branding and communication needs of your web store.
Do I need to set permissions manually for both the header and account overview menus in My Account?
Yes, permissions need to be set correctly so that both the header and account overview menus display the correct entries for each user's roles. The header template uses `data-permissions` attributes, while the account overview menu relies on the `permission` property of each `MenuItems` definition, to determine visibility.
Source: Forbidden Access Oracle NetSuite Help Center. This article was generated from official Oracle documentation and enriched with additional context and best practices.
