Stats

Actions

Tags

Help us improve

Share bugs, ideas, or general feedback.

netsuite-identity-access-role-permission-skill |…

Skill

netsuite-identity-access-role-permission-skill

From vanguard-frontier-agentic

Static reviews NetSuite role configurations, permission assignments, and Segregation-of-Duties design. Validates custom roles against standard baselines, resolves SDF permission codes, and flags SoD conflicts.

$

npx claudepluginhub raishin/vanguard-frontier-agentic --plugin vanguard-frontier-agentic

Popularity

Stars

16

Forks

1

Invocation

How this skill is triggered — by the user, by Claude, or both

Slash command

/vanguard-frontier-agentic:netsuite-identity-access-role-permission-skill

User invocable

Model invocable

Inline context

Default effort

Tool Access

This skill is limited to the following tools:

ReadGrepGlob

Context Preview

The summary Claude sees in its skill listing — used to decide when to auto-load this skill

Role structure, permission levels, and SoD conflict detection in NetSuite. Covers standard role baselines, custom role derivation, permission catalog lookup against the 684-code SDF catalog, and multi-role SoD conflict matrices. T0 static review — no NetSuite account connection required; output is a draft for human review.

Supporting Files

metadata.jsonreferences/least-privilege.mdreferences/official-sources.mdreferences/release-drift.mdreferences/safety-checklist.mdreferences/sod-conflict-matrix.md

SKILL.md

87 lines · ~1.5k tokens

Similar Skills

netsuite-sdf-roles-and-permissions

284

Resolves NetSuite SDF permission configurations: customrole XML, permkey/permlevel values, script deployment permissions, and least-privilege role design. Validates against bundled reference data.

2 files

netsuite-suitecloud

netsuite-audit-controls-sox-skill

16

Audits NetSuite financial controls for SOX compliance: SoD analysis, posting periods, revenue recognition, approval workflows, audit trails.

6 files3 tools

vanguard-frontier-agentic

role-validate

352

Validates 1C (Enterprise) role Rights.xml: XML format, namespace, global flags, object types, permission names, RLS constraints, and templates. Optionally checks role metadata (UUID, name, synonym).

2 tools

Stats

LanguagePython

Stars16

Forks1

MaintenanceExcellent

Last CommitJun 11, 2026

Actions

View Source View Plugin View on GitHub View README

Tags

permission-audit

segregation-of-duties

Help us improve

Share bugs, ideas, or general feedback.

NetSuite Identity Access Role Permission Skill

Purpose

Role structure, permission levels, and SoD conflict detection in NetSuite. Covers standard role baselines, custom role derivation, permission catalog lookup against the 684-code SDF catalog, and multi-role SoD conflict matrices. T0 static review — no NetSuite account connection required; output is a draft for human review.

When This Skill Owns the Task

User needs a role configuration reviewed for over-permission or SoD conflicts
SDF customrole XML export needs permission-level validation against the 684-code catalog
Custom role derivation from a standard role must be verified
Integration record or script run-as role needs least-privilege assessment
2FA designation coverage for privileged roles needs an audit

Recommended Workflow

Step 1 — Collect sanitized role export or SDF customrole XML; confirm no credentials or token values are present
Step 2 — Identify the standard role baseline the custom role was copied from; flag if copied from Administrator or created blank
Step 3 — Resolve each permkey against the netsuite-sdf-roles-and-permissions catalog (684 codes); label unknowns [UNVERIFIED]
Step 4 — Apply SoD conflict matrix: flag any role combining initiating and approving functions on the same transaction type
Step 5 — Map permissions triggering mandatory 2FA (evidence 5c); flag any such role missing 2FA designation
Step 6 — Rate every finding Critical / High / Medium / Low / Unknown; emit structured report with remediation guidance and escalation triggers

Evidence Hierarchy

LIVE_EVIDENCE > REPOSITORY_EVIDENCE > USER_PROVIDED > OFFICIAL_DOCUMENTATION > INFERENCE > UNVERIFIED > BLOCKED

Safety Checklist

No credentials, tokens, or client secrets in the submitted configuration excerpt
Role analysis is read-only — no account changes are recommended without human review
Every permission recommendation cites an evidence row or the Oracle SDF permission catalog
Administrator role is never recommended for any purpose
SoD findings are rated and routed to a named human decision owner before remediation

Rules — Hard-Stop Constraints

Static review only; never connect to a live NetSuite account or invoke APIs/SuiteScript/SDF.
Never request or accept credentials, tokens, or secrets.
Never depend on the Administrator role; recommend least-privilege custom roles (note 2FA).
Prefer OAuth 2.0 (REST/RESTlets/SuiteAnalytics Connect) over SOAP; treat SOAP as a migration risk.
Never claim a Coming-Soon certification is available.

Refusal Triggers

Request includes or asks for user passwords, access tokens, TBA token values, OAuth client secrets, or session cookies
Request asks the agent to act as or assume Administrator role
Request asks to perform a live role assignment, permission edit, or user account modification — escalate to netsuite-live-org-mutation-guard-agent
Coming-soon cert (AI Specialist, AI Professional) claimed as available for role alignment context
Request asks to generate TBA tokens, OAuth authorization codes, or integration credentials
Scope creep: authentication mechanism design questions belong to netsuite-sso-oauth-tba-agent

T0 Contract

No account connection, no OAuth, no secrets. Output is draft review text for a human owner.

Security Notes

Static review only — works from sanitized configuration excerpts and never requests credentials, tokens, client secrets, or user PII. Never assumes or recommends Administrator role. Every permission recommendation cites official evidence. Does not perform live role assignments or account mutations.

Reference File Index

official-sources.md — Oracle/NetSuite official documentation URLs for roles, permissions, and 2FA requirements
safety-checklist.md — Pre-submission checklist for sanitizing role exports before analysis
least-privilege.md — Custom role design guide: standard role baselines, permkey conventions, SoD matrix
release-drift.md — Tracks SOAP/TBA deprecation milestones relevant to integration-record role design
sod-conflict-matrix.md — Reference conflict pairs for common NetSuite financial and administrative function combinations