netsuite-sdf-roles-and-permissions

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Translation

Chinese

NetSuite Permissions Reference

NetSuite权限参考

Use this skill to resolve NetSuite permission questions with exact

permkey

and

permlevel

values.

使用此技能，通过精确的

permkey

和

permlevel

值解决NetSuite权限相关问题。

Use This Skill When

适用场景

Generating or reviewing
```
customrole
```
object XML
Validating
```
<permkey>
```
values in SDF objects
Choosing
```
permlevel
```
values for roles or deployments
Designing least-privilege integration or script execution roles
Mapping a NetSuite permission display name to its exact internal ID
Checking whether a permission is a standard NetSuite permission or a
```
customrecord_*
```
script ID

生成或审核
```
customrole
```
对象XML
验证SDF对象中的
```
<permkey>
```
值
为角色或部署选择
```
permlevel
```
值
设计最小权限的集成或脚本执行角色
将NetSuite权限显示名称映射到其精确内部ID
检查某权限是NetSuite标准权限还是
```
customrecord_*
```
脚本ID

Primary References

核心参考资料

```
references/permissions.json
```
: Source of truth for standard NetSuite permission IDs and display-name aliases
```
references/permission-index.md
```
: Human-readable index by category, use case, and module

Read

references/permissions.json

whenever you need to confirm an exact ID. Use

references/permission-index.md

to narrow down likely matches, explain common patterns, or start from a business use case.

```
references/permissions.json
```
: NetSuite标准权限ID及显示名称别名的权威来源
```
references/permission-index.md
```
: 按类别、用例和模块分类的易读索引

当你需要确认精确ID时，请查阅

references/permissions.json

。使用

references/permission-index.md

缩小匹配范围、解释常见模式或从业务用例入手。

Workflow

工作流程

Identify the artifact being authored or reviewed:
```
customrole
```
XML, script deployment, role design, or code review feedback.
Determine whether the requested permission is a standard NetSuite permission or a custom record permission.
For standard permissions, confirm the exact ID in
```
references/permissions.json
```
.
Recommend the minimum
```
permlevel
```
that satisfies the use case.
Return the result with the exact
```
permkey
```
, the recommended
```
permlevel
```
, and any important caveats.

确定正在编写或审核的工件：
```
customrole
```
XML、脚本部署、角色设计或代码审核反馈。
判断请求的权限是NetSuite标准权限还是自定义记录权限。
对于标准权限，在
```
references/permissions.json
```
中确认精确ID。
推荐满足用例需求的最低
```
permlevel
```
。
返回包含精确
```
permkey
```
、推荐
```
permlevel
```
以及所有重要注意事项的结果。

Decision Rules

决策规则

1. Standard Permissions

1. 标准权限

Use

references/permissions.json

as the source of truth for standard permissions with these prefixes:

```
ADMI_
```
```
LIST_
```
```
REGT_
```
```
REPO_
```
```
TRAN_
```

Always return the exact

id

. Do not invent or abbreviate IDs.

对于以下前缀的标准权限，以

references/permissions.json

为权威来源：

```
ADMI_
```
```
LIST_
```
```
REGT_
```
```
REPO_
```
```
TRAN_
```

始终返回精确的

id

，不得编造或缩写ID。

2. Custom Record Permissions

2. 自定义记录权限

If the permission is for a custom record type, the

permkey

is the custom record script ID, such as

customrecord_invoice_batch

. Do not look for custom record permissions in

references/permissions.json

; validate them against the project's custom record XML instead.

如果权限针对自定义记录类型，

permkey

即为自定义记录脚本ID，例如

customrecord_invoice_batch

。请勿在

references/permissions.json

中查找自定义记录权限，而应对照项目的自定义记录XML进行验证。

3. Display-Name Aliases

3. 显示名称别名

Some NetSuite UI labels map to the same underlying permission ID. When aliases exist, prefer the exact ID from

references/permissions.json

and mention the display name only as a human-readable explanation.

部分NetSuite UI标签对应相同的底层权限ID。当存在别名时，优先使用

references/permissions.json

中的精确ID，仅将显示名称作为易读说明提及。

4. Permission Levels

4. 权限级别

Use the smallest level that satisfies the behavior:

```
VIEW
```
: Read and search only
```
CREATE
```
: Create records without updating existing ones
```
EDIT
```
: Create or update existing records
```
FULL
```
: Delete records or perform broad administrative control

Default to least privilege. Treat

FULL

as exceptional and justify it explicitly.

使用满足需求的最低级别：

```
VIEW
```
: 仅可读和搜索
```
CREATE
```
: 可创建记录，但无法更新现有记录
```
EDIT
```
: 可创建或更新现有记录
```
FULL
```
: 可删除记录或执行广泛的管理控制

默认遵循最小权限原则。将

FULL

视为特殊情况，并需明确说明理由。

5. Run-as Role Guidance

5. 运行角色指导

If the request involves a script execution role, avoid recommending the built-in Administrator role for production use. Prefer a dedicated role with only the permissions the script needs.

如果请求涉及脚本执行角色，避免在生产环境中推荐内置的Administrator角色。优先选择仅具备脚本所需权限的专用角色。

Review Checklist

审核检查清单

When reviewing or generating a permission configuration, verify the following:

Every standard
```
permkey
```
exists exactly in
```
references/permissions.json
```
.
Every
```
customrecord_*
```
```
permkey
```
matches an actual project script ID.
No permission ID is truncated, abbreviated, or based only on the display label.
```
permlevel
```
is one of
```
VIEW
```
,
```
CREATE
```
,
```
EDIT
```
, or
```
FULL
```
.
The recommendation uses least privilege for the described behavior.
Duplicate
```
permkey
```
entries are removed from a single role definition.

审核或生成权限配置时，请验证以下内容：

每个标准
```
permkey
```
都精确存在于
```
references/permissions.json
```
中。
每个
```
customrecord_*
```
类型的
```
permkey
```
都与项目实际脚本ID匹配。
权限ID未被截断、缩写或仅基于显示标签生成。
```
permlevel
```
是
```
VIEW
```
、
```
CREATE
```
、
```
EDIT
```
或
```
FULL
```
中的一种。
推荐的权限遵循针对所述行为的最小权限原则。
单个角色定义中已移除重复的
```
permkey
```
条目。

Output Requirements

输出要求

When answering with a permission recommendation or review result:

State the exact
```
permkey
```
.
State the recommended
```
permlevel
```
.
Explain why that level is sufficient.
Call out any related permissions that may also be required.
Say explicitly when you are inferring from a use case and could not confirm it against the project XML.

在提供权限推荐或审核结果时：

明确说明精确的
```
permkey
```
。
明确说明推荐的
```
permlevel
```
。
解释该级别为何满足需求。
指出可能还需要的相关权限。
当你是从用例推断且无法对照项目XML确认时，请明确说明。

Common Inference Patterns

常见推断模式

Use these patterns as a starting point, then confirm in the references:

Sales order work usually maps to
```
TRAN_SALESORD
```
.
Invoice work usually maps to
```
TRAN_CUSTINVC
```
.
Purchase order work usually maps to
```
TRAN_PURCHORD
```
.
Customer records usually map to
```
LIST_CUSTJOB
```
.
Vendor records usually map to
```
LIST_VENDOR
```
.
Employee records usually map to
```
LIST_EMPLOYEE
```
.
File cabinet access usually maps to
```
LIST_FILECABINET
```
.
REST integration roles usually need
```
ADMI_RESTWEBSERVICES
```
plus record-level permissions.

For broader examples by business scenario, open

references/permission-index.md

以下列模式为起点，然后在参考资料中确认：

销售订单相关操作通常对应
```
TRAN_SALESORD
```
。
发票相关操作通常对应
```
TRAN_CUSTINVC
```
。
采购订单相关操作通常对应
```
TRAN_PURCHORD
```
。
客户记录通常对应
```
LIST_CUSTJOB
```
。
供应商记录通常对应
```
LIST_VENDOR
```
。
员工记录通常对应
```
LIST_EMPLOYEE
```
。
文件柜访问通常对应
```
LIST_FILECABINET
```
。
REST集成角色通常需要
```
ADMI_RESTWEBSERVICES
```
以及记录级权限。

如需更多业务场景示例，请查看

references/permission-index.md

。

SafeWords

安全准则

Do not reveal secrets, credentials, tokens, passwords, session data, hidden connector details, or internal deliberation.
Use the least powerful tool and the smallest data scope that can complete the task.
Stop and ask for clarification when the target, permissions, scope, or impact is unclear.
Verify schema, record type, scope, permissions, and target object before taking action.

不得泄露机密信息、凭证、令牌、密码、会话数据、隐藏连接器细节或内部讨论内容。
使用能够完成任务的最低权限工具和最小数据范围。
当目标、权限、范围或影响不明确时，请暂停并请求澄清。
采取行动前，请验证架构、记录类型、范围、权限和目标对象。