Oracle NetSuite - Troubleshooting
While configuring or extracting data from your Oracle NetSuite connection, you may encounter permission-related errors. The most common one is caused by the NetSuite role missing the permissions required to use the REST API. This guide explains the error and how to resolve it.
Connection and permission issues
Error: Your current role does not have permission to perform this action (USER_ERROR)
Error message:
NetSuite bad request error: 400
"detail": "Your current role does not have permission to perform this action."
"o:errorCode": "USER_ERROR"
What this means
NetSuite returns this error when your token signature is accepted, but the role bound to the token is not allowed to use the REST API at all. This is a transport-layer rejection that happens before NetSuite checks any record-level permissions (Items, Customers, and so on), so it does not name a specific record - it means the role cannot get into REST in the first place.
The most common cause is a missing login permission on the role.
Recommended Solution
Step 1. Enable the required features at the account level. Go to Setup > Company > Enable Features and make sure these are on:
- REST Web Services (SuiteCloud > SuiteTalk)
- OAuth 2.0 and/or Token-Based Authentication (SuiteCloud > Manage Authentication), depending on the method you use
- SuiteAnalytics Workbook (Analytics)
Step 2. Grant the transport-layer permissions on the role. These enable REST itself and are the usual cause of the error. Add the login permission that matches your authentication method:
| Permission | Subtab | Level | Why |
|---|---|---|---|
| Log in using OAuth 2.0 Access Tokens (for OAuth 2.0) or Log in using Access Tokens (for Token-Based Authentication) | Setup | Full | Authorizes REST calls. This is the most common missing permission - add the one matching your authentication method. |
| REST Web Services | Setup | Full | Access to /services/rest/... endpoints. |
| SuiteAnalytics Workbook | Reports | Edit | NetSuite requires this for REST Web Services to function, even though Improvado does not use Workbook itself. |
| User Access Tokens (Token-Based Authentication only) | Setup | Full | Lets you create and manage access tokens in the NetSuite UI. |
Note: Log in using Access Tokens is different from User Access Tokens. The first authorizes REST calls signed with a token; the second only controls who can manage tokens in the UI. The first is the one most often missing.
Step 3. Grant read access to the records you want to extract. Improvado is read-only, so View level is enough:
| Report type | NetSuite permission | Subtab |
|---|---|---|
| accounts_entity | Accounts | Lists |
| classifications_entity | Classes | Lists |
| contacts_entity | Contacts | Lists |
| departments_entity | Departments | Lists |
| counterparty_entity / entities_entity | Customers, Vendors, Partners, Employees | Lists |
| items_entity | Items | Lists |
| transactions_entity / transaction_lines_entity / transaction_accounting_lines_entity | Each transaction subtype individually (there is no umbrella Transactions permission in NetSuite REST) | Transactions |
For the transaction reports, NetSuite requires a separate permission per transaction subtype. Grant only the subtypes you want Improvado to pull - records you do not have access to are simply skipped.
| Transaction subtype | NetSuite permission |
|---|---|
| Sales Order | Transactions > Sales Order |
| Invoice | Transactions > Invoice |
| Customer Payment | Transactions > Customer Payment |
| Credit Memo | Transactions > Credit Memo |
| Journal Entry | Transactions > Make Journal Entry |
| Vendor Bill | Transactions > Bills |
| Purchase Order | Transactions > Purchase Order |
Step 4. Apply the changes. Save the role. If you use Token-Based Authentication, regenerate the access token - existing tokens do not pick up new permissions. If you use OAuth 2.0, re-authorize the connection in Improvado. Then retry the connection.
If the connection still fails, NetSuite's response will name the specific permission keyword that is blocking it - share the new error text with us and we will pinpoint the remaining one.
Verify required permissions in NetSuite directly
NetSuite's Records Catalog shows the exact permissions each REST record needs, version-current:
- Path: Setup > Records Catalog (requires the Records Catalog permission on the Setup subtab).
- URL: https://system.netsuite.com/app/recordscatalog/rcbrowser.nl
If none of the provided solutions worked, feel free to raise a request via the Service Desk.
Was this article helpful?
Thanks for the feedback!