Data Extraction Guide
for Oracle NetSuite
Step-by-step instructions for your IT team to extract the required data files from NetSuite via SuiteQL REST API or manual export for the AuditCore security and controls assessment.
Extract-AuditCoreNetSuite.ps1 which uses the SuiteQL REST API to extract all 20 files automatically. No additional PowerShell modules are required — it uses pure .NET HttpClient. See Section 2.| Requirement | Details | Notes |
|---|---|---|
| NetSuite Role | Administrator or Full Access | Required for system notes, audit trail, and cross-subsidiary queries |
| Token-Based Auth (TBA) | ConsumerKey, ConsumerSecret, TokenId, TokenSecret | Setup → Integrations → Manage Authentication → Token-Based Authentication |
| SuiteQL Feature | Enabled in Company Preferences | Setup → Company → Enable Features → SuiteCloud → SuiteQL |
| Account ID | Numeric or alphanumeric (e.g. 123456 or 123456-sb1) | Setup → Company → Company Information → Account ID |
All files are CSV format. The PowerShell script produces these exact filenames.
User Accounts
All NetSuite users: status, admin flag, department, 2FA status, IP restriction, subsidiary access, last login date
Role Assignments
User ↔ role mappings with subsidiary scope and assigned date
Role Permissions
Per-role permission set: permission ID, name, and level (Full/Edit/View/Create)
Subsidiaries
Subsidiary hierarchy: name, country, currency, parent, elimination flag
Login Audit Log
All login attempts (last 90 days): user, IP address, status (Success/Failure), failure reason
System Notes / Change Log
Audit trail of changes to key records: vendor bank changes, user deletions, bulk operations
Account Preferences
System-level security settings: session timeout, HTTPS enforcement, 2FA requirement, IP rules, release preview
Accounting Periods
Period definitions: name, start/end dates, type (Month/Quarter/Year), open/closed status
Journal Entries
Manual journals (last 90 days): amount, created by, approved by, period, status
Transactions (AP/AR)
AP bills and payments (last 90 days): type, amount, vendor, created by, status
Vendor Master
All vendors: name, tax ID, bank account (masked), payment method, last modified by and date
Payment Transactions
Payment records (last 90 days): amount, vendor, created by, approved by, payment method
Approval History
All approval workflow events: record type, submitted by, approved by, date, status
TBA Integration Tokens
All TBA tokens: application name, linked user/role, permissions, created date, last used
OAuth 2.0 Tokens
OAuth client credentials: client ID, scope, issued date, last rotated, expiry
Script Deployments
RESTlet/SuiteScript deployments: name, execute-as role, audience (all roles vs. specific), status
Scheduled Scripts
Scheduled SuiteScript jobs: name, execute-as role, frequency, last run date, status
Saved Searches
Public/private saved searches: name, creator, access level, record type, PII content flag
Custom Field Definitions
Custom record fields: name, type, applies to, PII flag, access level
Password & Session Policy
Password complexity, expiry, session timeout, HTTPS enforcement settings
Extract-AuditCoreNetSuite.ps1 uses the SuiteQL REST API with OAuth 1.0a Token-Based Authentication. No additional modules required — works on any Windows machine with PowerShell 5.1+.Step-by-step
- 1Enable SuiteQL: Setup → Company → Enable Features → SuiteCloud tab → check "SuiteQL". Save.
- 2Create TBA credentials: Setup → Integrations → Manage Authentication → Token-Based Authentication → New. Note the ConsumerKey, ConsumerSecret, TokenId, and TokenSecret (shown only once).
- 3Find your Account ID: Setup → Company → Company Information → Account ID (e.g.
1234567). - 4Download
Extract-AuditCoreNetSuite.ps1and run in PowerShell 5.1+:# Run with TBA credentials .\Extract-AuditCoreNetSuite.ps1 ` -AccountId "1234567" ` -ConsumerKey "your-consumer-key" ` -ConsumerSecret "your-consumer-secret" ` -TokenId "your-token-id" ` -TokenSecret "your-token-secret" - 5All 20 CSV files will be saved to
C:\AuditCore\NetSuite\. - 6Upload to AuditCore → New Audit → Oracle NetSuite → Bulk Upload.
Administrator role specifically for this extraction. Revoke the TBA token immediately after the assessment is complete. Do not reuse integration credentials across multiple applications.Use these paths if the PowerShell script is not permitted in your environment.
| File | Export Path in NetSuite | Notes |
|---|---|---|
users.csv | Setup → Users/Roles → Manage Users → Export | Include all active and inactive users |
role_assignments.csv | Setup → Users/Roles → View Roles → select each role → Members tab; or SuiteQL query | Requires Administrator role |
login_audit.csv | Setup → Accounting → Accounting Preferences → Login Audit Trail tab | Enable Login Audit Trail first if not active |
accounting_periods.csv | Setup → Accounting → Manage Accounting Periods → Export to CSV | Include all period types |
journal_entries.csv | Reports → Accounting → General Ledger → customize last 90 days → Export | Include CreatedBy and ApprovedBy columns |
vendors.csv | Lists → Relationships → Vendors → Export to CSV | Include bank account and modification fields |
payments.csv | Transactions → Payables → Pay Bills → search & Export | Filter last 90 days; include ApprovedBy |
integration_tokens.csv | Setup → Integrations → Manage Authentication → Token-Based Authentication | No native export — copy to CSV template |
saved_searches.csv | Reports → Saved Searches → All Saved Searches → Export | Include Public/Private flag |
account_preferences.csv | Setup → Company → General Preferences → manual transcription | Use provided CSV template |
- 1Log in to AuditCore and click New Audit.
- 2Enter an audit name (e.g. "Acme NetSuite — Q1 2026 Assessment") and select Oracle NetSuite.
- 3Switch to the Bulk Upload tab and drag in the
C:\AuditCore\NetSuite\folder or all 20 CSV files. - 4Verify the Match Summary shows files matched (green), then click Run Assessment.
- 5Results appear within 2 minutes — full findings, risk score, remediation guidance, and DOCX/PDF report export.
| Issue | Likely Cause | Resolution |
|---|---|---|
| "Invalid login attempt" on SuiteQL | TBA not enabled or wrong Account ID | Setup → Company → Enable Features → SuiteCloud → Token-Based Authentication. Confirm Account ID (not company name). |
| "You do not have permission" | TBA user role lacks SuiteQL access | Assign the Administrator or Full Access role to the TBA user |
| Empty users.csv | REST endpoint or Account ID incorrect | Verify Account ID format: numeric (e.g. 1234567) — found at Setup → Company → Company Information |
| login_audit.csv empty | Login Audit Trail not enabled | Setup → Accounting → Accounting Preferences → Login Audit Trail tab → Enable |
| Script returns 401 / signature error | OAuth 1.0a HMAC-SHA256 clock skew | Ensure your machine clock is accurate (OAuth signatures are time-sensitive, max 5 min drift). Sync via: w32tm /resync |
| SuiteQL returns 0 rows on audit tables | Insufficient role permissions | Administrator role required for SystemNotes and LoginAuditTrail tables |
| vendors.csv missing bank accounts | Banking permission not in role | Administrator or custom role with Transactions → Banking → Full permission required |