Oracle NetSuite

Connector name

agtnetsuite

Connector type

Python script, agtnetsuite.py, and a scripted platform definition file, agtnetsuite.con, that associates the script with the Python connector (agtpython) to access Oracle NetSuite.

Type (UI field value)

Oracle NetSuite

Connector status / support

Bravura Security-Verified

This connector has been tested and is fully supported by Bravura Security.

Installation / setup

The NetSuite connector includes an agtnetsuite_requirements.txt file used to install the connector's Python requirements. To install the Python packages required by the agtnetsuite connector, run the following command from a command prompt in the agent directory:

py -m pip install -r agtnetsuite_requirements.txt

Bravura Security Fabric utilizes the agtpython connector to manage Oracle NetSuite employee accounts, roles, and related identity data. This connector uses NetSuite's REST API with OAuth 2.0 authentication for all operations.

The following Bravura Security Fabric operations are supported by the Oracle NetSuite connector:

  • get server information

  • list accounts

  • list attributes

  • list groups

  • list members

  • list account attributes

  • user change password

  • administrator reset password

  • check account enabled

  • enable account

  • disable account

  • create account

  • delete account

  • update attributes

  • rename account

For a full list and explanation of each connector operation, see connector operations.

Preparation

Before you can target Oracle NetSuite, you must:

  1. Set up NetSuite OAuth 2.0 authentication

  2. Install Python dependencies

  3. Configure the target system in Bravura Security Fabric

Set up NetSuite OAuth 2.0 authentication

Create an integration record

You must create an integration record in NetSuite to enable OAuth 2.0 authentication:

  1. Navigate to Setup > Integration > Manage Integrations > New.

  2. Configure the integration:

    • Name: Bravura Security Fabric Integration

    • State: Enabled

    • OAuth 2.0: Checked

    • Authorization Code Grant: Unchecked

    • Client Credentials Grant: Checked

    • Scope: Select REST WEB SERVICES

  3. Save and note the Client ID and Client Secret.

Create service account

Create a dedicated service account in NetSuite with appropriate permissions:

  1. Navigate to Lists > Employees > Employees > New.

  2. Configure the employee:

    • Name: Bravura Service Account

    • Email: bravura-service@<yourdomain.com>

    • Give Access: Checked

    • Role: Administrator

  3. Save the employee record.

Generate and upload OAuth certificates

Generate a public/private key pair for OAuth 2.0 authentication:

Option 1: Standard RSA Certificate (Recommended)

# Generate private key
openssl genrsa -out netsuite_private.pem 4096

# Generate public certificate (valid for 1 year)
openssl req -new -x509 -key netsuite_private.pem -out netsuite_public.pem -days 365

Option 2: RSA Certificate with PSS Padding

# Generate private key and certificate in one command with PSS padding (valid for 1 year)
openssl req -new -x509 -newkey rsa:4096 -keyout netsuite_private.pem \
  -sigopt rsa_padding_mode:pss -sha256 -sigopt rsa_pss_saltlen:64 \
  -out netsuite_public.pem -nodes -days 365

Note

Both options work with NetSuite and create certificates valid for 1 year (365 days). Option 1 is simpler and uses standard RSA signatures. Option 2 uses PSS (Probabilistic Signature Scheme) padding, which provides additional security properties. Choose the option that matches your organization's security requirements.

Upload the certificate to NetSuite:

  1. In NetSuite, navigate to Setup > Integration > OAuth 2.0 Client Credentials (M2M) Setup.

  2. Click Create New.

  3. Configure the OAuth 2.0 Client Credentials:

    • APPLICATION: Select your integration (Bravura Security Fabric Integration).

    • ENTITY (USER): Select the service account (Bravura Service Account).

    • ROLE: Select the role assigned to the service account (Administrator).

    • CERTIFICATE: Click Choose File and upload netsuite_public.pem.

  4. Click Save.

  5. Note the CERTIFICATE ID that NetSuite assigns (displayed in the list after saving).

Important

Keep the private key file (netsuite_private.pem) secure and accessible to Bravura Security Fabric. You will need to specify its full path in the Bravura address attributes.

Targeting Oracle NetSuite

For each NetSuite system, add a target system in Bravura Security Fabric (Manage the system > Resources > Target systems):

Type is Oracle NetSuite

In the Type dropdown menu, Oracle NetSuite is located under the Customer Relationship Management Systems category.

Address uses options described in the table below:

| Option | Description |
| --- | --- |
| URL | The NetSuite API server URL (e.g., suitetalk.api.netsuite.com) |
| Account ID | NetSuite account ID (e.g., 3456789_sb2 for sandbox, 3456789 for production). The account ID is case-sensitive and must match NetSuite's format exactly. |
| Client ID | OAuth 2.0 client ID from the NetSuite integration record (Consumer Key) |
| Certificate ID | Certificate ID assigned by NetSuite when you upload the public certificate |
| Private key | Full path to the private key file (e.g., C:\Program Files\Bravura Security\Bravura Security Fabric\certs\netsuite_private_key.pem) |
| Signature Algorithm | JWT signature algorithm (e.g., PS256 for RSA, ES256 for ECDSA). This field is located in the Advanced section of the target configuration. |

The full list of target system parameters is explained in Target System Options.

Setting the administrator credentials

The NetSuite connector uses OAuth 2.0 with JWT bearer tokens for authentication. No traditional username/password credentials are required. The connector will automatically obtain and refresh access tokens using the configured address attributes (Client ID, Certificate ID, and Private Key).

Required: You must configure placeholder credentials to prevent warning messages:

  1. Navigate to the Credentials tab

  2. Set Administrator ID to: oauth

  3. Set Password to: not-used

These placeholder credentials are not validated or used by the connector, but are required to prevent warning messages about missing credentials. All authentication is handled through OAuth 2.0 using the address attributes configured above.

Handling account attributes

You can view the complete list of attributes that Bravura Security Fabric can manage, including native and pseudo-attributes, using the Manage the system (PSA) module. To do this, select Oracle NetSuite from the Manage the system > Resources > Account attributes > Target system type menu.

The following NetSuite attributes are automatically loaded and mapped to profile attributes by the connector:

  • First name (firstname)

  • Last name (lastname)

  • Email (email)

Additional supported NetSuite attributes that can be managed by Bravura Security Fabric:

| Bravura Attribute | NetSuite Field | Type | Description |
| --- | --- | --- | --- |
| id | id | String | Employee internal ID (primary key) |
| email | email | String | Employee email address |
| entityid | entityId | String | Employee entity ID (username) |
| externalid | externalId | String | External system ID |
| firstname | firstName | String | First name |
| giveaccess | giveAccess | Boolean | Access enabled flag |
| isinactive | isInactive | Boolean | Inactive status flag |
| lastname | lastName | String | Last name |
| middlename | middleName | String | Middle name |
| supervisor | supervisor | String | Supervisor employee ID |
| title | title | String | Job title |
| department | department.name | String | Department name |
| subsidiary | subsidiary.name | String | Subsidiary name |

Template accounts

Bravura Security Fabric uses template accounts as models or "blueprints" for creating new accounts in NetSuite. Template accounts define default settings and role assignments that will be copied to newly created accounts.

To create a template account:

  1. In NetSuite, navigate to Lists > Employees > Employees > New.

  2. Create an employee record with the desired default attributes.

  3. Configure the employee with standard role assignments.

    Important

    • The template account must have at least one role assigned.

    • The template account must be active (not marked as inactive).

  4. Save the employee record.

Account creation process

When Bravura Security Fabric creates a new account:

  1. Required Attributes: The following attributes must be provided:

    • Email: Employee email address (used as the account identifier)

    • First name: Employee first name

    • Last name: Employee last name

    • Subsidiary: The NetSuite subsidiary the employee belongs to

    • Password: Initial password for the account

  2. Optional Attributes: Additional attributes can be specified:

    • Middle name

    • Job title

    • Department

    • Supervisor

    • External ID

  3. Role Assignment:

    • The connector automatically copies all role assignments from the template account

    • The new account will have the same roles as the template

    • The template account must have at least one role assigned

  4. Duplicate Prevention: The connector checks if an account with the same email address already exists before creating a new account

  5. Account Identifiers: After creation, the account is assigned:

    • Internal ID: NetSuite's internal employee ID (used as stable ID and long ID)

    • Email: Used as the short ID in Bravura Security Fabric

    • Entity ID: Auto-generated by NetSuite (read-only)

Troubleshooting

Authentication failures

Symptom: "Could not obtain a token" or "Failed to get token" error

Causes:

  • Invalid certificate ID or client ID

  • Private key doesn't match public certificate

  • Integration record not enabled

  • Incorrect signature algorithm

  • Time synchronization issue: The time between the NetSuite server and Bravura Security Fabric server may be out of sync

Resolution:

  • Verify server time synchronization (ensure both servers have accurate system time)

  • Verify certificate ID and client ID are correct

  • Ensure the certificate and private key are a matching pair

  • Ensure integration record is enabled in NetSuite

  • See the Token troubleshooting section below for additional steps

Missing dependencies

Symptom: "Failed to import a required module" error

Causes: PyJWT or requests library not installed

Resolution: From the agent directory, run py -m pip install -r agtnetsuite_requirements.txt

Permission errors

Symptom: HTTP 403 Forbidden errors

Causes: Service account lacks required permissions

Resolution: Verify service account has Administrator role or custom role with REST API permissions

Account creation failures

Symptom: "Cannot create account" error

Causes:

  • Template account is inactive

  • Template account has no roles assigned

  • Password requirements not met

  • Required attributes missing

Resolution:

  • Ensure the template account is active (not marked as inactive)

  • Verify the template account has at least one role assigned

  • Check that the template account ID is correctly configured in Bravura Security Fabric target settings

  • Ensure password meets NetSuite requirements (complexity, length, etc.)

  • Verify all required attributes are provided (email, first name, last name, subsidiary, password)

Token troubleshooting

If you encounter authentication issues, verify the following:

  1. Certificate Configuration:

    • Public certificate uploaded to NetSuite integration record

    • Private key file accessible to Bravura Security Fabric

    • Certificate and key are a matching pair

    • Certificate ID matches the ID assigned by NetSuite

  2. Integration Record:

    • Integration is enabled

    • OAuth 2.0 is checked

    • Client Credentials Grant is checked

    • Scope includes REST WEB SERVICES

  3. Address Attributes:

    • Client ID is correct (matches integration record)

    • Certificate ID is correct (matches NetSuite-assigned ID)

    • Private key path is correct and file is accessible

    • Account ID format is correct (case-sensitive)

    • Signature algorithm matches key type (PS* for RSA, ES* for ECDSA)

  4. Service Account:

    • Account has "Give Access" enabled

    • Account has appropriate role permissions

    • Account is not inactive

  5. Network Connectivity:

    • Bravura Security Fabric can reach NetSuite API endpoint

    • No firewall blocking HTTPS traffic

    • DNS resolution working correctly

  6. Time Synchronization:

    • Ensure both servers have accurate system time synchronized via NTP

    • JWT tokens include timestamps and may be rejected if time is significantly out of sync
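
The matching-pair and key-type checks named in the Authentication failures and Token troubleshooting lists can be run with OpenSSL before the target is configured. The following is an added example, not part of the connector or of Bravura Security's tooling; the function names and return codes are hypothetical, the expiry check goes beyond the lists above, and the file names are those from the key-generation step.

```shell
#!/bin/sh
# Added example (not shipped with the connector). Function names and
# return codes are hypothetical; file names follow the key-generation step.

# check_netsuite_keypair CERT KEY [MIN_DAYS]
# Returns 0 = usable, 1 = file unreadable or key passphrase-protected,
#         2 = certificate and key do not match,
#         3 = certificate expires within MIN_DAYS (default 30).
check_netsuite_keypair() {
    cert=$1; key=$2; min_days=${3:-30}

    # Public key inside the certificate that was uploaded to NetSuite.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
    # Public key derived from the private key the connector signs with.
    # "-passin pass:" makes an encrypted key fail instead of prompting.
    key_pub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null) || return 1

    [ "$cert_pub" = "$key_pub" ] || return 2

    # -checkend N exits non-zero when the certificate expires within N seconds.
    openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) \
        >/dev/null 2>&1 || return 3
    return 0
}

# netsuite_alg_family CERT
# Prints the JWT algorithm family this page pairs with the key type:
# PS for RSA keys, ES for ECDSA keys. Returns 1 for anything else.
netsuite_alg_family() {
    algo=$(openssl x509 -in "$1" -noout -text 2>/dev/null |
        sed -n 's/^ *Public Key Algorithm: *\([^ ]*\).*/\1/p' | head -n 1)
    case $algo in
        rsaEncryption)  echo PS ;;
        id-ecPublicKey) echo ES ;;
        *)              return 1 ;;
    esac
}

# Run against the files named on this page when they are in the current directory.
if [ -f netsuite_public.pem ] && [ -f netsuite_private.pem ]; then
    check_netsuite_keypair netsuite_public.pem netsuite_private.pem
    echo "key pair check: $? (0 = usable)"
    echo "signature algorithm family: $(netsuite_alg_family netsuite_public.pem)*"
fi
```

Return code 3 is worth scheduling as a recurring check, since both key-generation options above issue certificates valid for 365 days and token requests will start failing once the certificate lapses.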

Document Version: 1.0

Last Updated: February 11, 2026

Connector Version: 1.0 (custom)

Tested with NetSuite: 2025.2 (Edition: United States)

Tested with Bravura Security Fabric: 12.9.1.41114

Note: Steps and menu locations may vary depending on your NetSuite version and edition.