> ## Documentation Index
> Fetch the complete documentation index at: https://www.c1.ai/docs/llms.txt
> Use this file to discover all available pages before exploring further.
# Set up an Oracle NetSuite connector
> C1 provides identity governance for Oracle NetSuite. Integrate your Oracle NetSuite instance with C1 to run user access reviews (UARs) and enable just-in-time access requests.
## Capabilities
| Resource | Sync | Provision |
| :------- | :------------------------------------------------------------ | :------------------------------------------------------------ |
| Accounts | | |
| Roles | | |
The NetSuite connector supports [automatic account provisioning](/product/admin/account-provisioning).
This connector does not support account deprovisioning. You must deprovision accounts directly in NetSuite.
**Administrator roles cannot be granted or revoked via the connector.** NetSuite's API does not allow modifications to employee records that have the Administrator role assigned, regardless of the permissions granted to the integration. Attempting to grant or revoke the Administrator role through C1 will result in an error. To assign or remove the Administrator role, make the change directly in NetSuite.
## Gather NetSuite credentials
Configuring the connector requires you to pass in credentials generated in NetSuite. Gather these credentials before you move on.
A user with an **Administrator** role in NetSuite must perform this task.
**Before you begin:** Make sure you have enabled the following features for your NetSuite instance:
* Token-Based Authentication
* REST Web Services
* Suite Analytics Workbook
You'll find directions for enabling features in the [NetSuite documentation](https://docs.oracle.com/en/cloud/saas/netsuite/ns-online-help/chapter_N232138.html#Enabling-Features).
### Locate your NetSuite Account ID
In NetSuite, navigate to **Setup** > **Company** > **Company Information**.
Find the **ACCOUNT ID** field on the page. Make a note of your account ID. We'll use it in Step 5.
### Generate a consumer key and consumer secret
In NetSuite, navigate to **Setup** > **Integrations** > **Manage Integrations**. Click **New** to create a new integration.
Give the new integration a name, such as "C1".
Check the box for **TOKEN-BASED AUTHENTICATION**.
Make sure **OAuth 2.0 Authorization Code Grant** is unchecked on the Authentication tab. NetSuite may enable this by default, which requires a Redirect URI that is not needed for the C1 connector. The C1 NetSuite connector uses Token-Based Authentication only.
Click **Save**. The new integration is created, and its consumer key and consumer secret are shown.
Make a careful note of these credentials (they won't be shown again).
### Create a NetSuite role and add it to a user
Still in NetSuite, navigate to **Setup** > **Users/Roles** > **Manage Roles**. Click **New** to create a new role.
Give the new role a name, such as "C1 integration".
Assign the following permissions to the role:
* Setup - REST Web Services
* Setup - Log in using Access Tokens
* Setup - Bulk Manage Roles
* Reports- Suite Analytics Workbook
* Lists - Employee Record
* Lists - Employees
**Why are these permissions needed?** The integration uses these permissions to read and query SuiteQL tables containing information on roles and employees.
Click **Save**.
Next, assign the new role to a user. You might want to create a new user for this purpose rather than assigning the role to an existing user. Navigate to **Lists** > **Employees** > **Employees**, then search for the employee by email.
Click **Edit** next to the name of the employee you want to assign a role to.
Click the **Access** subtab.
In the **Role** field, select a role for this employee.
Click **Add**.
Click **Save**.
### Generate a token key and token secret
In NetSuite, navigate to **Setup** > **Users/Roles** > **Access Tokens**. Click **New** to create a new token.
Select the application (integration), role, and user you created in the previous steps, and give the token a name.
Click **Save**. The new token is created, and its key and secret are shown.
Make a careful note of these credentials (they won't be shown again).
**Done.** Next, move on to the connector configuration instructions.
## Configure the NetSuite connector
To complete this task, you'll need:
* The **Connector Administrator** or **Super Administrator** role in C1
* Access to the set of NetSuite credentials generated by following the instructions above
**Follow these instructions to use a built-in, no-code connector hosted by C1.**
In C1, navigate to **Integrations** > **Connectors** and click **Add connector**.
Search for **NetSuite** and click **Add**.
Choose how to set up the new NetSuite connector:
* Add the connector to a currently unmanaged app (select from the list of apps that were discovered in your identity, SSO, or federation provider that aren't yet managed with C1)
* Add the connector to a managed app (select from the list of existing managed apps)
* Create a new managed app
Set the owner for this connector. You can manage the connector yourself, or choose someone else from the list of C1 users. Setting multiple owners is allowed.
If you choose someone else, C1 will notify the new connector owner by email that their help is needed to complete the setup process.
Click **Next**.
Find the **Settings** area of the page and click **Edit**.
In the **Account ID** field, enter the NetSuite domain.
In the **Consumer key** and **Consumer secret** fields, enter the credentials you generated.
In the **Token key** and **Token secret** fields, enter the credentials you generated.
(Optional) In the **Custom Employee Fields** field, enter a comma-separated list of custom employee field IDs to include in the sync (e.g. `custentity_zone,custentity_cost_center`). See [Custom Fields](#custom-fields) for details.
Click **Save**.
The connector's label changes to **Syncing**, followed by **Connected**. You can view the logs to ensure that information is syncing.
**Done.** Your NetSuite connector is now pulling access data into C1.
**Follow these instructions to use the NetSuite connector, hosted and run in your own environment.**
When running in service mode on Kubernetes, a self-hosted connector maintains an ongoing connection with C1, automatically syncing and uploading data at regular intervals. This data is immediately available in the C1 UI for access reviews and access requests.
### Resources
* [Official download center](https://dist.conductorone.com/ConductorOne/baton-netsuite): For stable binaries (Windows/Linux/macOS) and container images.
### Step 1: Set up a new NetSuite connector
In C1, navigate to **Integrations** > **Connectors** > **Add connector**.
Search for **Baton** and click **Add**.
Choose how to set up the new NetSuite connector:
* Add the connector to a currently unmanaged app (select from the list of apps that were discovered in your identity, SSO, or federation provider that aren't yet managed with C1)
* Add the connector to a managed app (select from the list of existing managed apps)
* Create a new managed app
Set the owner for this connector. You can manage the connector yourself, or choose someone else from the list of C1 users. Setting multiple owners is allowed.
If you choose someone else, C1 will notify the new connector owner by email that their help is needed to complete the setup process.
Click **Next**.
In the **Settings** area of the page, click **Edit**.
Click **Rotate** to generate a new Client ID and Secret.
Carefully copy and save these credentials. We'll use them in Step 2.
### Step 2: Create Kubernetes configuration files
Create two Kubernetes manifest files for your NetSuite connector deployment:
#### Secrets configuration
```yaml expandable theme={"theme":{"light":"css-variables","dark":"css-variables"}}
# baton-netsuite-secrets.yaml
apiVersion: v1
kind: Secret
metadata:
name: baton-netsuite-secrets
type: Opaque
stringData:
# C1 credentials
BATON_CLIENT_ID:
BATON_CLIENT_SECRET:
# NetSuite credentials
BATON_ACCOUNT_ID:
BATON_CONSUMER_KEY:
BATON_CONSUMER_SECRET:
BATON_TOKEN_KEY:
BATON_TOKEN_SECRET:
# Optional: comma-separated custom employee field IDs
# BATON_CUSTOM_EMPLOYEE_FIELDS: custentity_zone,custentity_cost_center
# Optional: include if you want C1 to provision access using this connector
BATON_PROVISIONING: true
```
See the connector's README or run `--help` to see all available configuration flags and environment variables.
#### Deployment configuration
```yaml expandable theme={"theme":{"light":"css-variables","dark":"css-variables"}}
# baton-netsuite.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: baton-netsuite
labels:
app: baton-netsuite
spec:
selector:
matchLabels:
app: baton-netsuite
template:
metadata:
labels:
app: baton-netsuite
baton: true
baton-app: netsuite
spec:
containers:
- name: baton-netsuite
image: ghcr.io/conductorone/baton-netsuite:latest
imagePullPolicy: IfNotPresent
env:
- name: BATON_HOST_ID
value: baton-netsuite
envFrom:
- secretRef:
name: baton-netsuite-secrets
```
### Step 3: Deploy the connector
Create a namespace in which to run C1 connectors (if desired), then apply the secret config and deployment config files.
Check that the connector data uploaded correctly. In C1, click **Apps**. On the **Managed apps** tab, locate and click the name of the application you added the NetSuite connector to. NetSuite data should be found on the **Entitlements** and **Accounts** tabs.
**Done.** Your NetSuite connector is now pulling access data into C1.
## Custom Fields
The NetSuite connector supports syncing custom employee fields. Custom field values are added to the user profile attributes in C1, making them available for access reviews and reporting.
### Finding custom field IDs
Custom field IDs can be found in NetSuite under **Customization** > **Lists, Records, & Fields** > **Entity Fields**. The field ID is shown in the **ID** column (e.g. `custentity_zone`).
### Permissions for custom fields
Each custom field in NetSuite has its own field-level access controls, separate from the base employee record permissions. The connector's role must have at least **View-level access** to each custom field being synced.
Field access is configured per-field in NetSuite:
1. Navigate to **Customization** > **Lists, Records, & Fields** > **Entity Fields**.
2. Click on the custom field.
3. Go to the **Access** subtab.
4. Ensure the connector's role has **View**, **Run**, or **Edit** access.
The connector validates access to each custom field at startup. If a field is not accessible, the connector will report a clear error message indicating which field could not be accessed.