Opal natively supports an integration with NetSuite. This integration enables organizations to manage access to NetSuite roles.
Opal cannot modify Administrator roles due to NetSuite API limitations.
Supported resources and functionality
| Resource | Read | Grant and revoke access | Available in Risk Center |
|---|---|---|---|
| NetSuite Roles | ✔️ | ✔️ | ✔️ |
Opal syncs all active NetSuite roles and employees who have login access enabled (Give Access = true).
Getting Started
In Opal, go to the Inventory, select the +App icon, and select NetSuite.
1. Generate a key pair
The NetSuite integration uses OAuth 2.0 Client Credentials (machine-to-machine) with a certificate-based JWT. You need to generate a key pair and register the public certificate in NetSuite.
Run the following commands to generate an EC key pair (ES256):
openssl ecparam -name prime256v1 -genkey -noout -out private_key.pem
openssl req -new -x509 -key private_key.pem -out certificate.pem -days 730 -subj "/CN=OpalIntegration"
Keep private_key.pem — you will upload it to Opal. You will upload certificate.pem to NetSuite in the next step.
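Before uploading either file, you can check the key pair locally. The script below is an added example, not part of Opal's or NetSuite's documentation; the function name `check_opal_keypair` and the default 30-day expiry floor are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: pre-upload checks for the key pair generated in step 1.
# Usage: sh check_keypair.sh private_key.pem certificate.pem [min_days]
# Returns 0 only if every check passes; prints one line per failed check.
check_opal_keypair() {
    key=$1; cert=$2; min_days=${3:-30}; rc=0

    # 1. The private key must not be accessible to group or other.
    perms=$(ls -ld "$key" | cut -c5-10)
    [ "$perms" = "------" ] \
        || { echo "FAIL: $key is accessible to group/other (chmod 600)"; rc=1; }

    # 2. The key must be on prime256v1 (P-256), the curve ES256 requires.
    openssl ec -in "$key" -noout -text 2>/dev/null | grep -q 'prime256v1' \
        || { echo "FAIL: $key is not a prime256v1 EC key"; rc=1; }

    # 3. The certificate must carry the public half of this private key,
    #    otherwise signatures made with the key will not verify against it.
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ] \
        || { echo "FAIL: $cert does not match $key"; rc=1; }

    # 4. The certificate must remain valid for at least min_days more days.
    openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null 2>&1 \
        || { echo "FAIL: $cert expires within $min_days days"; rc=1; }

    return $rc
}

# Run the checks when the script is called with file arguments.
if [ "$#" -ge 2 ]; then
    check_opal_keypair "$@"
fi
```

Running the step 1 commands under `umask 077` creates `private_key.pem` with owner-only permissions, which satisfies the first check.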
2. Create a NetSuite integration record
- In NetSuite, go to Setup > Integration > Manage Integrations > New.
- Fill in the following settings:
| Setting | Value |
|---|---|
| Name | Opal |
| State | Enabled |
| Client Credentials (Machine to Machine) Grant | Checked |
| Token-Based Authentication | Unchecked |
| Authorization Code Grant | Unchecked |
- Save the record. Copy the Client ID — you will need it later.
3. Upload the certificate
- Still in NetSuite, go to Setup > Integration > OAuth 2.0 Client Credentials (M2M) Setup.
- Set Entity to the service account user or role that Opal will authenticate as.
- Upload the certificate.pem file you generated in step 1.
- Save the record. Copy the Certificate ID — you will need it later.
4. Create the Opal Integration role
Create a dedicated NetSuite role with the minimum permissions required by Opal.
- Go to Setup > Users/Roles > Manage Roles > New.
- Set the Name to Opal Integration.
- Under the Permissions tab, add the following permissions and save the role:
| Permission | Level |
|---|---|
| REST Web Services | Full |
| Records Catalog | View |
| Employee Record | View |
| Employees | View |
| Manage OAuth Tokens | Full |
| Log in using OAuth 2.0 | Full |
| Manage Own OAuth Tokens | Full |
5. Assign the role to the integration certificate
- Go to Setup > Users/Roles > Manage Roles and open the Opal Integration role.
- Under the Users subtab, add the employee or service account that owns the certificate created in step 3.
Alternatively, assign the role directly on the employee record: Lists > Employees, open the employee, go to the Access subtab, and add the Opal Integration role.
6. Connect NetSuite in Opal
Back in the Opal New App form, fill in the following fields:
| Field | Value |
|---|---|
| Account ID | Your NetSuite account ID (e.g. 1234567 or 1234567_SB1 for sandbox) |
| Client ID | The Client ID from the integration record created in step 2 |
| Certificate ID | The Certificate ID from step 3 |
| Private Key | Upload the private_key.pem file generated in step 1 |
Click Connect. Opal will validate the credentials and verify the Opal Integration role has the required permissions. Any missing permissions appear in the App Validations section of the app’s Setup tab.