# NetSuite

> Learn how to connect your NetSuite instance with Opal to manage and review access.

Opal natively supports an integration with NetSuite. This integration enables organizations to manage access to NetSuite roles.

<Note>
  Opal cannot modify Administrator roles due to NetSuite API limitations.
</Note>

## Supported resources and functionality

| Resource       | Read | Grant and revoke access | Available in Risk Center |
| -------------- | ---- | ----------------------- | ------------------------ |
| NetSuite Roles | ✔️   | ✔️                      | ✔️                       |

Opal syncs all active NetSuite roles and employees who have login access enabled (`Give Access = true`).

## Getting Started

In Opal, go to the **Inventory**, select the **+App** icon, and select **NetSuite**.

## 1. Generate a key pair

The NetSuite integration uses OAuth 2.0 Client Credentials (machine-to-machine) with a certificate-based JWT. You need to generate a key pair and register the public certificate in NetSuite.

Run the following commands to generate an EC key pair (ES256):

```bash
openssl ecparam -name prime256v1 -genkey -noout -out private_key.pem
openssl req -new -x509 -key private_key.pem -out certificate.pem -days 730 -subj "/CN=OpalIntegration"
```

Keep `private_key.pem` secret: it is the credential you will upload to Opal in step 6. You will upload `certificate.pem` to NetSuite in step 3.

## 2. Create a NetSuite integration record

1. In NetSuite, go to **Setup > Integration > Manage Integrations > New**.
2. Fill in the following settings:

| Setting                                       | Value     |
| --------------------------------------------- | --------- |
| Name                                          | `Opal`    |
| State                                         | Enabled   |
| Client Credentials (Machine to Machine) Grant | Checked   |
| Token-Based Authentication                    | Unchecked |
| Authorization Code Grant                      | Unchecked |

3. Save the record. Copy the **Client ID** — you will need it later.

## 3. Upload the certificate

1. Still in NetSuite, go to **Setup > Integration > OAuth 2.0 Client Credentials (M2M) Setup**.
2. Set **Entity** to the service account user or role that Opal will authenticate as.
3. Upload the `certificate.pem` file you generated in step 1.
4. Save the record. Copy the **Certificate ID** — you will need it later.

## 4. Create the Opal Integration role

Create a dedicated NetSuite role with the minimum permissions required by Opal.

1. Go to **Setup > Users/Roles > Manage Roles > New**.
2. Set the **Name** to `Opal Integration`.
3. Under the **Permissions** tab, add the following permissions and save the role:

**Setup**

| Permission                           | Level |
| ------------------------------------ | ----- |
| Access Token Management              | Full  |
| Bulk Manage Roles                    | Full  |
| Log in using Access Tokens           | Full  |
| Log in using OAuth 2.0 Access Tokens | Full  |
| REST Web Services                    | Full  |
| Records Catalog                      | View  |
| User Access Tokens                   | Full  |

**Lists**

| Permission      | Level |
| --------------- | ----- |
| Employee Record | View  |
| Employees       | View  |

**Reports**

| Permission              | Level |
| ----------------------- | ----- |
| SuiteAnalytics Workbook | View  |

## 5. Assign the role to the integration certificate

1. Go to **Setup > Users/Roles > Manage Roles** and open the **Opal Integration** role.
2. Under the **Users** subtab, add the employee or service account that owns the certificate created in step 3.

Alternatively, assign the role directly on the employee record: **Lists > Employees**, open the employee, go to the **Access** subtab, and add the **Opal Integration** role.

## 6. Connect NetSuite in Opal

Back in the Opal New App form, fill in the following fields:

| Field          | Value                                                                  |
| -------------- | ---------------------------------------------------------------------- |
| Account ID     | Your NetSuite account ID (e.g. `1234567` or `1234567_SB1` for sandbox) |
| Client ID      | The Client ID from the integration record created in step 2            |
| Certificate ID | The Certificate ID from step 3                                         |
| Private Key    | Upload the `private_key.pem` file generated in step 1                  |

Click **Connect**. Opal will validate the credentials and verify the **Opal Integration** role has the required permissions. Any missing permissions appear in the **App Validations** section of the app's **Setup** tab.
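To show what the pieces collected in steps 1, 2, 3 and 6 are used for, here is an added example (not Opal's or NetSuite's code) that builds the ES256 JWT client assertion an OAuth 2.0 client-credentials (M2M) client presents to NetSuite, and verifies it locally against the certificate uploaded in step 3. It reuses the page's two `openssl` commands for key generation and delegates signing to the `openssl` binary, so only the Python standard library is needed. The header `kid` carries the Certificate ID and the `iss` claim carries the Client ID; the token endpoint URL layout, the `aud` value and the `scope` name are my assumptions about NetSuite's flow and are marked as such in the code, as are the placeholder ids.

```python
"""Build and locally verify the ES256 client assertion for NetSuite's OAuth 2.0
client-credentials (M2M) flow. Added example, not Opal's or NetSuite's code.
ASSUMPTIONS: token endpoint URL layout, `aud` and `scope` values, placeholder ids."""
import base64
import json
import subprocess
import tempfile
import time
from pathlib import Path
from typing import Optional


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def der_to_raw(der: bytes, width: int = 32) -> bytes:
    """openssl emits DER SEQUENCE{INTEGER r, INTEGER s}; JWS ES256 wants r||s (64 bytes)."""
    assert der[0] == 0x30, "not a DER SEQUENCE"
    pos, parts = 2, []
    for _ in range(2):
        assert der[pos] == 0x02, "expected INTEGER"
        length = der[pos + 1]
        value = der[pos + 2:pos + 2 + length]
        parts.append(int.from_bytes(value, "big").to_bytes(width, "big"))
        pos += 2 + length
    return b"".join(parts)


def raw_to_der(raw: bytes) -> bytes:
    """Inverse of der_to_raw so openssl can verify a JWS signature."""
    def integer(b: bytes) -> bytes:
        b = b.lstrip(b"\x00") or b"\x00"
        if b[0] & 0x80:  # keep the INTEGER positive
            b = b"\x00" + b
        return b"\x02" + bytes([len(b)]) + b
    half = len(raw) // 2
    body = integer(raw[:half]) + integer(raw[half:])
    return b"\x30" + bytes([len(body)]) + body


def openssl(*args: str, stdin: bytes = b"") -> bytes:
    return subprocess.run(["openssl", *args], input=stdin, check=True, capture_output=True).stdout


def generate_keypair(workdir: Path):
    """Same commands as step 1 of the page: P-256 key and self-signed certificate."""
    key, cert = workdir / "private_key.pem", workdir / "certificate.pem"
    openssl("ecparam", "-name", "prime256v1", "-genkey", "-noout", "-out", str(key))
    openssl("req", "-new", "-x509", "-key", str(key), "-out", str(cert),
            "-days", "730", "-subj", "/CN=OpalIntegration")
    key.chmod(0o600)  # the private key is the credential; restrict it on disk
    return key, cert


def token_endpoint(account_id: str) -> str:
    """ASSUMPTION: NetSuite M2M token URL; sandbox ids like 1234567_SB1 become 1234567-sb1."""
    host = account_id.lower().replace("_", "-")
    return f"https://{host}.suitetalk.api.netsuite.com/services/rest/auth/oauth2/v1/token"


def build_client_assertion(key: Path, client_id: str, certificate_id: str, account_id: str,
                           lifetime: int = 300, now: Optional[int] = None) -> str:
    now = int(time.time()) if now is None else now
    header = {"alg": "ES256", "typ": "JWT", "kid": certificate_id}  # kid = Certificate ID (step 3)
    claims = {"iss": client_id,                 # Client ID from the integration record (step 2)
              "scope": ["rest_webservices"],    # ASSUMPTION: scope name
              "aud": token_endpoint(account_id),
              "iat": now, "exp": now + lifetime}  # short-lived; each assertion is single-use
    compact = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{compact(header)}.{compact(claims)}"
    der_sig = openssl("dgst", "-sha256", "-sign", str(key), stdin=signing_input.encode())
    return f"{signing_input}.{b64url(der_to_raw(der_sig))}"


def verify_client_assertion(jwt: str, cert: Path, now: Optional[int] = None) -> dict:
    """Verify with the certificate's public key; reject wrong alg and expired assertions."""
    head_b64, claims_b64, sig_b64 = jwt.split(".")
    with tempfile.TemporaryDirectory() as tmp:
        pub, sig = Path(tmp) / "pub.pem", Path(tmp) / "sig.der"
        pub.write_bytes(openssl("x509", "-in", str(cert), "-pubkey", "-noout"))
        sig.write_bytes(raw_to_der(b64url_decode(sig_b64)))
        result = subprocess.run(["openssl", "dgst", "-sha256", "-verify", str(pub),
                                 "-signature", str(sig)],
                                input=f"{head_b64}.{claims_b64}".encode(), capture_output=True)
    if result.returncode != 0:
        raise ValueError("signature check failed")
    if json.loads(b64url_decode(head_b64)).get("alg") != "ES256":
        raise ValueError("unexpected alg")
    claims = json.loads(b64url_decode(claims_b64))
    now = int(time.time()) if now is None else now
    if not claims["iat"] <= now < claims["exp"]:
        raise ValueError("assertion expired or not yet valid")
    return claims


def demo() -> dict:
    """Round trip on a fresh key pair with constructed placeholder ids (not real values)."""
    with tempfile.TemporaryDirectory() as tmp:
        key, cert = generate_keypair(Path(tmp))
        jwt = build_client_assertion(key, "CLIENT_ID_PLACEHOLDER", "CERT_ID_PLACEHOLDER",
                                     "1234567_SB1", now=1_700_000_000)
        claims = verify_client_assertion(jwt, cert, now=1_700_000_100)
        h, p, s = jwt.split(".")  # flip one payload character: signature must fail
        tampered = ".".join([h, p[:-1] + ("A" if p[-1] != "A" else "B"), s])
        try:
            verify_client_assertion(tampered, cert, now=1_700_000_100)
            tamper_detected = False
        except ValueError:
            tamper_detected = True
    return {"claims": claims, "tamper_detected": tamper_detected}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The assertion is sent as `client_assertion` in the `grant_type=client_credentials` token request; the short `exp` and the `aud` pinned to the token endpoint limit what a captured assertion is good for, which is why the private key, not the assertion, is the secret to protect.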
