There are two main approaches when building application security in NetSuite. The first is the top-down or proactive approach described in detail in this white paper. It starts by defining security requirements up front during the analysis and configuration phase. The second is the bottom-up or reactive approach, which starts with developing NetSuite security roles as a subsequent step after business processes have been defined and set up in the new system.
Organizations choosing the latter approach do not address security risks or compliance requirements during the initial design of their NetSuite systems. Instead, they assess security risks and requirements after security has been built into the system. This method may appear to be more efficient in the shorter term, but it tends to be more time-consuming over the long term.