mindzie NetSuite Setup Guide for Administrators

Overview

This guide walks a NetSuite administrator through the configuration required to give mindzie programmatic, read-only access to your NetSuite account so that mindzie can extract data for AI-driven process mining and analytics.

The setup uses NetSuite's standard Token Based Authentication (TBA) mechanism. No passwords are shared. mindzie receives a dedicated set of tokens that you create, scope, and can revoke at any time.

The whole process typically takes 15-30 minutes for an administrator who already has the required NetSuite permissions.

What mindzie Will Be Able to Do

The role you create for mindzie is read-only across the entire account. mindzie cannot create, update, or delete any records in NetSuite.

The role unlocks four programmatic access channels, all using the same token credentials:

Channel Purpose
REST Web Services Record-level reads and SuiteQL queries over HTTPS
SuiteAnalytics Connect ODBC/JDBC bulk extracts for historical data loads
SuiteAnalytics Connect - Read All Cross-subsidiary read for consolidated analytics
SuiteScript / RESTlets Calling custom endpoints if your team builds any

Authentication uses OAuth 1.0a TBA (the NetSuite-recommended pattern for server-to-server integrations). Basic auth and password-based access are not used.

Prerequisites

Before you start, confirm:

  • You have a NetSuite role with Administrator or equivalent permissions to create roles, users, integration records, and access tokens.
  • The SuiteCloud features required below are licensed on your account (Token Based Authentication, REST Web Services, SuiteAnalytics Connect). If any are missing, contact your NetSuite account manager before continuing.
  • You know your NetSuite Account ID (visible in the URL when you log in, e.g. 1234567 or 1234567_SB1 for sandbox).

Configuration Steps

Complete all five steps in order. Steps 1 and 2 only need to be done once per NetSuite account; if TBA and Integration features are already enabled, you can skip Step 1.

Step 1: Enable Required Features

  1. Go to Setup -> Company -> Enable Features.
  2. Open the SuiteCloud tab.
  3. Confirm the following are enabled (check the box and save if not):
    • Token-Based Authentication
    • REST Web Services
    • SuiteAnalytics Workbook
    • SuiteAnalytics Connect (under SuiteAnalytics)
    • Client SuiteScript and Server SuiteScript
  4. Accept the SuiteCloud terms of service if prompted.
  5. Click Save.

Step 2: Create the Integration Record

The integration record represents the mindzie application connecting to your NetSuite account. It produces the Consumer Key and Consumer Secret.

  1. Go to Setup -> Integration -> Manage Integrations -> New.
  2. Fill in:
    • Name: mindzie Studio
    • State: Enabled
    • Description: mindzie process mining integration - read only
  3. Under Authentication:
    • Check Token-Based Authentication.
    • Uncheck TBA: Authorization Flow (not needed for server-to-server).
    • Uncheck Authorization Code Grant (OAuth 2.0, not used here).
  4. Click Save.
  5. Important: NetSuite will display the Consumer Key / Client ID and Consumer Secret / Client Secret at the bottom of the screen only once. Copy both values immediately into a secure password manager. If you lose them you must reset and regenerate.

Step 3: Create the mindzie Role

This role is what controls what mindzie can see. It is read-only.

  1. Go to Setup -> Users/Roles -> Manage Roles -> New.

  2. Configure the General section:

    • Name: mindzie Studio Role
    • ID: _mindzie_studio_role (or leave blank to auto-assign)
    • Center Type: Classic Center
    • Check Web Services Only Role
    • Check Core Administration Permissions

  3. Under the Permissions subtab, configure each section:

    Transactions, Lists, Custom Record: Set every permission to View (read-only).

    Reports: Add SuiteAnalytics Workbook with level View.

    Setup: Add the following with level Full unless noted:

    • Log in using Access Tokens -- Full
    • REST Web Services -- Full
    • SuiteAnalytics Connect -- Full
    • SuiteAnalytics Connect - Read All -- Full
    • SuiteScript -- Full
    • User Access Tokens -- Full

  4. Under Subsidiary Restrictions (OneWorld accounts only): select All subsidiaries unless your security policy dictates otherwise.

  5. Click Save.

Step 4: Create the mindzie User

A dedicated employee record holds the role assignment. mindzie never logs in interactively as this user; the user exists only to anchor the access token.

  1. Go to Lists -> Employees -> Employees -> New.
  2. Fill in minimum required fields:
    • Name: mindzie API User
    • Email: an email address your team controls (NetSuite requires one; mindzie does not need access to the inbox).
    • Subsidiary: primary subsidiary (OneWorld accounts only).
  3. Open the Access subtab:
    • Check Give Access.
    • Leave Send New Access Notification Email unchecked.
    • Under Roles, add mindzie Studio Role.
  4. Click Save.

Step 5: Generate the Access Token

This step links the integration, user, and role together and produces the Token ID and Token Secret.

  1. Go to Setup -> Users/Roles -> Access Tokens -> New.
  2. Fill in:
    • Application Name: mindzie Studio (the integration from Step 2)
    • User: mindzie API User (from Step 4)
    • Role: mindzie Studio Role (from Step 3)
    • Token Name: mindzie Studio Token (or leave default)
  3. Click Save.
  4. Important: NetSuite will display the Token ID and Token Secret only once. Copy both values immediately into your secure password manager.

What to Send to mindzie

After completing the steps above, send mindzie the following five values. All five are required; mindzie cannot connect with any of them missing.

# Item Where it came from Example format
1 Account ID Your NetSuite URL 1234567 or 1234567_SB1
2 Consumer Key / Client ID Step 2 (Integration Record) 64-character hex string
3 Consumer Secret / Client Secret Step 2 (Integration Record) 64-character hex string
4 Token ID Step 5 (Access Token) 64-character hex string
5 Token Secret Step 5 (Access Token) 64-character hex string

Also helpful, but not strictly required:

  • NetSuite environment: Production, Sandbox, or Release Preview
  • Primary subsidiary (OneWorld accounts) and currency
  • Date range of historical data you want extracted in the first load
  • Time zone of the NetSuite account

How to Send It Securely

These four secrets together grant read access to your entire NetSuite account. Treat them like a production database password.

Do not send them by:

  • Plaintext email
  • Slack, Teams, or other chat tools without an expiring secret feature
  • Shared network drives or unencrypted file shares
  • Screenshots in tickets or wikis

Do send them by one of:

  • A one-time secret link service (e.g. 1Password "Share", Bitwarden Send, Doppler share, or your corporate equivalent) with an expiry of 24 hours or less.
  • An encrypted message through your IT-approved channel.
  • A scheduled call where you read them while mindzie's engineer enters them directly into the connector.

If you need a delivery method, ask your mindzie contact and we will send you a one-time secret link to upload the values into.

What Happens Next

Once mindzie receives the credentials:

  1. We enter them into the mindzie Studio NetSuite connector.
  2. We run a connection test (a single read against your account metadata).
  3. We confirm with you in writing that the connection is healthy.
  4. We schedule the first historical data extract with you.

The first extract is read-heavy; we coordinate timing with your team so it does not collide with month-end close or other peak load periods.

Verifying the Setup Yourself

Before sending credentials, you can confirm the role works by signing in to NetSuite as the mindzie API User, switching to the mindzie Studio Role, and confirming you can:

  • Open the SuiteAnalytics Workbook menu without an access denied error.
  • View (but not edit) any transaction or list record.

You will not be able to do much else interactively, which is expected -- this role is built for API access, not for human use.

Revoking Access

If you ever need to cut mindzie's access:

  • Fastest: Go to Setup -> Users/Roles -> Access Tokens, find the mindzie token, and click Revoke. This kills the connection immediately.
  • More thorough: Also disable the integration record (Step 2) and inactivate the mindzie API User employee record.

After revocation, notify mindzie support so we can clean up our side and acknowledge the change.

Need Help?

Contact mindzie support at support@mindzie.com with:

  • Your NetSuite Account ID (do not include the secrets in the email)
  • The step number you are stuck on
  • The exact error message NetSuite is showing

We can join a screen-share with your administrator to walk through any step that is not behaving as documented.