Project management task approval fails due to role-based access errors

We’re experiencing a frustrating issue where project managers can’t approve tasks in NetSuite 2023.1. The approval button appears but clicking it returns “Insufficient permissions” even though their role includes the Project Manager custom role.

I’ve verified the SuiteCloud role mapping shows the correct permissions, and the SuiteFlow workflow is configured to route approvals to users with the PM role. The workflow worked fine until we added some custom fields to the task record last month.

Error in browser console:

Permission denied: customrecord_task_approval
Role: Project Manager (customrole_pm)
Required permission: EDIT level on task approvals

Is there something specific about role-based access in SuiteFlow workflows that we’re missing? The custom role troubleshooting guide mentions checking subsidiary access, but we’re a single-entity company.

I’ve seen this before. When you added custom fields to the task record, did you update the permissions on those specific fields in the custom role definition? SuiteFlow workflows require explicit field-level permissions, not just record-level access. Check Setup > Users/Roles > Manage Roles > [Your PM Role] > Permissions > Custom Records and verify each custom field has at least View/Edit access.

Yes, role permission changes can take up to 15 minutes to propagate fully. But there’s another issue to check - your SuiteFlow workflow might have hardcoded permission checks in custom script actions. If you’re using any User Event or Workflow Action scripts, those need to explicitly check for the updated permissions. Also verify that the workflow’s “Run as Administrator” setting isn’t enabled, as that can mask permission issues during testing but fail for regular users.

The error message is pointing to a custom record type (customrecord_task_approval) rather than the standard task record. This suggests your workflow might be creating approval records in a custom table. You need to grant the Project Manager role FULL access to that custom record type, including all custom fields within it. Also check if there are any workflow states that have additional permission requirements - sometimes approval actions are tied to specific workflow state transitions that need separate permissions.

I’ll walk you through the complete solution based on your SuiteCloud role mapping and SuiteFlow workflow permissions setup.

Root Cause Analysis: Your issue involves three interconnected permission layers that all need alignment:

1. SuiteCloud Role Mapping: The custom role needs permissions on both the task record AND the approval custom record
2. SuiteFlow Workflow Permissions: The workflow itself needs to allow the role to execute approval actions
3. Custom Role Troubleshooting: Field-level permissions on custom fields added to task records

Complete Fix:

First, update the custom role permissions:

Setup > Users/Roles > Manage Roles > Project Manager
Permissions Tab:
  Custom Records > Task Approval Record > Full
  Lists > Task > Full
  Custom Record Fields > [All new fields] > Edit

Next, verify your SuiteFlow workflow configuration. Go to Customization > Workflow > Workflows > [Your Task Approval Workflow] and check the Initiate tab. Make sure the “Available to” section includes your Project Manager role explicitly, not just through inheritance.

The critical part most people miss: workflow state transitions require separate permissions. Edit your workflow and for each approval state transition:

// Pseudocode - Workflow state permission setup:
1. Open workflow state "Pending Approval"
2. Click on the approval action trigger
3. Set "Execute as" to "Current User" (not Administrator)
4. Add role condition: IF current user has role Project Manager
5. Verify custom record write permission in action script
// This ensures permission checks happen in user context

For the custom record permission error you’re seeing, you need to add a specific permission check in any User Event scripts attached to the task record. If you have a beforeSubmit or afterSubmit script, add this validation:

if (!runtime.getCurrentUser().getPermission({
  name: 'CUSTOMRECORD_TASK_APPROVAL'
}) >= 2) {
  throw error.create({
    name: 'INSUFFICIENT_PERMISSION',
    message: 'User lacks edit access to approval records'
  });
}

Custom Role Troubleshooting Checklist:

• Verify subsidiary restrictions aren’t blocking access (even in single-entity setups, check this)
• Confirm department/class/location restrictions on the role don’t conflict with task assignments
• Check if “Login Audit” shows any permission-related login restrictions
• Review the role’s “Restrictions” tab for any custom record type exclusions

Testing Steps:

1. Have a user with ONLY the Project Manager role test (remove any Administrator role temporarily)
2. Clear browser cache completely before testing
3. Check the workflow execution log (Customization > Workflow > Workflow Instances) to see exactly where permission fails
4. Enable SuiteScript debugging and check for any beforeLoad scripts that might be stripping permissions

After implementing these changes, wait 15-20 minutes for permission cache to clear across all NetSuite application servers. The combination of custom record permissions, workflow execution context, and field-level access should resolve your approval failures.

If issues persist after this, check whether any custom SuiteScript is overriding the workflow’s default behavior - sometimes custom approval logic bypasses the standard permission model.

One more thing to verify - check if your custom role has the “Lists > Task” permission enabled at the appropriate level. Even with custom record permissions, the base Task record permission is required for workflow actions that touch task records. I’ve seen cases where the workflow creates the approval record successfully but fails when trying to update the parent task status because the role lacks sufficient task record permissions.

Thanks for the responses. I checked the custom record permissions and found that customrecord_task_approval was set to View only. However, even after changing it to Full access and having users log out/in, we’re still seeing the error. Could there be caching involved here?