Overview
This article explains the NetSuite permissions required for CloudExtend apps to authenticate successfully and how to resolve common authorization and token-related login errors.
Use this guide only if users encounter login or authorization errors when connecting CloudExtend to NetSuite.
For an overview of the CloudExtend login flow, supported authentication methods, and how users log in, see:
➡️ CloudExtend NetSuite Login Prerequisites
When You Need This Article
Refer to this guide if users see errors such as:
“Cannot continue this authorization flow. Your current role has insufficient permission.”
“Missing Authentication Token”
Login failures after switching devices or roles
Authentication succeeds, then fails unexpectedly later
Required NetSuite Permissions (Per Role)
A NetSuite Administrator must ensure the role used with CloudExtend includes the following permissions.
Step 1: Go to Setup > Users/Roles > Manage Roles
Step 2: Look for the role name that you wish to edit
Step 3: Go to Permissions
Setup Tab
Permission | Level | Purpose |
SOAP Web Services | Full | Required for API communication |
User Access Tokens | Full | Allows token generation during login |
Log in using Access Tokens | Full | Enables token-based authentication |
SAML Single Sign-On | Full (only if SSO is used) | Do not enable if SSO is not configured |
Allow JS/HTML Uploads | As needed | Required only for |
Lists Tab (For Email Apps)
Permission | Level |
Documents and Files | Create (Full recommended for ExtendDocs) |
Track Messages | Create (Full recommended for ExtendDocs) |
Custom Record Tab (Send from Outlook Only)
Permission | Level |
Celigo Send from Outlook Email Config | Full (Send from Outlook only) |
Why are Tokens Required?
NetSuite recommends that users connect to NetSuite with tokens when using applications such as CloudExtend and has provided a means to generate these tokens automatically. During the login flow:
Once a user enters their username and password, CloudExtend will attempt to create a token pair for future logins.
If the end-user does not have the proper permissions, this process will fail, and the user will need to click the back button and select basic login.
For the login flow to be able to generate tokens on behalf of the user, ensure that their roles have the User Access Tokens permission. When a role has this permission, the NetSuite login flow will automatically generate tokens on your behalf and log you in with token-based authentication, which can greatly reduce NetSuite concurrency issues. Additionally, login challenges may arise when users switch devices or hardware, requiring token regeneration to restore access.
Common Authorization Errors & Fixes
🔵 Cannot continue this authorization flow
Cause:
The role is missing the User Access Tokens permission.
You’ll see this error during login:
You cannot continue this authorization flow. Your current role has insufficient permission. Please contact your account administrator.
Fix:
Enable SOAP Web Services(Full) and User Access Tokens (Full), then retry login.
➡️ Full Guide: How to Resolve Authorization Flow Error
🔵 Role-Specific Limitations
Some specialized NetSuite roles cannot accept required permissions.
Example:
Custom specialized user: CRM roles cannot include:
User Access Tokens
SOAP Web Services
Resolution:
Assign a different role, or
Clone a standard NetSuite role, add required permissions, and reassign the user
Advise the user to recreate or add connections
When to Recreate/Add a Connection
Users should recreate their CloudExtend connection if:
Tokens were revoked
Devices were changed
Login fails after a long period of inactivity
Steps:
Open CloudExtend → Menu
Go to Connections → NetSuite Connections
Select Add Connection
Complete the login flow again
Optional Permissions (Feature-Specific)
Some additional permissions enhance specific CloudExtend features, such as Send from Outlook or ExtendInsights for Analytics NetSuite.
Send from Outlook
In NetSuite, go to Setup > User/Roles > Manage Roles and select the relevant custom role.
Go to Permissions > Custom Record Tab.
Add Celigo Send from Outlook Email Config and set to FULL.
Go to Permissions > Lists
Add Track Messages and assign FULL access level
ExtendInsights for Analytics NetSuite
In NetSuite, navigate to Setup > Users/Roles > Manage Roles
Select the Project Manager role and click Edit.
Click Permissions > Lists
Add Persist Search and assign Create access level
Summary
User Access Tokens are mandatory for stable CloudExtend authentication
Missing permissions are the most common cause of login failures
Specialized roles may need to be replaced or cloned
Recreating connections resolves most token-related issues
Need Help?
If issues persist after permissions are verified:
💬 Use in-app chat
📧 cloudextend-support@celigo.com
Include:
NetSuite role name
Error message
Screenshot of role permissions