If you've been reviewing NetSuite's Login Audit Trail and spotted the status EntityOrRoleDisabled, it means a login attempt failed because either the user's underlying record or the role they tried to use has been inactivated.

The status is clear enough at a glance. But the fact that it covers two distinct scenarios, without telling you which one, is where the investigation starts.

The Two Scenarios

Scenario 1: The entity is disabled. The underlying record associated with the user account, typically an Employee record, has been marked as Inactive. Even if the credentials are correct and the role is active, login is blocked because the person record itself is inactive.

This commonly happens during offboarding. The employee record gets inactivated, but no one separately addresses NetSuite access. Or the reverse: access is removed but the record stays active, and the status only surfaces when someone tries to log in.

Scenario 2: The role is disabled. The specific role the user attempted to log in with has been inactivated. This can happen when a role is retired or replaced, when an administrator inactivates a role without auditing which users still had it assigned, or when the user's access to that specific role was removed.

How to Diagnose It

The status tells you which category of problem caused the failure, but not specifically whether it was the entity or the role. To determine which:

  1. Go to Setup → Users/Roles → Manage Users.
  2. Find the user in question.
  3. Check whether the Employee/Contact/Vendor record is active.
  4. Check whether the roles assigned to that user are still active roles.
  5. Confirm the user still has the role assigned at all.

In most cases, one of the three checks in steps 3 to 5 will surface the issue immediately.

Why It Matters

From a security perspective: a login attempt with a disabled entity or role may indicate a terminated employee whose credentials are still being used, either by the former employee or by someone who obtained them. That warrants investigation, particularly if the attempts are coming from unfamiliar IP addresses or happening outside business hours.

From an operations perspective: it can also be a legitimate user who was accidentally inactivated, or whose role was changed without their knowledge. The result is an unexpected lockout and a support ticket that could have been avoided.

Not the Same As Other Login Failures

It's worth distinguishing this from the other statuses you'll see in the audit trail:

  • EntityOrRoleDisabled means the entity or role is inactivated.
  • InvalidPassword means the correct user, but the wrong password.
  • InvalidLoginCredentials means an unrecognized email or user.
  • TwoFactorAuthRequired means login was blocked pending 2FA.
  • RoleNotAssigned means the role exists and is active, but isn't assigned to that user.

The distinction between EntityOrRoleDisabled and RoleNotAssigned is the one that trips people up most often. The first means the role itself is inactive. The second means the role is fine, but the user doesn't have it.

Accessing the Login Audit Trail

This is a native NetSuite feature. No scripting required.

Navigate to Setup → Users/Roles → View Login Audit Trail. You can filter by status (including EntityOrRoleDisabled), user, date range, and IP address.

Monitoring Beyond the UI

If you need to report on or alert on this status beyond what the native UI provides, there are two approaches:

  • Saved search on the Login Audit Trail record type, filtered by status. You can schedule it and have results emailed natively. This handles the majority of monitoring needs.
  • Scheduled script querying the audit trail and triggering alerts based on volume thresholds or specific users. Only warranted if the saved search approach is insufficient for your requirements.

Start with the saved search. It's native, schedulable, and requires no deployment. Layer in scripting only if you need threshold-based alerting or integration with an external monitoring tool.
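
The triage logic a scheduled script or an external tool would apply to audit trail rows, as an added example (not NetSuite's code and not from the original article). It combines the volume threshold mentioned above with the unfamiliar-IP and outside-business-hours signals from "Why It Matters". The row field names, the known-IP list, the business hours, the threshold and the sample rows are all assumptions; loading the rows from a saved search export or script is left out.

```javascript
// Added example. Field names (date, user, status, ip) are assumed column
// labels from an exported saved search, not NetSuite internal IDs.
const DEFAULTS = {
  knownIps: new Set(['203.0.113.10']), // assumed office egress IP (constructed)
  startHour: 8,                        // assumed business hours, 08:00-18:00
  endHour: 18,
  volumeThreshold: 3,                  // assumed attempts per user per export
};

// Constructed sample rows; date is 'YYYY-MM-DD HH:MM' in the account's time zone.
const SAMPLE_ROWS = [
  { date: '2024-05-06 09:15', user: 'a.former@example.com', status: 'EntityOrRoleDisabled', ip: '203.0.113.10' },
  { date: '2024-05-06 23:40', user: 'a.former@example.com', status: 'EntityOrRoleDisabled', ip: '198.51.100.7' },
  { date: '2024-05-07 02:05', user: 'a.former@example.com', status: 'EntityOrRoleDisabled', ip: '198.51.100.7' },
  { date: '2024-05-06 10:30', user: 'b.current@example.com', status: 'EntityOrRoleDisabled', ip: '203.0.113.10' },
  { date: '2024-05-06 10:31', user: 'c.typo@example.com', status: 'InvalidPassword', ip: '198.51.100.9' },
];

// Groups EntityOrRoleDisabled rows per user and attaches the reasons a
// reviewer would escalate on: unfamiliar IP, outside business hours, volume.
function triageDisabledLogins(rows, options = {}) {
  const cfg = { ...DEFAULTS, ...options };
  const byUser = new Map();
  for (const row of rows) {
    if (row.status !== 'EntityOrRoleDisabled') continue; // other statuses are out of scope
    if (!byUser.has(row.user)) {
      byUser.set(row.user, { user: row.user, attempts: 0, ips: new Set(), reasons: new Set() });
    }
    const finding = byUser.get(row.user);
    finding.attempts += 1;
    finding.ips.add(row.ip);
    if (!cfg.knownIps.has(row.ip)) finding.reasons.add('unfamiliar-ip');
    const hour = Number(String(row.date).slice(11, 13));
    if (Number.isNaN(hour)) finding.reasons.add('unparsed-date');
    else if (hour < cfg.startHour || hour >= cfg.endHour) finding.reasons.add('outside-hours');
  }
  return [...byUser.values()]
    .map((f) => {
      if (f.attempts >= cfg.volumeThreshold) f.reasons.add('volume');
      // No reasons suggests an operational lockout: route to support, not security.
      return { user: f.user, attempts: f.attempts, ips: [...f.ips].sort(),
               reasons: [...f.reasons].sort(), escalate: f.reasons.size > 0 };
    })
    .sort((a, b) => b.reasons.length - a.reasons.length || b.attempts - a.attempts);
}
```

Each returned finding still needs the manual checks under "How to Diagnose It", since the status alone does not say whether the entity or the role was inactivated.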