Version: eXtendFiles all versions
Audience: All

Overview

This article explains why the Created By or Last Modified By fields on eXtendFiles records may show unexpected users who aren't directly interacting with the records. This behavior occurs in specific scenarios including public upload, uploads from eXtendMobile, and file conversion operations.

Public Upload Authentication

When using eXtendFiles Public Upload, the Created By field will show the OAuth integration user instead of the external uploader. This occurs because:

  • Public uploads require an authenticated session to create records in NetSuite
  • The integration uses a system account with OAuth 2.0 authentication to handle these uploads
  • NetSuite automatically records this system account as the creator/modifier

File Approval and Rejection Operations

When files are approved or rejected in eXtendFiles, the Last Modified By field will also show the OAuth integration user instead of the approver/rejector because:

  • These operations require authenticated sessions to update eXtendFiles records
  • The system uses the integration credentials to perform the updates
  • This authentication requirement ensures secure record modifications

Note that the name of the approver will be captured separately in the "eXtendFiles - Name of Submit User" field on the Approval subtab of the eXtendFiles record.

Preview and Thumbnail Generation

When eXtendFiles generates previews or thumbnails for uploaded files, the Last Modified By field may update to show the system integration user because:

  • File processing occurs as a background operation
  • The processing requires authenticated system access
  • These automated operations use the integration credentials

eXtendMobile File Uploads

Similar to public uploads, file uploads from eXtendMobile will show the OAuth integration user rather than the mobile user who performed the upload. This is because:

  • eXtendMobile uses OAuth 2.0 for NetSuite communication
  • The authentication is handled through a system integration user
  • The actual mobile user's identity is masked by the integration process

If you’d like to capture the mobile user who performed the upload in a custom field, see How to Set 'Last Modified By' for Records via eXtendMobile.

Sandbox and Release Preview Email Behavior

In NetSuite Sandbox and Release Preview accounts, NetSuite provides special email routing rules to help prevent test activity from emailing real customers.

When eXtendFiles actions run using an OAuth integration user (for example, public upload, mobile upload, background conversion, or approvals), any NetSuite-generated emails that fire as part of those actions may route to the integration user’s email address instead of the “intended” recipient. This happens because the email is treated as being initiated by the user context that executed the action (the integration user), and the sandbox email preference is configured to route email to that user rather than to external recipients.

Where this is controlled

NetSuite administrators can set default routing for Sandbox and Release Preview emails at:

  • Setup → Company → Email → Email Preferences
  • Open the Sandbox and Release Preview Email Preferences (or Sandbox and Release Preview) subtab

Oracle recommends using Send Email To and specifying one or more test inbox addresses for these environments. This ensures emails are delivered to known test recipients instead of customers.

Common scenario: “Send Email to Logged In User”

If the sandbox preference is set to Send Email to Logged In User, emails generated by actions executed in the integration user context (OAuth, scheduled processing, workflow action scripts, etc.) will be routed to the integration user, since NetSuite considers that user the “logged in” initiator for the transaction.

Notes and exceptions

  • Oracle notes that some security-sensitive emails do not obey sandbox routing rules and are always delivered to the owner of the email address.
  • Emails initiated by errors in scheduled scripts can follow notification settings defined on the script record.
  • In addition to eXtendFiles, this also applies to other applications listed in Creating OAuth 2.0 Client Credentials (M2M) when external events trigger emails.

Frequently Asked Questions (FAQs)

Q: How can I track who actually uploaded a file?
A: You can create a custom field on the eXtendFiles record to track the actual user, similar to the approach described in the eXtendMobile Last Modified By documentation.

Q: Can I change this behavior?
A: This behavior is inherent to how NetSuite handles OAuth authentication and system integrations. While it cannot be changed, you can implement additional tracking fields for user accountability. Additionally, consider the use of a dedicated integration user.

Q: Does this affect file security or permissions?
A: No, this only affects the display of the Created By and Last Modified By fields. File security and permissions remain based on the configured access controls.
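
The following is an added example, not part of the original article or of eXtendFiles itself. It audits an exported list of records, resolves the person behind the integration user from the separately captured fields described above, and flags records where the integration user is the only identity on file. The column names, the integration user's display name and the sample rows are assumptions constructed for illustration.

```python
import csv
import io

# Assumption: display name of the dedicated OAuth integration user in this account.
INTEGRATION_USERS = {"eXtendFiles Integration"}

# Constructed sample export; column names are hypothetical, not eXtendFiles field IDs.
SAMPLE_EXPORT = """record_id,operation,last_modified_by,submit_user_name,actual_user
101,public_upload,eXtendFiles Integration,,vendor@example.com
102,approval,eXtendFiles Integration,Dana Reyes,
103,mobile_upload,eXtendFiles Integration,,
104,preview,eXtendFiles Integration,,
105,internal_upload,Sam Ortiz,,
"""

def resolve_actor(row, integration_users=INTEGRATION_USERS):
    """Return (actor, basis) for one record; actor is None when nobody can be named."""
    modifier = row["last_modified_by"].strip()
    if modifier not in integration_users:
        return modifier, "system field"  # a named user modified the record directly
    if row["operation"] == "approval" and row["submit_user_name"].strip():
        return row["submit_user_name"].strip(), "submit user field"
    if row["actual_user"].strip():
        return row["actual_user"].strip(), "custom tracking field"
    if row["operation"] == "preview":
        return "automated", "background processing"  # no human actor expected
    return None, "unattributed"

def audit(export_text):
    """Map record_id -> (actor, basis) for every row in the export."""
    reader = csv.DictReader(io.StringIO(export_text))
    return {row["record_id"]: resolve_actor(row) for row in reader}

def unattributed(results):
    """Record IDs where the integration user is the only identity on file."""
    return sorted(rid for rid, (actor, _) in results.items() if actor is None)

if __name__ == "__main__":
    results = audit(SAMPLE_EXPORT)
    for rid, (actor, basis) in results.items():
        print(rid, actor, basis)
    print("needs a tracking field:", unattributed(results))
```

Records returned by `unattributed` are the ones where a custom tracking field would close the accountability gap.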