GRC AC V10 - Mitigation Control Approval Workflow

Hi guys,
can me explain somebody the difference between the processID SAP_GRAC_CONTROL_ASGN und SAP_GRAC_CONTROL_MAINT?
And as well can somebody provide me the initiator rule ID for both so that we can have a detailed look into the brfplus rule.
We only want to mitigate controls via an controlowner approval and not a process for the creation of new controls.
That means an asisgnment approval workflow for mitigation controls.
Thanks a lot.

Hello Alexa,
Did you ever employ SAP_GRAC_CONTROL_ASGN ? Were you able to identify the included agents ?
I am interested in identifying approvers for mitigating controls who can be included in the workflow but are not risk owners. Would you have any suggestions for this type of agent ?
Any information would be appreciated.
Thanks,
Jamie

Similar Messages

  • GRC 10.0 CUP - Function Approval Workflow - Decision pending?

    Hi, i am customizing the Function Approval Workflow (SAP_GRAC_FUNC_APPR).
    I have one stage with only one agent authorization. The agent approved the request but in Search Request:
    Instance Status:  Running
    Instance Approval Status: Decision Pending
    Audit Log:
    + Request XXXX submitted..
    + Request is pending for approval at path GRAC_DEFAULT_PATH stage GRAC_DEFAULT_STAGE
    Approve ID: zzzz
    +Approved by ZZZZ at path GRAC_DEFAULT_PATH stage GRAC_DEFAULT_STAGE
    I don´t see the function in GRC. I´m in SP07
    Regards
    Ignacio

    Hi, my workflow Function Approval (default) have a wait event and i can´t delete this step succesfully.
    Here are more images about the workflow configuration of Function Approval.
    http://es.zimagez.com/zimage/wf10.php
    http://es.zimagez.com/zimage/wf20.php
    http://es.zimagez.com/zimage/wf30.php
    http://es.zimagez.com/zimage/wf40.php
    http://es.zimagez.com/zimage/wf5.php
    http://es.zimagez.com/zimage/wf6.php
    http://es.zimagez.com/zimage/wf7.php
    http://es.zimagez.com/zimage/wf8.php
    Thanks,
    Regards,
    Ignacio Barrionuevo.

  • GRC 5.3 mitigation control

    Dear Guys,
    Please help me to understand the concept of mitigation control in GRC 5.3 and when it is useful and at what time we need to implement mitigation control.
    How could we mitigate user and on what criteria....????
    Also some brief about control monitor.
    Thanks in Advance......

    Hi Arpit,
    Steps for remediation and mitigation strategy is as below,
    Once you do risk analysis, you have the list of risk available in your system, after this you have the option to remove (Remediate) risk by removing conflicting permission or action from role.
    OR
    there is scenario where you have to accept the risk in this case you have to opt for mitigation control, just consider one example given below,
    Function A: Create PO
    Function B: Release PO
    Above two functions are conflicting and create risk in standard process, so as a standard practice, in reference to compliance SAP recommends to have two people doing it separately, but customer might not be having 2 postions in org to separate this, so customer has to accept the risk and create mitigation control to document this and put the monitoring control so one person can perform this function.
    This way it is helful to follow the compliance and when audit happens customer can show that they have identified the risk and documented it and put alternate monitoring control, so the risk cannot be misused.
    Hope this helps you understand it.
    BR,
    Mangesh

  • GRC - Mitigation control maintenance workflow

    Hi Experts,
    This is regarding Standard GRC workflow WS76300088.
    How is approver determination done in this ?  Do we need to ensure that the approvers are maintained somewhere?
    Awaiting inputs ... thanks in advance!
    ~Ali~

    Hi Ali
    I guess the right forum to ask this question will be Governance, Risk and Compliance (SAP GRC)
    You can also try and check these links if they help:
    http://scn.sap.com/docs/DOC-52083
    GRC RM 10.0 - debug Agent determination in Workflow
    Regards,
    Modak

  • Mitigation assignment approval in Access Request Workflow

    Hi Guys,
    I am currently implementing GRC for one of the clients. I have a question with respect to Mitigation assignment approval in Access Request Workflow.
    Below is the Scenario,
    1) User Submits the request
    2) Manager Approves
    3) Role Owner runs the SOD & finds SOD violations. Role Owner assigns the mitigation controls & approves the request
    Clarification:
    Once the role owner approves , depending on the mitigation controls assigned , can this request be routed to the mitigation control owner for approval in next stage? is this configurable with out custom BRF+ rules ? I know there is a workflow separately  (SAP_GRAC_CONTROL_ASGN) for approval of assignment which I suppose is out side of the Access request workflow.
    Please suggest.

    Pavan,
    more or less - as the control assignment workflow is independent the access request doens't wait. So if the role owner set a mitigation the control workflow starts. If you allow the role owner to approve the access request with risks, means if the risk isn't mitigated, then the role owner can proceed.
    To have your scenario working you must set the following in Access Request workflow: Role Owners are not allowed to approve as long as there are risks. All risks must either be remediated or mitigated before approval. That means if the role owner sets a mitigation the assignment workflow starts. As soon as the mitigation is valid (final approval) the access request can be approved.
    Technically both workflows are independent and don't have a relation to each other. But with some settings you can combine them.
    Does this answer your question?
    Regards,
    Alessandro

  • Implementing Mitigation Control IDs

    Hi,
    We are planning to implement mitigation control ids in GRC. Currently we are only having 1 mitigation control id and all the users are mitigated into this id.
    Now, the plan is to include the mitigation control advise/comments by the SOD approvers into the GRC and thus by introducing multiple mitigation control id we could achieve this.
    In our system users are mapped as per the Business Unit and we have around 25-30 business units. so each BU is have a seprate mitigation control approval (SOD Approver).
    We have around 150 Risk IDs.
    We are not able to understand how to design mitigation control IDs in such case? Is it a best practice to create mitigation control ID for each Risk ID in the system (May be we can group similar Risk IDs)? Your help is appreciated.
    Thanks,
    Umesh

    Hi Umesh,
    No, for 1 Mitigation COntrol there are serveral Monitors and users who are mitigated are added to only 1 mitigation control id.
    Which means you have multiple people monitoring every risk in your system. Does all of the monitors belong to the same functional group?? If yes, what happens if there is a risk in other functional groups? How they can identify and monitor it??
    If no, why a FI functional group monitor, needs to monitor the risk related to other groups?
    Can you pls explain more on primary and secondary functions?
    If the risk is related to one functional area only, the respective functional area will own it. If it is a cross functional risk, then it will be owned by both the functional area managers, which is often referred as primary and secondary functions.
      and what are the disadvantage of creating 1 mitigation control id for each risk (may be grouping some risks) considering the fact that we have 25 business units.
    It is just like giving 1 coke with 100 straws while you still have a stock in your refrigerator
    Regards,
    Raghu

  • Mitigation control ID validity extension -easy way

    I work in GRC AC 5.3. All Mitigation control IDs have a validity expiration on same date in near future. Our GRC has many mitigation control IDs with mitigated users. How can I change the valid to date in convenient way?
    It may be extended for all mitigated users separately/individually, but it will take huge time.

    You can download all of them in a text file, make changes and upload it back via the import/export utility under mitigation tab,
    Alpesh

  • Mitigating Control Management Approver

    Hello,
    What is the significance of the Management Approver when creating a Mitigating Control?  I do not see any approval process in GRC .  Does this relate to setting up workflow?
    thanks
    Tammi

    Hi Tammi,
    Do you have any process documentation on mitigating controls?  I don't need to know how to create them in GRC - I've got that covered.  However from a non technical audit perspective, there's a process around creating a control, prior to having to set it up in the system.  Do you have anything in that area?
    If you do and you don't mind sharing, I would most appreciate it.
    Thanks,
    Santosh

  • Mitigation control errors out in CUP approval

    We are on GRC 5.3 SP8 and I am trying to create a mitigating control in RAR.  Once it goes for approval into CUP, it erroru2019s out when I try to approve it.  Here is the message:
    2010-05-25 10:57:43,367 [SAPEngine_Application_Thread[impl:3]_9] ERROR com.virsa.ae.commons.utils.StringEncrypter$EncryptionException: Invalid PKCS#5 padding length: 32
    com.virsa.ae.service.ServiceException: com.virsa.ae.commons.utils.StringEncrypter$EncryptionException: Invalid PKCS#5 padding length: 32
         at com.virsa.ae.accessrequests.bo.RequestExitServiceHelper.getCCDocument(RequestExitServiceHelper.java:315)
         at com.virsa.ae.accessrequests.bo.RequestExitServiceHelper.callCCExitService(RequestExitServiceHelper.java:263)
         at com.virsa.ae.accessrequests.bo.RequestExitServiceHelper.callExitServiceForApprovedRequest(RequestExitServiceHelper.java:51)
         at com.virsa.ae.accessrequests.bo.RequestBO.callExitService(RequestBO.java:5391)
         at com.virsa.ae.accessrequests.bo.RequestBO.approveRequest(RequestBO.java:5230)
         at com.virsa.ae.accessrequests.bo.RequestBO.approveRequest(RequestBO.java:5023)
         at com.virsa.ae.accessrequests.actions.RequestViewAction.confirmRequestApproval(RequestViewAction.java:946)
         at com.virsa.ae.accessrequests.actions.RequestViewAction.execute(RequestViewAction.java:103)
         at com.virsa.ae.commons.utils.framework.NavigationEngine.execute(NavigationEngine.java:295)
         at com.virsa.ae.commons.utils.framework.servlet.AEFrameworkServlet.service(AEFrameworkServlet.java:431)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
         at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.doWork(RequestDispatcherImpl.java:321)
         at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:377)
         at com.virsa.ae.commons.utils.framework.servlet.AEFrameworkServlet.service(AEFrameworkServlet.java:461)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
         at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.doWork(RequestDispatcherImpl.java:321)
         at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:377)
         at com.virsa.ae.commons.utils.framework.servlet.AEFrameworkServlet.service(AEFrameworkServlet.java:461)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
         at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
         at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1039)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
         at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
         at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
         at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
         at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
         at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
         at java.security.AccessController.doPrivileged(AccessController.java:219)
         at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:104)
         at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:176)
    Caused by:
    com.virsa.ae.commons.utils.StringEncrypter$EncryptionException: Invalid PKCS#5 padding length: 32
         at com.virsa.ae.commons.utils.StringEncrypter.decrypt(StringEncrypter.java:200)
         at com.virsa.ae.accessrequests.bo.RequestExitServiceHelper.getCCDocument(RequestExitServiceHelper.java:305)
         ... 32 more
    Thanks,
    Peggy

    Hello Peggy,
      Did you recently upgraded your NW Java Support package? If yes, then kindly check the SAP Note "1417651 - Unable to retrieve connector & application configuration"
    The problem is coming due to change in NW encryption algorithm and impacted GRC as well. This is fixed in SP10 of GRC.
    Regards, Varun

  • GRC AC v10 SPM WF - Workflow Item not showing up in WF Inbox

    GRC AC v10 - SP12
    The outlook email notification for the Workflow Item goes out, but there is nothing in the NWBC Inbox for the WF Item. Subsitution is setup correctly.
    Any ideas?
    -john

    Hi John
    this is probably be a silly question but what substitution did you set up for ZFF_CTL_01? I assume the item is in that user's inbox. Which user is meant to be receiving?
    I also noticed this KB article (1589130) which mentions the delegated person needs GRAC_REQ authorisation. Have you checked if security access issue?
    There was also mention that the delegated approver does not appear in the MSMP instance runtime (your screen shot suggests same situation unless you have not set up the delegation). SP14 delivers the fix or refer to  1915928 - UAM: Delegated Approver is not visible in the Instance status
    Possibly have a look at both of them to see if they resolve your issue.
    Regards
    Colleen

  • GRC AC10 Mitigation Control Temporary Tables

    Hi everyone,
    I'm trying to find the table where GRC stores the organizational unit for a new mitigation control before the request is approved. As I could see, after approval (when the control is created) they are moved to HRP1000, 1001, etc.
    I've also tried with system trace (ST01 and ST05) but I could only find these tables: GRFNMWRTINST, GRFNMWRTINSTAPPL. Unfortunately I've checked them but they don't store OU data.
    Maybe it is stored in an XML file and that's why I cant reach the table.
    If you have any idea or any experience to share, I would really appreciate it!
    Thanks and regards,
    Fernando

    Hi Fernando
    Maybe it is stored in an XML file and that's why I cant reach the table.
    I was trying to figure out the same thing and suspected that was the case. Or if there might be a temporary text file
    I hope someone here can clear it up. But it's a bit annoying in the approach as you cannot tell what changes have been requested or compare changes to current. Hope SAP eventually cleans this up.
    Might need to trace it to identify the function module that is used by approver to view the request?
    Regards
    Colleen

  • Disable mitigation control workflow

    Hi community,
    one pretty simple question: I would like to be disable the mitigation control workflow, meaning, I would like to be able to directly save mitigation controls, without sending this through an approval process. I cannot find the associated activity in the spro. Can you please assist me on this?
    The way I saw this some time ago was that, if one disabled the mitigation control workflow, the Save button was visible in the mitigation control maintenance screen. When the workflow was enabled, the Submit button was visible (which, of course, makes sense). Now, I would like to be able to do this change.
    I did also look into transaction GRFNMW_CONFIGURE_WD - nothing suspicious here.
    Any help is highly appreciated. Thanks in advance!
    EM

    Hi EM,
    Please set 1061 and 1062 to NO as per your requirement for mitigation assignment and mitigation maintenance.
    BR,
    Mangesh

  • Error when trying to approve a mitigation control in CUP

    Hi,
    I have created a Mitigation Control in RAR and set-up the necessary workflow. The request ends up in CUP and the approver is able to see the request when he/she logs in, however the approver cannot approve or reject the request.
    The following error messages appear:
    - Approve: Error processing your request, Request no: 2 in stage : MITIGATION
    - Reject: Error rejecting request no: 2
    I have check the workflow many times now and I have also checked the mitigation URL's.
    Any idea what the problem can be?
    Thanks.

    Thank you for your response. No the approver is not part of the DL. I just added the approver to the workflow (CAD).
    Please find log details below:
    2010-03-18 16:09:32,729 [SAPEngine_Application_Thread[impl:3]_8] ERROR Service call exception; nested exception is:
         com.sap.engine.services.webservices.jaxrpc.exceptions.InvalidResponseCodeException: Invalid Response Code: (401) Unauthorized. The requested URL was:"http://vgrdci.sap.client.co.za:51900/VirsaCCWFExitService5_2Service/Config1?style=document"
    java.rmi.RemoteException: Service call exception; nested exception is:
         com.sap.engine.services.webservices.jaxrpc.exceptions.InvalidResponseCodeException: Invalid Response Code: (401) Unauthorized. The requested URL was:"http://vgrdci.sap.client.co.za:51900/VirsaCCWFExitService5_2Service/Config1?style=document"
         at com.virsa.ae.request.ws.cc.Config1BindingStub.execWFExitService(Config1BindingStub.java:87)
         at com.virsa.ae.request.ws.cc.Config1BindingStub.execWFExitService(Config1BindingStub.java:96)
         at com.virsa.ae.accessrequests.bo.RequestExitServiceHelper.callCCExitService(RequestExitServiceHelper.java:263)
         at com.virsa.ae.accessrequests.bo.RequestExitServiceHelper.callExitServiceForApprovedRequest(RequestExitServiceHelper.java:51)
         at com.virsa.ae.accessrequests.bo.RequestBO.callExitService(RequestBO.java:5335)
         at com.virsa.ae.accessrequests.bo.RequestBO.approveRequest(RequestBO.java:5174)
         at com.virsa.ae.accessrequests.bo.RequestBO.approveRequest(RequestBO.java:4967)
         at com.virsa.ae.accessrequests.actions.RequestViewAction.confirmRequestApproval(RequestViewAction.java:928)
         at com.virsa.ae.accessrequests.actions.RequestViewAction.execute(RequestViewAction.java:103)
         at com.virsa.ae.commons.utils.framework.NavigationEngine.execute(NavigationEngine.java:271)
         at com.virsa.ae.commons.utils.framework.servlet.AEFrameworkServlet.service(AEFrameworkServlet.java:425)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
         at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.doWork(RequestDispatcherImpl.java:321)
         at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:377)
         at com.virsa.ae.commons.utils.framework.servlet.AEFrameworkServlet.service(AEFrameworkServlet.java:455)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
         at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.doWork(RequestDispatcherImpl.java:321)
         at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:377)
         at com.virsa.ae.commons.utils.framework.servlet.AEFrameworkServlet.service(AEFrameworkServlet.java:455)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
         at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
         at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1039)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
         at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
         at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
         at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
         at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
         at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
         at java.security.AccessController.doPrivileged(AccessController.java:219)
         at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:104)
         at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:176)
    Caused by:
    com.sap.engine.services.webservices.jaxrpc.exceptions.InvalidResponseCodeException: Invalid Response Code: (401) Unauthorized. The requested URL was:"http://vgrdci.sap.client.co.za:51900/VirsaCCWFExitService5_2Service/Config1?style=document"
         at com.sap.engine.services.webservices.jaxrpc.wsdl2java.soapbinding.MimeHttpBinding.handleResponseMessage(MimeHttpBinding.java:998)
         at com.sap.engine.services.webservices.jaxrpc.wsdl2java.soapbinding.MimeHttpBinding.call(MimeHttpBinding.java:1449)
         at com.virsa.ae.request.ws.cc.Config1BindingStub.execWFExitService(Config1BindingStub.java:80)
         ... 33 more

  • GRC CUP 5.3 SP16.3 Mitigation Controls automation removal

    Does anyone know that if you create any user requests to remove roles from a user, that if any mitigation controls were assigned to the users for those roles, the mitigating control ids can also be automatically removed from RAR during auto provisioning of the request?
    Right now, GRC CUP, if configured properly, during auto provisioning, will assign the mitigation controls automatically to the userid in RAR to mitigate the risks when the request is processed if the new access will give any SOD violations.  But if you remove the roles from a user and he/she had any mitigation ids assigned in RAR, can the request also automatically remove the mitigated control id associated with it if the user will no longer have that risk?  I have not seen the request automatically remove the mitigated id from RAR when the role was removed from the user id during auto provisioning. But I'm not sure if this requires additional workflow configuration or not.
    Will greatly appreciate if any1 is aware of this issue and how to resolve it. Or is the only solution to manually remove it from RAR..but this can be tiresome..bc then you have to run the report every week or month in RAR to remove the excessive controls assigned if the users do not have the risks anymore..comparing reports from current to previous month, etc.
    Thanks,
    A.

    Hi Alley,
    It is not possible to automate the removal of mitigation controls through a workflow in CUP. The only solution is to review on a regular basis and remove them manually from RAR
    We also has the same issue and performing manual review at regular intervals of the user & role assigned mitigation controls
    Best Regards,
    Srihari.K

  • SAP GRC AC10 Common Practices on Mitigation Control

    Hi all,
    Currently, our company is implementing the GRC tool globally and we are required to set up mitigation control. I would like to get some ideas about what structures are used in various companies. And are those mitigation control align with the internal audit practices?
    We are having some initial idea that setting up template for those mitigation control, but should these be applied to all companies? And if we set up in this way, do we still need to identify any approver and monitor in local organization?
    And the mitigation controls should be owned by global organization or compliance department or local organization?
    Please help.
    Thx!

    Hi "GRC_SAP_AUDIT"
    I presume that you have a single Global Ruleset used within the company to define the risks across the company, but some risks may not be applicable or realistically avoidable in certain parts of the organisation in different countries due to the possible nature of a "Small office" structure (i.e. a small team doing various types of job tasks which are bound to cause SOD conflicts etc). So you may want to create a control for a risk in one area/region, but not for another. This is all possible with GRC AC.
    You can have a Specific Risk assigned to as many Mitigating Control definitions; therefore if you had different controls in different countries for that risk, e.g. UK Risk F001 is to have control X applied, whilst USA Risk F001 is to have control Y applied, it is good practice to define it that way.
    With the example above, you can then assign regional Control Owners and Monitors. Usually, I recommend giving the ownership of controls to the regional/company/departmental leads (depending on your org structure) who would manage the control, as I strongly feel that this has to be business driven. The decision of what approach to take is yours, as you have to see what will be the best solution to implement within your organisation.
    Hope this helps. If you wish to add any further detail, im sure the forum members are happy to help.

Maybe you are looking for