GRC - Mitigation control maintenance workflow

Similar Messages

• GRC AC V10 - Mitigation Control Approval Workflow

  Hi guys,
  can me explain somebody the difference between the processID SAP_GRAC_CONTROL_ASGN und SAP_GRAC_CONTROL_MAINT?
  And as well can somebody provide me the initiator rule ID for both so that we can have a detailed look into the brfplus rule.
  We only want to mitigate controls via an controlowner approval and not a process for the creation of new controls.
  That means an asisgnment approval workflow for mitigation controls.
  Thanks a lot.

  Hello Alexa,
  Did you ever employ SAP_GRAC_CONTROL_ASGN ? Were you able to identify the included agents ?
  I am interested in identifying approvers for mitigating controls who can be included in the workflow but are not risk owners. Would you have any suggestions for this type of agent ?
  Any information would be appreciated.
  Thanks,
  Jamie

• Disable mitigation control workflow

  Hi community,
  one pretty simple question: I would like to be disable the mitigation control workflow, meaning, I would like to be able to directly save mitigation controls, without sending this through an approval process. I cannot find the associated activity in the spro. Can you please assist me on this?
  The way I saw this some time ago was that, if one disabled the mitigation control workflow, the Save button was visible in the mitigation control maintenance screen. When the workflow was enabled, the Submit button was visible (which, of course, makes sense). Now, I would like to be able to do this change.
  I did also look into transaction GRFNMW_CONFIGURE_WD - nothing suspicious here.
  Any help is highly appreciated. Thanks in advance!
  EM

  Hi EM,
  Please set 1061 and 1062 to NO as per your requirement for mitigation assignment and mitigation maintenance.
  BR,
  Mangesh

• Mass maintenance of Mitigation controls in GRC 10.0

  Dear All,
  How to do mass maintenance of mitigation in ARA of GRC 10.0. We successfully migrated the mitigation controls from 5.3 to 10.0. I need to change the monitors for many user conflicts and also add new user conflict mitigation controls. Is it possible to do a mass changes in GRC 10.0 as there is no upload functionality for mitigation controls
  Thanks and Best Regards,
  Srihari.K

  Hi Sri,
  you can achieve by downloading and uploading the mitigations.
  Go to SE38 and use the following program GRAC_DOWNLOAD_MIT_ASSIGNMENTS to download the file and make necessary changes to it and upload the file by using the following program GRAC_UPLOAD_MIT_ASSIGNMENTS.
  and put the active column in the file as X.
  Regards,
  Venugopal Ireni

• GRC CUP 5.3 SP16.3 Mitigation Controls automation removal

  Does anyone know that if you create any user requests to remove roles from a user, that if any mitigation controls were assigned to the users for those roles, the mitigating control ids can also be automatically removed from RAR during auto provisioning of the request?
  Right now, GRC CUP, if configured properly, during auto provisioning, will assign the mitigation controls automatically to the userid in RAR to mitigate the risks when the request is processed if the new access will give any SOD violations.  But if you remove the roles from a user and he/she had any mitigation ids assigned in RAR, can the request also automatically remove the mitigated control id associated with it if the user will no longer have that risk?  I have not seen the request automatically remove the mitigated id from RAR when the role was removed from the user id during auto provisioning. But I'm not sure if this requires additional workflow configuration or not.
  Will greatly appreciate if any1 is aware of this issue and how to resolve it. Or is the only solution to manually remove it from RAR..but this can be tiresome..bc then you have to run the report every week or month in RAR to remove the excessive controls assigned if the users do not have the risks anymore..comparing reports from current to previous month, etc.
  Thanks,
  A.

  Hi Alley,
  It is not possible to automate the removal of mitigation controls through a workflow in CUP. The only solution is to review on a regular basis and remove them manually from RAR
  We also has the same issue and performing manual review at regular intervals of the user & role assigned mitigation controls
  Best Regards,
  Srihari.K

• Bringing mitigating controls from PC to AC in GRC 10.0

  Hi ,
  I am going through remediation process in GRC 10.0, However there are no mitigation controls setup in AC.
  my client is asking me to copy all the mitigating controls from PC to AC.
  Is this possible ? if yes, What will be the process ?
  Thank you.

  Hi Sri,
  you can achieve by downloading and uploading the mitigations.
  Go to SE38 and use the following program GRAC_DOWNLOAD_MIT_ASSIGNMENTS to download the file and make necessary changes to it and upload the file by using the following program GRAC_UPLOAD_MIT_ASSIGNMENTS.
  and put the active column in the file as X.
  Regards,
  Venugopal Ireni

• CUP - Mitigation Controls in a Detour Workflow

  Hello everybody,
  I have a problem with a detour workflow in CUP.
  I choose the detour condition: "SoD violation".
  So in theory, if there is no conflicts the workflow don't take the detour path.
  We supposed that the user request has an SoD conflict.
  In the stage(s) before the detour, if we assign a mitigation control that mitigate the risk, the detour is still taken.
  I think the workflow swich systematically to the detour if the request had a conflict, even if the risks were deleted by an Mitigation Controls assignment.
  Does anyone have a solution to avoid the detour path if we mitigate the risks?
  Thank you in advance!!

  Ben,
     This is how CUP works. There is no configuration which allows you to ignore SOD violaton even if there is mitigation. You will have to live with this for now.
  Regards,
  Alpesh

• GRC AC10 Mitigation Control Temporary Tables

  Hi everyone,
  I'm trying to find the table where GRC stores the organizational unit for a new mitigation control before the request is approved. As I could see, after approval (when the control is created) they are moved to HRP1000, 1001, etc.
  I've also tried with system trace (ST01 and ST05) but I could only find these tables: GRFNMWRTINST, GRFNMWRTINSTAPPL. Unfortunately I've checked them but they don't store OU data.
  Maybe it is stored in an XML file and that's why I cant reach the table.
  If you have any idea or any experience to share, I would really appreciate it!
  Thanks and regards,
  Fernando

  Hi Fernando
  Maybe it is stored in an XML file and that's why I cant reach the table.
  I was trying to figure out the same thing and suspected that was the case. Or if there might be a temporary text file
  I hope someone here can clear it up. But it's a bit annoying in the approach as you cannot tell what changes have been requested or compare changes to current. Hope SAP eventually cleans this up.
  Might need to trace it to identify the function module that is used by approver to view the request?
  Regards
  Colleen

• Mitigating Control creation and application in SAP GRC 10

  Hi Expert,
  We have SAP GRC Access Control 10 being implemenmted for our client.  While trying to create Mitigating Control, we just realized that Before creating mitigating controls you need to create a Root Org entry, this replaces the Business Units in previous AC versions which is visible only when we activate the GRC-PC Application.
  My queries are:
  1. Is it that Mitigation control can only be created if PC is enable.
  2. What about Licencing if GRC-PC Application is used for Mitigating Control Creation.
  Thanking you i advance.
  Thanks & Regards,
  Abhimanu Kumar Singh

  HI,
  Thank you for the response, I just checked and could find that I can create Mitigating control without PC application. It is just that PC relevant fields are not displayed.
  However can anybody answer as to what happens if I use PC to create Mitigating Control, Do I have to purchase the license for SAP GRC PC or it is ok for shared resources.
  Thanks again.
  Thanks & Regards,
  Abhimanu Kumar Singh

• GRC 5.3 mitigation control

  Dear Guys,
  Please help me to understand the concept of mitigation control in GRC 5.3 and when it is useful and at what time we need to implement mitigation control.
  How could we mitigate user and on what criteria....????
  Also some brief about control monitor.
  Thanks in Advance......

  Hi Arpit,
  Steps for remediation and mitigation strategy is as below,
  Once you do risk analysis, you have the list of risk available in your system, after this you have the option to remove (Remediate) risk by removing conflicting permission or action from role.
  OR
  there is scenario where you have to accept the risk in this case you have to opt for mitigation control, just consider one example given below,
  Function A: Create PO
  Function B: Release PO
  Above two functions are conflicting and create risk in standard process, so as a standard practice, in reference to compliance SAP recommends to have two people doing it separately, but customer might not be having 2 postions in org to separate this, so customer has to accept the risk and create mitigation control to document this and put the monitoring control so one person can perform this function.
  This way it is helful to follow the compliance and when audit happens customer can show that they have identified the risk and documented it and put alternate monitoring control, so the risk cannot be misused.
  Hope this helps you understand it.
  BR,
  Mangesh

• SAP GRC AC10 Common Practices on Mitigation Control

  Hi all,
  Currently, our company is implementing the GRC tool globally and we are required to set up mitigation control. I would like to get some ideas about what structures are used in various companies. And are those mitigation control align with the internal audit practices?
  We are having some initial idea that setting up template for those mitigation control, but should these be applied to all companies? And if we set up in this way, do we still need to identify any approver and monitor in local organization?
  And the mitigation controls should be owned by global organization or compliance department or local organization?
  Please help.
  Thx!

  Hi "GRC_SAP_AUDIT"
  I presume that you have a single Global Ruleset used within the company to define the risks across the company, but some risks may not be applicable or realistically avoidable in certain parts of the organisation in different countries due to the possible nature of a "Small office" structure (i.e. a small team doing various types of job tasks which are bound to cause SOD conflicts etc). So you may want to create a control for a risk in one area/region, but not for another. This is all possible with GRC AC.
  You can have a Specific Risk assigned to as many Mitigating Control definitions; therefore if you had different controls in different countries for that risk, e.g. UK Risk F001 is to have control X applied, whilst USA Risk F001 is to have control Y applied, it is good practice to define it that way.
  With the example above, you can then assign regional Control Owners and Monitors. Usually, I recommend giving the ownership of controls to the regional/company/departmental leads (depending on your org structure) who would manage the control, as I strongly feel that this has to be business driven. The decision of what approach to take is yours, as you have to see what will be the best solution to implement within your organisation.
  Hope this helps. If you wish to add any further detail, im sure the forum members are happy to help.

• Mitigation control workflow for AC10

  We are configuring the Mitigation control workflow during the implementation of AC 10.
  I would like to know whether its mandatory to have the workflow for Mitigation approver and monitor. As per the implementation team there is no requirement for them as this is not covered during the rampup.  But I think this should be mandatory to have the mitigation approval worflow so all the mitigation risk should be approved before mitigating. Otherwise, security admin can mitigate any risk and complete the request.
  Please advice.

  Hi,
  Yes. It will be a manual process. In some of the organizations, risks identification and mitigation will be performed manually by the Business process owners, which means in reality there will not be any risks that pop-up in CUP or RAR since they are already mitigated for the user.
  If you don't want to enable the mitigation process in the workflow, you have to do it and record the evidences manually.
  Hope this answers.
  Regards,
  Raghu

• Transport of mitigation controls from GRC Dev to GRC Production in 10.0

  Hi All,
  Is there an option to transport mitigation controls from Dev to Prod in 10.0. Where is that option available. We could not find even download or upload option unlike 5.3 in 10.0
  Thanks and Best Regards,
  Srihari.K

  Hi
  I can see that this question is marked as answered . Could you please update what steps were taken for transporting mitigation controls? Thanks
  Best Regards
  Srilakshmi S

• GRC AC RAR: Comprehension question Mitigating Controls

  Hello all,
  I have a small comprehension question regarding Mitigating Controls.
  Situation:
  We have identified some authorization roles that contained lots of risks and we decided that they should not be used anymore. I therefore had our admins remove those roles from all the userIDs and update the role descriptions so it is clear that these roles are obsolete and must not be used anymore. For specific reasons we are currently not able to archive those roles in order to remove them from the system (can't delete them either for unclarified data retention questions).
  What has been done:
  1. I have created the necessary userIDs for Management Approver, Monitor, etc. in tab Mitigation -> Administrators -> Create
  2. I have created the necessary business unit and assigned to userIDs created in 1. in tab Mitigation -> Business Units -> Create
  3. I have created a Mitigation Control "Obsolete Roles" in tab Mitigation -> Mitigating Controls -> Create
  4. Within the Mitigatin Control I have mitigated all associated risks in tab "Associated Risks", added a userID in tab "Monitors" and I have added all the obsolete roles using the button "Mitigate roles"
  What I want to achieve:
  - Roles should not show up in the analysis anymore -> I've checked that and it works as expected
  - I now want the userID I added in tab "Monitors" and when mitigating the roles to regularly check in the SAP system whether the mitigated roles have been assigned to any userIDs again (using PFCG or any other suitable report in the system).
  Can I achieve that by using tab "Reports" within the Mitigating Control ?
  If I provide the system in column "System", provide "PFCG" in column "Action", "Use PFCG to check is role is assigned again" in "Description", add the userID in tab "Monitor" and set Frequency to "4" this would mean that that userID needs to check whether the roles have been used again at least every 4 weeks ?
  Will the system automatically send a reminder eMail to that userID every 4 weeks or does the user have to check the RAR manually in order to see "his/her" tasks ?
  Regards,
  Benjamin

  Hi Jwalant,
  sorry for my late reply, but I have waited for a few weeks to make be sure wheather the way you described works or not.
  - The background job gets executed once a week and finishes without any error.
  - The only thing that doesn't work is that the userID that I maintained in clolumn "monitor" and for which I defined a mitigation control which has to be executed every 2-weeks (using column "report") does NOT get a mail from the system that reminds him/her to execute the mitigating control.
  Log of background job execution:
  INFO: -
  Scheduling Job =>16----
  Mar 28, 2011 4:00:00 AM com.virsa.cc.xsys.bg.BgJob run
  INFO: --- Starting Job ID:16 (GENERATE_ALERT) - Z_SAP_GRC_AC_RAR_MITIGATION_CONTROL_ALERT_GENERATION
  Mar 28, 2011 4:00:00 AM com.virsa.cc.xsys.bg.BgJob setStatus
  INFO: Job ID: 16 Status: Running
  Mar 28, 2011 4:00:00 AM com.virsa.cc.xsys.bg.BgJob updateJobHistory
  FINEST: --- @@@@@@@@@@@ Updating the Job History -
  1@@Msg is Z_SAP_GRC_AC_RAR_MITIGATION_CONTROL_ALERT_GENERATION started :threadid: 2
  Mar 28, 2011 4:00:00 AM com.virsa.cc.xsys.bg.dao.BgJobHistoryDAO insert
  INFO: -
  Background Job History: job id=16, status=1, message=Z_SAP_GRC_AC_RAR_MITIGATION_CONTROL_ALERT_GENERATION started :threadid: 2
  Mar 28, 2011 4:00:00 AM com.virsa.cc.xsys.bg.BgJob alertGen
  INFO: @@@ Alert Generation Started @@@
  Mar 28, 2011 4:00:00 AM com.virsa.cc.xsys.bg.BgJob alertGen
  INFO: @@@ Conflict Risk Input has 1 records @@@
  Mar 28, 2011 4:00:00 AM com.virsa.cc.xsys.bg.BgJob alertGen
  INFO: @@@ Critical Risk Input has 1 records @@@
  Mar 28, 2011 4:00:00 AM com.virsa.cc.xsys.bg.BgJob alertGen
  INFO: @@@ Mitigation Monitor Control Input has 1 records @@@
  Mar 28, 2011 4:00:00 AM com.virsa.cc.comp.BackendAccessInterface alertGenerate
  INFO:  @@@@@ Backend Access Interface execution has been started @@@@@
  Mar 28, 2011 4:00:00 AM com.virsa.cc.common.util.ExceptionUtil logError
  SEVERE: null
  java.lang.NullPointerException
       at com.virsa.cc.comp.wdp.IPublicBackendAccessInterface$IStatRecInputElement.wdGetObject(IPublicBackendAccessInterface.java)
       at com.sap.tc.webdynpro.progmodel.context.NodeElement.getAttributeAsText(NodeElement.java:888)
       at com.virsa.cc.comp.BackendAccessInterface.execBAPI(BackendAccessInterface.java:401)
       at com.virsa.cc.comp.BackendAccessInterface.executeBAPI(BackendAccessInterface.java:302)
       at com.virsa.cc.comp.BackendAccessInterface.get_TcodeLog_Rec(BackendAccessInterface.java:2800)
       at com.virsa.cc.comp.BackendAccessInterface.alertGenerate(BackendAccessInterface.java:1940)
       at com.virsa.cc.comp.wdp.InternalBackendAccessInterface.alertGenerate(InternalBackendAccessInterface.java:4355)
       at com.virsa.cc.comp.wdp.InternalBackendAccessInterface$External.alertGenerate(InternalBackendAccessInterface.java:4824)
       at com.virsa.cc.xsys.bg.BgJob.alertGen(BgJob.java:1666)
       at com.virsa.cc.xsys.bg.BgJob.runJob(BgJob.java:697)
       at com.virsa.cc.xsys.bg.BgJob.run(BgJob.java:362)
  here it keeps ranting on for pages about Null Pointer Exceptions
  I'll just leave that part out
  Mar 28, 2011 4:00:29 AM com.virsa.cc.comp.BackendAccessInterface alertGenerate
  INFO:  -
  No of Records Inserted in ALTCDLOG =>16 For System =>XXX_xxx -
  Mar 28, 2011 4:00:29 AM com.virsa.cc.comp.BackendAccessInterface alertGenerate
  INFO: ==$$$===Notif Current Date=>2011-03-28==$$$==Notif Current Time=>04:00:00===$$$===
  Mar 28, 2011 4:00:29 AM com.virsa.cc.xsys.mgmbground.dao.AlertStats execute
  INFO: Start AlertStats.............
  Mar 28, 2011 4:00:29 AM com.virsa.cc.xsys.bg.BgJob alertGen
  INFO: @@@=== Alert Generation Completed Successfully!===@@@
  Mar 28, 2011 4:00:29 AM com.virsa.cc.xsys.bg.BgJob setStatus
  INFO: Job ID: 16 Status: Complete
  Mar 28, 2011 4:00:29 AM com.virsa.cc.xsys.bg.BgJob updateJobHistory
  FINEST: --- @@@@@@@@@@@ Updating the Job History -
  0@@Msg is Job Completed successfully
  Mar 28, 2011 4:00:29 AM com.virsa.cc.xsys.bg.dao.BgJobHistoryDAO insert
  INFO: -
  Background Job History: job id=16, status=0, message=Job Completed successfully
  Mar 28, 2011 4:00:29 AM com.virsa.cc.xsys.riskanalysis.AnalysisDaemonBgJob scheduleJob
  INFO: -
  Complted Job =>16----
  - Anothjer thing I noticed is that the job always adds some entries to table "ALTCDLOG" which I guess means something like "Alert T-Code Log".
  It always adds entries like:
  581 XXX_XXX userID#1 SE16 2011-03-21 07:49:44 xxx 5
  582 XXX_XXX userID#1 SM37 2011-03-21 07:55:44 xxx 5
  Where does the system get the information which T-Codes are "bad" and for which it needs to create those entries ? I have never configured anything like that in the system.
  Or is this an indicator that the authorization roles I mitigated have been used again ?
  Regards,
  Benjamin

• Delete mitigation control

  Hello
  I am testing our access request workflows and applied a try to delete mitigation control.
  The workflow is work fine, but the mitigation control still exist.
  The same problem when i try to delete a mitigation user, the workflow work fine and the mitigation user still exist.
  Mi GRC is SP 13.
  Regards-

  Hi,
  Perform the tasks listed in:
  1.Run transaction SM30
  2. Display the view GRFNPARENT in change mode
  3. Add new line
  4. Entity = SUBPROCESS
  5. Parent = ORGUNIT
  Still the problem persists.
  Regards.