Mitigating Control Management Approver

Hello,
What is the significance of the Management Approver when creating a Mitigating Control?  I do not see any approval process in GRC .  Does this relate to setting up workflow?
thanks
Tammi

Hi Tammi,
Do you have any process documentation on mitigating controls?  I don't need to know how to create them in GRC - I've got that covered.  However from a non technical audit perspective, there's a process around creating a control, prior to having to set it up in the system.  Do you have anything in that area?
If you do and you don't mind sharing, I would most appreciate it.
Thanks,
Santosh

Similar Messages

  • Mitigation control errors out in CUP approval

    We are on GRC 5.3 SP8 and I am trying to create a mitigating control in RAR.  Once it goes for approval into CUP, it erroru2019s out when I try to approve it.  Here is the message:
    2010-05-25 10:57:43,367 [SAPEngine_Application_Thread[impl:3]_9] ERROR com.virsa.ae.commons.utils.StringEncrypter$EncryptionException: Invalid PKCS#5 padding length: 32
    com.virsa.ae.service.ServiceException: com.virsa.ae.commons.utils.StringEncrypter$EncryptionException: Invalid PKCS#5 padding length: 32
         at com.virsa.ae.accessrequests.bo.RequestExitServiceHelper.getCCDocument(RequestExitServiceHelper.java:315)
         at com.virsa.ae.accessrequests.bo.RequestExitServiceHelper.callCCExitService(RequestExitServiceHelper.java:263)
         at com.virsa.ae.accessrequests.bo.RequestExitServiceHelper.callExitServiceForApprovedRequest(RequestExitServiceHelper.java:51)
         at com.virsa.ae.accessrequests.bo.RequestBO.callExitService(RequestBO.java:5391)
         at com.virsa.ae.accessrequests.bo.RequestBO.approveRequest(RequestBO.java:5230)
         at com.virsa.ae.accessrequests.bo.RequestBO.approveRequest(RequestBO.java:5023)
         at com.virsa.ae.accessrequests.actions.RequestViewAction.confirmRequestApproval(RequestViewAction.java:946)
         at com.virsa.ae.accessrequests.actions.RequestViewAction.execute(RequestViewAction.java:103)
         at com.virsa.ae.commons.utils.framework.NavigationEngine.execute(NavigationEngine.java:295)
         at com.virsa.ae.commons.utils.framework.servlet.AEFrameworkServlet.service(AEFrameworkServlet.java:431)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
         at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.doWork(RequestDispatcherImpl.java:321)
         at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:377)
         at com.virsa.ae.commons.utils.framework.servlet.AEFrameworkServlet.service(AEFrameworkServlet.java:461)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
         at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.doWork(RequestDispatcherImpl.java:321)
         at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:377)
         at com.virsa.ae.commons.utils.framework.servlet.AEFrameworkServlet.service(AEFrameworkServlet.java:461)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
         at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
         at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1039)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
         at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
         at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
         at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
         at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
         at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
         at java.security.AccessController.doPrivileged(AccessController.java:219)
         at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:104)
         at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:176)
    Caused by:
    com.virsa.ae.commons.utils.StringEncrypter$EncryptionException: Invalid PKCS#5 padding length: 32
         at com.virsa.ae.commons.utils.StringEncrypter.decrypt(StringEncrypter.java:200)
         at com.virsa.ae.accessrequests.bo.RequestExitServiceHelper.getCCDocument(RequestExitServiceHelper.java:305)
         ... 32 more
    Thanks,
    Peggy

    Hello Peggy,
      Did you recently upgraded your NW Java Support package? If yes, then kindly check the SAP Note "1417651 - Unable to retrieve connector & application configuration"
    The problem is coming due to change in NW encryption algorithm and impacted GRC as well. This is fixed in SP10 of GRC.
    Regards, Varun

  • Error when trying to approve a mitigation control in CUP

    Hi,
    I have created a Mitigation Control in RAR and set-up the necessary workflow. The request ends up in CUP and the approver is able to see the request when he/she logs in, however the approver cannot approve or reject the request.
    The following error messages appear:
    - Approve: Error processing your request, Request no: 2 in stage : MITIGATION
    - Reject: Error rejecting request no: 2
    I have check the workflow many times now and I have also checked the mitigation URL's.
    Any idea what the problem can be?
    Thanks.

    Thank you for your response. No the approver is not part of the DL. I just added the approver to the workflow (CAD).
    Please find log details below:
    2010-03-18 16:09:32,729 [SAPEngine_Application_Thread[impl:3]_8] ERROR Service call exception; nested exception is:
         com.sap.engine.services.webservices.jaxrpc.exceptions.InvalidResponseCodeException: Invalid Response Code: (401) Unauthorized. The requested URL was:"http://vgrdci.sap.client.co.za:51900/VirsaCCWFExitService5_2Service/Config1?style=document"
    java.rmi.RemoteException: Service call exception; nested exception is:
         com.sap.engine.services.webservices.jaxrpc.exceptions.InvalidResponseCodeException: Invalid Response Code: (401) Unauthorized. The requested URL was:"http://vgrdci.sap.client.co.za:51900/VirsaCCWFExitService5_2Service/Config1?style=document"
         at com.virsa.ae.request.ws.cc.Config1BindingStub.execWFExitService(Config1BindingStub.java:87)
         at com.virsa.ae.request.ws.cc.Config1BindingStub.execWFExitService(Config1BindingStub.java:96)
         at com.virsa.ae.accessrequests.bo.RequestExitServiceHelper.callCCExitService(RequestExitServiceHelper.java:263)
         at com.virsa.ae.accessrequests.bo.RequestExitServiceHelper.callExitServiceForApprovedRequest(RequestExitServiceHelper.java:51)
         at com.virsa.ae.accessrequests.bo.RequestBO.callExitService(RequestBO.java:5335)
         at com.virsa.ae.accessrequests.bo.RequestBO.approveRequest(RequestBO.java:5174)
         at com.virsa.ae.accessrequests.bo.RequestBO.approveRequest(RequestBO.java:4967)
         at com.virsa.ae.accessrequests.actions.RequestViewAction.confirmRequestApproval(RequestViewAction.java:928)
         at com.virsa.ae.accessrequests.actions.RequestViewAction.execute(RequestViewAction.java:103)
         at com.virsa.ae.commons.utils.framework.NavigationEngine.execute(NavigationEngine.java:271)
         at com.virsa.ae.commons.utils.framework.servlet.AEFrameworkServlet.service(AEFrameworkServlet.java:425)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
         at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.doWork(RequestDispatcherImpl.java:321)
         at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:377)
         at com.virsa.ae.commons.utils.framework.servlet.AEFrameworkServlet.service(AEFrameworkServlet.java:455)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
         at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.doWork(RequestDispatcherImpl.java:321)
         at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:377)
         at com.virsa.ae.commons.utils.framework.servlet.AEFrameworkServlet.service(AEFrameworkServlet.java:455)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
         at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
         at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1039)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
         at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
         at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
         at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
         at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
         at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
         at java.security.AccessController.doPrivileged(AccessController.java:219)
         at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:104)
         at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:176)
    Caused by:
    com.sap.engine.services.webservices.jaxrpc.exceptions.InvalidResponseCodeException: Invalid Response Code: (401) Unauthorized. The requested URL was:"http://vgrdci.sap.client.co.za:51900/VirsaCCWFExitService5_2Service/Config1?style=document"
         at com.sap.engine.services.webservices.jaxrpc.wsdl2java.soapbinding.MimeHttpBinding.handleResponseMessage(MimeHttpBinding.java:998)
         at com.sap.engine.services.webservices.jaxrpc.wsdl2java.soapbinding.MimeHttpBinding.call(MimeHttpBinding.java:1449)
         at com.virsa.ae.request.ws.cc.Config1BindingStub.execWFExitService(Config1BindingStub.java:80)
         ... 33 more

  • GRC AC V10 - Mitigation Control Approval Workflow

    Hi guys,
    can me explain somebody the difference between the processID SAP_GRAC_CONTROL_ASGN und SAP_GRAC_CONTROL_MAINT?
    And as well can somebody provide me the initiator rule ID for both so that we can have a detailed look into the brfplus rule.
    We only want to mitigate controls via an controlowner approval and not a process for the creation of new controls.
    That means an asisgnment approval workflow for mitigation controls.
    Thanks a lot.

    Hello Alexa,
    Did you ever employ SAP_GRAC_CONTROL_ASGN ? Were you able to identify the included agents ?
    I am interested in identifying approvers for mitigating controls who can be included in the workflow but are not risk owners. Would you have any suggestions for this type of agent ?
    Any information would be appreciated.
    Thanks,
    Jamie

  • Query on Mitigation Control

    Hi all,
    We have configured Mitigation Controls and mitigated some of the users. We have the following queries in this regard:
    a) When we run the SoD anlaysis for that particular user we could able to see only half description of the Mitigation Control.
    Is there any limitation for the space or the parameters for the Mitigation Control Description.We are unable to see the entire description of the Mitigation Control (If the mitigation control is more than 7-8 lines) in the Detailed Report screen as well. Even after downloading into a spreadsheet also we are getting only the part of the mitigation control and not the entire description of the mitigation control
    b) A risk ID can be addressed by 2 or 3 mitigation controls. In this scenario,we have assigned 2-3 mitigation controls to one Mitigated user for mitigation. When we run SoD analysis we could able to see only the latest mitigation control assigned to the user in the report format (say out of 3 assigned only the 3rd one assigned is being shown).
    But when we did a search for Mitigation controls with  the Risk ID & User ID combination then it is throwing all the 3 mitigation controls. But the same is not shown in SoD violations reports
    Is there anything to do with the parameters set up or at the configuration side to resolve this.
    Please provide the procedure also in case of any changes to be made at configuration level.
    Thanks and Best Regards,
    Sri

    Hi Vit,
    Thanks for your reply. We crosschecked and you are correct that the space limitation is only for 132 characters in this table.
    Is there a way to get the mitigation control whole description or do we need to stick to this limitation itself.
    Also, when we did a search for Mitigation Control it gives only Mit.ID, Mit Control Desc, BU and Management approver. Whether there are any tables (from SAP Backend) or reports where we can get the Risk Ids including the above addressed by the mitigation controls.
    Thanks and Best Regards,
    Sri

  • GRC AC RAR: Comprehension question Mitigating Controls

    Hello all,
    I have a small comprehension question regarding Mitigating Controls.
    Situation:
    We have identified some authorization roles that contained lots of risks and we decided that they should not be used anymore. I therefore had our admins remove those roles from all the userIDs and update the role descriptions so it is clear that these roles are obsolete and must not be used anymore. For specific reasons we are currently not able to archive those roles in order to remove them from the system (can't delete them either for unclarified data retention questions).
    What has been done:
    1. I have created the necessary userIDs for Management Approver, Monitor, etc. in tab Mitigation -> Administrators -> Create
    2. I have created the necessary business unit and assigned to userIDs created in 1. in tab Mitigation -> Business Units -> Create
    3. I have created a Mitigation Control "Obsolete Roles" in tab Mitigation -> Mitigating Controls -> Create
    4. Within the Mitigatin Control I have mitigated all associated risks in tab "Associated Risks", added a userID in tab "Monitors" and I have added all the obsolete roles using the button "Mitigate roles"
    What I want to achieve:
    - Roles should not show up in the analysis anymore -> I've checked that and it works as expected
    - I now want the userID I added in tab "Monitors" and when mitigating the roles to regularly check in the SAP system whether the mitigated roles have been assigned to any userIDs again (using PFCG or any other suitable report in the system).
    Can I achieve that by using tab "Reports" within the Mitigating Control ?
    If I provide the system in column "System", provide "PFCG" in column "Action", "Use PFCG to check is role is assigned again" in "Description", add the userID in tab "Monitor" and set Frequency to "4" this would mean that that userID needs to check whether the roles have been used again at least every 4 weeks ?
    Will the system automatically send a reminder eMail to that userID every 4 weeks or does the user have to check the RAR manually in order to see "his/her" tasks ?
    Regards,
    Benjamin

    Hi Jwalant,
    sorry for my late reply, but I have waited for a few weeks to make be sure wheather the way you described works or not.
    - The background job gets executed once a week and finishes without any error.
    - The only thing that doesn't work is that the userID that I maintained in clolumn "monitor" and for which I defined a mitigation control which has to be executed every 2-weeks (using column "report") does NOT get a mail from the system that reminds him/her to execute the mitigating control.
    Log of background job execution:
    INFO: -
    Scheduling Job =>16----
    Mar 28, 2011 4:00:00 AM com.virsa.cc.xsys.bg.BgJob run
    INFO: --- Starting Job ID:16 (GENERATE_ALERT) - Z_SAP_GRC_AC_RAR_MITIGATION_CONTROL_ALERT_GENERATION
    Mar 28, 2011 4:00:00 AM com.virsa.cc.xsys.bg.BgJob setStatus
    INFO: Job ID: 16 Status: Running
    Mar 28, 2011 4:00:00 AM com.virsa.cc.xsys.bg.BgJob updateJobHistory
    FINEST: --- @@@@@@@@@@@ Updating the Job History -
    1@@Msg is Z_SAP_GRC_AC_RAR_MITIGATION_CONTROL_ALERT_GENERATION started :threadid: 2
    Mar 28, 2011 4:00:00 AM com.virsa.cc.xsys.bg.dao.BgJobHistoryDAO insert
    INFO: -
    Background Job History: job id=16, status=1, message=Z_SAP_GRC_AC_RAR_MITIGATION_CONTROL_ALERT_GENERATION started :threadid: 2
    Mar 28, 2011 4:00:00 AM com.virsa.cc.xsys.bg.BgJob alertGen
    INFO: @@@ Alert Generation Started @@@
    Mar 28, 2011 4:00:00 AM com.virsa.cc.xsys.bg.BgJob alertGen
    INFO: @@@ Conflict Risk Input has 1 records @@@
    Mar 28, 2011 4:00:00 AM com.virsa.cc.xsys.bg.BgJob alertGen
    INFO: @@@ Critical Risk Input has 1 records @@@
    Mar 28, 2011 4:00:00 AM com.virsa.cc.xsys.bg.BgJob alertGen
    INFO: @@@ Mitigation Monitor Control Input has 1 records @@@
    Mar 28, 2011 4:00:00 AM com.virsa.cc.comp.BackendAccessInterface alertGenerate
    INFO:  @@@@@ Backend Access Interface execution has been started @@@@@
    Mar 28, 2011 4:00:00 AM com.virsa.cc.common.util.ExceptionUtil logError
    SEVERE: null
    java.lang.NullPointerException
         at com.virsa.cc.comp.wdp.IPublicBackendAccessInterface$IStatRecInputElement.wdGetObject(IPublicBackendAccessInterface.java)
         at com.sap.tc.webdynpro.progmodel.context.NodeElement.getAttributeAsText(NodeElement.java:888)
         at com.virsa.cc.comp.BackendAccessInterface.execBAPI(BackendAccessInterface.java:401)
         at com.virsa.cc.comp.BackendAccessInterface.executeBAPI(BackendAccessInterface.java:302)
         at com.virsa.cc.comp.BackendAccessInterface.get_TcodeLog_Rec(BackendAccessInterface.java:2800)
         at com.virsa.cc.comp.BackendAccessInterface.alertGenerate(BackendAccessInterface.java:1940)
         at com.virsa.cc.comp.wdp.InternalBackendAccessInterface.alertGenerate(InternalBackendAccessInterface.java:4355)
         at com.virsa.cc.comp.wdp.InternalBackendAccessInterface$External.alertGenerate(InternalBackendAccessInterface.java:4824)
         at com.virsa.cc.xsys.bg.BgJob.alertGen(BgJob.java:1666)
         at com.virsa.cc.xsys.bg.BgJob.runJob(BgJob.java:697)
         at com.virsa.cc.xsys.bg.BgJob.run(BgJob.java:362)
    here it keeps ranting on for pages about Null Pointer Exceptions
    I'll just leave that part out
    Mar 28, 2011 4:00:29 AM com.virsa.cc.comp.BackendAccessInterface alertGenerate
    INFO:  -
    No of Records Inserted in ALTCDLOG =>16 For System =>XXX_xxx -
    Mar 28, 2011 4:00:29 AM com.virsa.cc.comp.BackendAccessInterface alertGenerate
    INFO: ==$$$===Notif Current Date=>2011-03-28==$$$==Notif Current Time=>04:00:00===$$$===
    Mar 28, 2011 4:00:29 AM com.virsa.cc.xsys.mgmbground.dao.AlertStats execute
    INFO: Start AlertStats.............
    Mar 28, 2011 4:00:29 AM com.virsa.cc.xsys.bg.BgJob alertGen
    INFO: @@@=== Alert Generation Completed Successfully!===@@@
    Mar 28, 2011 4:00:29 AM com.virsa.cc.xsys.bg.BgJob setStatus
    INFO: Job ID: 16 Status: Complete
    Mar 28, 2011 4:00:29 AM com.virsa.cc.xsys.bg.BgJob updateJobHistory
    FINEST: --- @@@@@@@@@@@ Updating the Job History -
    0@@Msg is Job Completed successfully
    Mar 28, 2011 4:00:29 AM com.virsa.cc.xsys.bg.dao.BgJobHistoryDAO insert
    INFO: -
    Background Job History: job id=16, status=0, message=Job Completed successfully
    Mar 28, 2011 4:00:29 AM com.virsa.cc.xsys.riskanalysis.AnalysisDaemonBgJob scheduleJob
    INFO: -
    Complted Job =>16----
    - Anothjer thing I noticed is that the job always adds some entries to table "ALTCDLOG" which I guess means something like "Alert T-Code Log".
    It always adds entries like:
    581 XXX_XXX userID#1 SE16 2011-03-21 07:49:44 xxx 5
    582 XXX_XXX userID#1 SM37 2011-03-21 07:55:44 xxx 5
    Where does the system get the information which T-Codes are "bad" and for which it needs to create those entries ? I have never configured anything like that in the system.
    Or is this an indicator that the authorization roles I mitigated have been used again ?
    Regards,
    Benjamin

  • SAP GRC AC10 Common Practices on Mitigation Control

    Hi all,
    Currently, our company is implementing the GRC tool globally and we are required to set up mitigation control. I would like to get some ideas about what structures are used in various companies. And are those mitigation control align with the internal audit practices?
    We are having some initial idea that setting up template for those mitigation control, but should these be applied to all companies? And if we set up in this way, do we still need to identify any approver and monitor in local organization?
    And the mitigation controls should be owned by global organization or compliance department or local organization?
    Please help.
    Thx!

    Hi "GRC_SAP_AUDIT"
    I presume that you have a single Global Ruleset used within the company to define the risks across the company, but some risks may not be applicable or realistically avoidable in certain parts of the organisation in different countries due to the possible nature of a "Small office" structure (i.e. a small team doing various types of job tasks which are bound to cause SOD conflicts etc). So you may want to create a control for a risk in one area/region, but not for another. This is all possible with GRC AC.
    You can have a Specific Risk assigned to as many Mitigating Control definitions; therefore if you had different controls in different countries for that risk, e.g. UK Risk F001 is to have control X applied, whilst USA Risk F001 is to have control Y applied, it is good practice to define it that way.
    With the example above, you can then assign regional Control Owners and Monitors. Usually, I recommend giving the ownership of controls to the regional/company/departmental leads (depending on your org structure) who would manage the control, as I strongly feel that this has to be business driven. The decision of what approach to take is yours, as you have to see what will be the best solution to implement within your organisation.
    Hope this helps. If you wish to add any further detail, im sure the forum members are happy to help.

  • Mitigating controls

    Good day all,
    I have been tasked with creating "generic" mitigating controls for all risks in our 5.3 GRC installation. This means I must develop about 280 general mitigating controls. This is so that when we do an install at a client, we can assist them quickly to populate the mitigating risks. Has anyone done this? If so would you be able to share the information with me.
    Thank you
    Regards
    Jill

    Dear Jill,
    The controls should address the risks associated with the processes represented by sub processes,activities.This -control - is scenario specific.A control that could be effective for a scenario may be ineffective for the other.For example a depot - tiny retail outlet having a low volume of Turnover-manager can handle issue of goods,invoicing and the receipt of money.But this scenario will be a serious SOD issue for scenarios other than for tiny retail outlets.controls are complex in nature and work differently for different scenarios..
    The control environment,Firm's maturity,management's risk appetitte-all these have a telling effect on the risks and controls.
    While a general understanding of the risks and the relevant controls is certainly a good idea;adapting generic controls to the business situations without analysing the risks,its impact will be dangerous.Any control before being implemented should be simulated and approved by the risk/control/process owners.
    My 2 cents.
    Regards
    Ramesh

  • Workaround for non-SAP mitigating control reminders

    Dear all,
    Our business users would like to document mitigating controls in RAR 5.3 regardless of whether they are connected with an SAP report. They would also like to receive email reminders for those controls.
    Unfortunately, the frequency of the control can only be defined per connected SAP report and reminders will only be sent for controls if the SAP report has not been executed.
    Have you been exposed with a similar requirement? It seems like a natural thing to ask from a business perspective. RAR 5.3, however, is not designed in that way.
    Have you come up with any feasible workarounds for this?
    My current approach would be to create a dummy Z-report per SAP system (such as Z_MANUAL_MITCTRL) that control monitors have to call once to confirm the execution of their control.
    Cheers and best regards
    Patrick

    Hello,
    Regarding your question, in fact this is dependant on how your UME (User Management Engine) is configured on your WAS (Web Application Server). If the UME is connected to your R/3 back-end then the user need to have a R/3 account to connect to CC, otherwise if your UME is "independant" then you just need to create an account in the UME.
    Regards,
    Jérôme.

  • CUP-5.3-SP13-Mitigation Controls by rol/users

    Hi all!
    Since RAR consider mitigations contros both by rol and users, If I have the role ZROL1 mitigated for the ID risk P001* then, would be able CUP to consider this mitigation control even when CUP is managing users?
    I mean, if ZROL1 has a mitigation control, would appear at the request the ID risk whenever I add this role to a user?
    Many thanks in advance! any help would be welcomed.
    Margarita.

    Hi Margarita,
    If you want it will consider the role level mitigation controls. So in the request risk violation will not be shown.
    For this u need check the option, consider mitigation control in CUP. Configuration-> Risk anlsysis.
    Also in RAR following things needs to be done.
    RAR Configuration->Risk analysis-> Defaults values.
    Exclude mitigated Risk as yes.
    RAR Configuration-> Risk Analysis ->Additional options
    Include Role/Profile Mitigating Controls in User Analysis  as yes.
    If above values are defined as No. than Risk Voilation will be shown in the request.
    Kind Regards,
    Srinivasan

  • GRC AC10 Mitigation Control Temporary Tables

    Hi everyone,
    I'm trying to find the table where GRC stores the organizational unit for a new mitigation control before the request is approved. As I could see, after approval (when the control is created) they are moved to HRP1000, 1001, etc.
    I've also tried with system trace (ST01 and ST05) but I could only find these tables: GRFNMWRTINST, GRFNMWRTINSTAPPL. Unfortunately I've checked them but they don't store OU data.
    Maybe it is stored in an XML file and that's why I cant reach the table.
    If you have any idea or any experience to share, I would really appreciate it!
    Thanks and regards,
    Fernando

    Hi Fernando
    Maybe it is stored in an XML file and that's why I cant reach the table.
    I was trying to figure out the same thing and suspected that was the case. Or if there might be a temporary text file
    I hope someone here can clear it up. But it's a bit annoying in the approach as you cannot tell what changes have been requested or compare changes to current. Hope SAP eventually cleans this up.
    Might need to trace it to identify the function module that is used by approver to view the request?
    Regards
    Colleen

  • Disable mitigation control workflow

    Hi community,
    one pretty simple question: I would like to be disable the mitigation control workflow, meaning, I would like to be able to directly save mitigation controls, without sending this through an approval process. I cannot find the associated activity in the spro. Can you please assist me on this?
    The way I saw this some time ago was that, if one disabled the mitigation control workflow, the Save button was visible in the mitigation control maintenance screen. When the workflow was enabled, the Submit button was visible (which, of course, makes sense). Now, I would like to be able to do this change.
    I did also look into transaction GRFNMW_CONFIGURE_WD - nothing suspicious here.
    Any help is highly appreciated. Thanks in advance!
    EM

    Hi EM,
    Please set 1061 and 1062 to NO as per your requirement for mitigation assignment and mitigation maintenance.
    BR,
    Mangesh

  • Implementing Mitigation Control IDs

    Hi,
    We are planning to implement mitigation control ids in GRC. Currently we are only having 1 mitigation control id and all the users are mitigated into this id.
    Now, the plan is to include the mitigation control advise/comments by the SOD approvers into the GRC and thus by introducing multiple mitigation control id we could achieve this.
    In our system users are mapped as per the Business Unit and we have around 25-30 business units. so each BU is have a seprate mitigation control approval (SOD Approver).
    We have around 150 Risk IDs.
    We are not able to understand how to design mitigation control IDs in such case? Is it a best practice to create mitigation control ID for each Risk ID in the system (May be we can group similar Risk IDs)? Your help is appreciated.
    Thanks,
    Umesh

    Hi Umesh,
    No, for 1 Mitigation COntrol there are serveral Monitors and users who are mitigated are added to only 1 mitigation control id.
    Which means you have multiple people monitoring every risk in your system. Does all of the monitors belong to the same functional group?? If yes, what happens if there is a risk in other functional groups? How they can identify and monitor it??
    If no, why a FI functional group monitor, needs to monitor the risk related to other groups?
    Can you pls explain more on primary and secondary functions?
    If the risk is related to one functional area only, the respective functional area will own it. If it is a cross functional risk, then it will be owned by both the functional area managers, which is often referred as primary and secondary functions.
      and what are the disadvantage of creating 1 mitigation control id for each risk (may be grouping some risks) considering the fact that we have 25 business units.
    It is just like giving 1 coke with 100 straws while you still have a stock in your refrigerator
    Regards,
    Raghu

  • Creating Mitigation Control from CUP

    Hi Guys,
    Is this feature implemented in Access Control???? Or Stills as enhancement

    Hi Alpesh
    In order to your answer... Can you help me to identify what I doing wrong when I want to approve a mitigate control in CUP.
    Path 1 : Approve request
    Stage 1: Request
    Stage 2: Security
    Stage 3: Role Owner
    Detour Path:
    Type: CUP
    Stage: Role Owner
    Condition: SoD Review
    Detour Path: Path 2
    Path 2:
    Stage 1: Approval -- > CAD : Mitigation Monitor
    The request is send to the Mitigation Monitor but when we try to approve request show the next error:
    2010-03-30 14:10:26,390 [SAPEngine_Application_Thread[impl:3]_25] ERROR  Mitigation control TEST_5.1 could not be saved for user PRUEBAGRC_6
    com.virsa.ae.core.BOException: Exception from the service : Mitigation record doesn't exist
         at com.virsa.ae.accessrequests.bo.MitigationControlBO.insertMitigationControl(MitigationControlBO.java:207)
         at com.virsa.ae.accessrequests.bo.MitigationControlBO.saveMitigationControls(MitigationControlBO.java:321)
         at com.virsa.ae.accessrequests.bo.RequestBO.callAEExitService(RequestBO.java:6993)
         at com.virsa.ae.accessrequests.bo.RequestBO.callExitService(RequestBO.java:6748)
         at com.virsa.ae.accessrequests.bo.RequestBO.approveRequest(RequestBO.java:6600)
         at com.virsa.ae.accessrequests.bo.RequestBO.approveRequest(RequestBO.java:6393)
         at com.virsa.ae.accessrequests.actions.RequestViewAction.confirmRequestApproval(RequestViewAction.java:949)
         at com.virsa.ae.accessrequests.actions.RequestViewAction.execute(RequestViewAction.java:104)
         at com.virsa.ae.commons.utils.framework.NavigationEngine.execute(NavigationEngine.java:295)
         at com.virsa.ae.commons.utils.framework.servlet.AEFrameworkServlet.service(AEFrameworkServlet.java:431)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
         at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.doWork(RequestDispatcherImpl.java:321)
         at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:377)
         at com.virsa.ae.commons.utils.framework.servlet.AEFrameworkServlet.service(AEFrameworkServlet.java:461)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
         at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.doWork(RequestDispatcherImpl.java:321)
         at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:377)
         at com.virsa.ae.commons.utils.framework.servlet.AEFrameworkServlet.service(AEFrameworkServlet.java:461)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
         at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
         at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1039)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
         at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
         at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
         at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
         at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
         at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
         at java.security.AccessController.doPrivileged(Native Method)
         at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:102)
         at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:172)
    Caused by: com.virsa.ae.service.ServiceException: Exception from the service : Mitigation record doesn't exist
         at com.virsa.ae.service.sap.MitigationControlWS52DAO.checkForSuccess(MitigationControlWS52DAO.java:832)
         at com.virsa.ae.service.sap.MitigationControlWS52DAO.executeUpdateUserMitigation(MitigationControlWS52DAO.java:287)
         at com.virsa.ae.service.sap.MitigationControlWS52DAO.insertUserMitigation(MitigationControlWS52DAO.java:309)
         at com.virsa.ae.accessrequests.bo.MitigationControlBO.insertMitigationControl(MitigationControlBO.java:195)
    Can you help me please?? All URI are OK.
    Thanks !!!!
    Edited by: Karen_sans on Mar 31, 2010 7:45 PM

  • Credit Management Approval-Reg

    Hi,
    I am in a implementation of SD. where in we have credit management is activated. Here the requirement is like as follows:
    Client Wanted the three approval  Hierarchy Like Credit Control Manager, Finance Manager & Managing Director.
    These three levels will have the certain limit. Like Over all limit to Customer is
    $ 20000/-
    Credit Control Manager : $5000
    Finance Manager : $5001 to $15000
    Managing Director:$15001 t0 $20000
    Can we have the above mentioned way to know the appoval process for Credit limits.Can any one list and provide the solution to my requirement.
    Thanks & Regards
    Srinivasa Rao P

    Have a same requirement. Keeping myself posted on this thread. Thnks!

Maybe you are looking for

  • Installation problems Officejet 5610 All in One on Windows 8.1 64 bit

    I have a HP Officejet 5610 All-in-One printer that I have  had for a few years. It has worked well on the old computer but the computer died. I purchased a new Dell Laptop with the Windows 8.1 64 bit operating system. The printer works fine but the s

  • FileDownload from Content-Server (Knowledge Provider)

    Hi, I am trying to download a File via FileDownload UI from the Conent-Server. The Files are from Type: Knowledge Provider (KPro).  I get the following InputStream (Character from 01-12 + Binary from 13-17) : I need only the binary part, the lines fr

  • Monitoring of RFC

    Hi, I have a very simple question but I have forgotten how to do this. I try to call a BAPI via XI. Where in the XI environment can I monitor or check, which RFC call got to the XI system and why error occurs. Thanks for your assistance. Regards Flor

  • Does anyone have a solution for the unstability on ios6

    Hi, i have recently downloaded and installed the latest software, ios6.    I really like the updated theme (i.e. I like the music player screen and the app store layout) However, i am sorely disappointed with the performance. The software is very uns

  • Error when Executing the Report - No Authorization for Multiprovider

    Hello Experts, After the upgrade has carried out in my Quality system, I'm unable to execute a query because of the authorization issue with Multiprovider. But earlier the same Authorization was assigned to the my ID. The Role in Q and the Role in P