Community
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Read only

GRC MSMP Issue, Request cannot be approved Mitigate Y.. Risk(s)

former_member458446
Explorer

on ‎2019 Jun 03 7:40 PM

5,497

Our current Production setup is like Role owner can approve the request even if the request has risks and it would next goto risk mitigation team to approve the request, this was working fine in development also, all of a sudden things changed, now role owner is unable to approve the request if the request has risks, I checked everything, all the msmp configurations are same as production.

I checked the path ID and the check box to approve despite risk,tried both (Checked and unchecked) it dint work

Checked the Role owner Routing enable and Rule ID GRAC_SOD.... violation is linked and the agents, I am still confused what is missing, any help would be apprecicated

Know the answer?

Help others by sharing your knowledge.

Answer

Need more details?

Request clarification before answering.

Show replies
Show replies
madhusap
Active Contributor
‎2019 Jun 04 2:49 AM

Hi Sudhakar,

Can you check following settings:

Configuration Setting 1

Stage Level setting “Approver Despite Risk” is set to “No” for your Role Owner stage

Configuration Setting 2

Parameter 1072 – Mitigation of critical risk required before approving the request is set as “NO”.

Configuration Setting 3

SPRO =>Governance, Risk and Compliance =>Access Control =>Maintain AC Applications and BRFPlus Function Mapping and check the mapping for application “Request Mitigation Policy”.

Check if request mitigation policy entry exists or not. If it does not exist this could be the reason for your issue.

These 3 settings are related to configuration to enforce approvers to mitigate the risk before approving the request.

Let me know the outcome after verification.

Regards,

Madhu

Accepted Solutions (0)

Answers (15)

Answers (15)

former_member458446
Explorer
‎2019 Jun 05 6:49 PM
0 Likes

I all, I guess I fixed the issue by doing some other changes in MSMP and AC(SPRO), I will shortly post the steps I have done, so that it would help others

Show replies
Show replies
arpita_deshpande
Associate
Associate
‎2020 Mar 22 7:25 AM
0 Likes

hi, can you please share the fixes you have made since I am also facing the same issue.

Thanks

Arpita

former_member458446
Explorer
‎2019 Jun 05 3:41 PM
0 Likes

failed.jpg, done with the recommended settings and activated the msmp version, still failed.

Show replies
Show replies
former_member458446
Explorer
‎2019 Jun 05 3:02 PM
0 Likes


Hi Ramesh,Thank you I will try that now and update you how it went

Show replies
Show replies
RameshVithanala
Active Participant
‎2019 Jun 05 2:53 PM
0 Likes

Hi Sudhakar,

If Approve Despite Risk is checked then role owner can approve the GRC request with out any mitigation control.

RT Config change is your task setting screenshot,what it do is the configuration applies to the existing GRC requests.

Thanks

Ramesh

Show replies
Show replies
former_member458446
Explorer
‎2019 Jun 05 1:53 AM
0 Likes

Hi Ramesh,

if Approve Despite Risk is checked, then role owner might be forced to approve the risk after mitigation right, our requirement is role owner should be allowed to approve the request even if it had risks and risk mitigation team should be not be allowed to approve without mitigation.

The change user is routing to Role owner not manager, yes we have one stage as role owner approval and detour path is to send the request to Risk mitigation team

What is RT config change? where do you see this? does it needs to be checked?

let me know if you need any additional details

Thanks

Show replies
Show replies
RameshVithanala
Active Participant
‎2019 Jun 04 5:18 PM
0 Likes

And also I noticied RT Config Change OK is not checked.

Thanks

Show replies
Show replies
RameshVithanala
Active Participant
‎2019 Jun 04 5:14 PM
0 Likes

Approve Despite Risk is not checked and also is change user path going to manager for approval?(as per the path I see only one stage)

Thanks

Ramesh

Show replies
Show replies
former_member458446
Explorer
‎2019 Jun 04 3:57 PM
0 Likes

Please find the details, let me know if you need any additional screenshots, I can share1.jpg2.jpg3.jpg4.jpg5.jpg

Show replies
Show replies
former_member458446
Explorer
‎2019 Jun 04 3:44 PM
0 Likes

Hi Madhu, I agreeing with your approach but selling your idea to existing landscape will be a challenge, I will share the details of work flow shortly

Show replies
Show replies
RameshVithanala
Active Participant
‎2019 Jun 04 1:25 PM
0 Likes

Hi Sudhakar,

Can you share more details(screenshots would help) about the your paths(stage level settings)/agents/routing rules?

Thanks

Ramesh

Show replies
Show replies
former_member458446
Explorer
‎2019 Jun 04 6:46 AM
0 Likes

Hi Madhu, you are correct, I tested by only adding back the risk mitigation policy back

SPRO =>Governance, Risk and Compliance =>Access Control =>Maintain AC Applications and BRFPlus Function Mapping and check the mapping for application “Request Mitigation Policy”. and Config 1 we already had unchecked and config two, I still kept it as YES. and role owner was able to approve the request without mitigating means its now back to operation how it was working before Thanks, but we want to achieve something else like risk mitigation should be done at risk mitigation stage and the request should pass or complete with getting mitigated, as part of that solution suggested by SAP we removed the request mitigation policy from SPRO, please suggest if you have any better suggestion to force mitigation at risk mitigation stage and not allow them to approve until the request is mitigated.

Show replies
Show replies
madhusap
Active Contributor
‎2019 Jun 04 9:52 AM
0 Likes

Hi Sudhakar,

Can i understand your workflow process flow?

Following is my approach: (May not work with all clients but so far I am able to make clients agree for this approach)

I will usually design my workflows in a way that they will go to risk reviewers or compliance team for review before they get routed to Managers or Role Owners. I will make compliance team as the people who review the risk violations and provide their recommendations together with assignment of mitigating controls. If there are HIGH or CRITICAL risks which are not allowed for end users then the request should be REJECTED by compliance team.

Now Managers or Role Owners will approve the assignments access as well as proposed mitigating control assignments by compliance team as these MC assignments will not get assigned to user until the request is completed and for request completion Managers and Role Owners need to provide their approval.

This way first stage will be compliance team or Risk Reviewers who must take some action on risks and other approvers have the capability to approve/reject assignments.

Regards,

Madhu

former_member458446
Explorer
‎2019 Jun 04 2:13 AM
0 Likes

Thanks Sri, when I unchecked/checked the despite risk message, I generated the version, but no luck

Show replies
Show replies
Sri_S1
Active Participant
‎2019 Jun 03 9:06 PM
0 Likes

Sudhakar,

Please try by generating a new MSMP version and see if it works?

Thanks,

Sri.

Show replies
Show replies
former_member458446
Explorer
‎2019 Jun 03 8:55 PM
0 Likes

GRCFND_A V110000 22 I dont see any error messages in SLG1, yes 1071,72 and 73 are YES and EUP i dont think its related with this

Show replies
Show replies
RameshVithanala
Active Participant
‎2019 Jun 03 8:41 PM
0 Likes

Sudhakar,

Did you check DEBUG Monitor,SLG1 logs,Any configuration/parameter/MSMP/EUP changed in your development system and also share your GRC version and SP level.

Thanks

Ramesh

Show replies
Show replies
Ask a Question