
SAP GRC Access Control: Suggestion for Mitigating Control Naming Convention

reza_ahoui2
Participant

Hi

The mitigating control ID has a 10-character limit. Any suggestion for a naming convention for the mitigating control ID (and its name) would be much appreciated.

Thanks

Reza Ahoui

Accepted Solutions (0)

Answers (2)


reza_ahoui2
Participant

Hi Marcelo and Pau

Many thanks for your answers and contributions.

I liked the suggestion by Marcelo of having a numeric suffix at the end, as this would add more flexibility when not all the scenarios are thought of at the beginning of the project. I also agree with Pau that it would be very useful to use all 10 characters to convey as much information as possible.

I saw another post for the same subject:

https://answers.sap.com/questions/12123208/best-practice-for-mit-control-naming-convention.html

At the moment we are handling access control risks in SAP roles and I thought one way of naming the mitigating controls would be something like this:

Mitigation Control ID: <Access Risk ID>_<Stream Code><numeric suffix>

For example, if we have a custom risk for critical actions within retail master data business process (ZRMD1) and would like to mitigate such risk in some of the finance (FIN) roles the mitigating control would be ZRMD1_FIN1.

Thanks

Reza Ahoui

Monsores
Active Participant

Hi Reza.

I think that the Mitigating Controls naming pattern depends a bit on your mitigation strategy.

If you have one control per risk, for example, they can be named as MIT_ followed by the Risk ID.

If you have more than one, you can add a numeric suffix to this pattern (depending on the size of your risk IDs).

Regards,

Marcelo Monsores

pau_torregrosa
Participant

Hi,

A couple of thoughts come to mind with this naming convention, I'm opening a debate :):

- What is the use of spending 3 of 10 characters (MIT_) on something that we already know? I mean, all Mitigation Controls will have "MIT_" because there is only one type of Mitigation Control you can put in the system; it's not like roles, where we have single, derived or composite, and you might need a character to differentiate them at first sight. If we have limited characters, let's use them to provide relevant information to the user. Maybe if you want to differentiate between preventive or detective Controls you might want to use a character for that.

- I would say that Mitigation Controls are more oriented to control Functions instead of Risks, right? For instance, you might have many risks where GL Journal Entry creation is involved, and one of your Controls might be reviewing somehow all JEs from last month. That control will apply to all the Risks where GL JE exists. That's why I would use Function IDs in the name of the control, instead of Risk IDs.

I think the naming convention should try to provide the most information possible, so I would use the sub-Business Process and a short abbreviation of the description, for instance: GL-JE_REV

Thoughts?

Regards,

Pau
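The three conventions discussed in this thread (Reza's `<Access Risk ID>_<Stream Code><numeric suffix>`, Marcelo's `MIT_` + Risk ID with an optional numeric suffix, and Pau's `GL-JE_REV` style) all have to fit the 10-character ID limit. The following Python script is an added example, not code from the thread or from SAP GRC; it builds IDs under each pattern, rejects anything over 10 characters, parses the risk/stream pattern back out, and works out how many numbered controls a given prefix leaves room for. The character classes used for risk IDs and stream codes (upper-case letters and digits) are an assumption.

```python
import re

MAX_ID_LEN = 10  # mitigating control ID limit stated in the thread

# Reza's pattern: <Access Risk ID>_<Stream Code><numeric suffix>.
# Assumption: risk IDs are upper-case alphanumerics, stream codes are letters only.
RISK_STREAM_RE = re.compile(r"^(?P<risk>[A-Z0-9]+)_(?P<stream>[A-Z]+)(?P<n>[0-9]+)$")


def check_length(control_id):
    """Return the ID unchanged, or raise if it exceeds the 10-character limit."""
    if len(control_id) > MAX_ID_LEN:
        raise ValueError(
            f"{control_id!r} is {len(control_id)} characters, limit is {MAX_ID_LEN}"
        )
    return control_id


def risk_stream_id(risk_id, stream, n):
    """Reza's pattern, e.g. risk ZRMD1 mitigated in finance roles -> ZRMD1_FIN1."""
    return check_length(f"{risk_id}_{stream}{n}")


def mit_id(risk_id, n=None):
    """Marcelo's pattern: MIT_ followed by the risk ID, optional numeric suffix."""
    suffix = "" if n is None else str(n)
    return check_length(f"MIT_{risk_id}{suffix}")


def process_abbrev_id(sub_process, abbrev):
    """Pau's pattern: sub-business process plus a short description, e.g. GL-JE_REV."""
    return check_length(f"{sub_process}_{abbrev}")


def parse_risk_stream(control_id):
    """Decode an ID built with Reza's pattern; None if it does not follow it."""
    m = RISK_STREAM_RE.match(control_id)
    if m is None:
        return None
    return {"risk": m.group("risk"), "stream": m.group("stream"), "n": int(m.group("n"))}


def suffix_capacity(prefix):
    """How many controls (numbered 1, 2, ...) fit after this prefix within the limit.

    One spare character gives suffixes 1-9, two give 1-99, and so on; a prefix that
    already uses all 10 characters leaves room for none.
    """
    remaining = MAX_ID_LEN - len(prefix)
    return 0 if remaining <= 0 else 10 ** remaining - 1


def register(registry, control_id):
    """Add an ID to a set of existing IDs, refusing duplicates and over-long IDs."""
    check_length(control_id)
    if control_id in registry:
        raise ValueError(f"duplicate mitigating control ID {control_id!r}")
    registry.add(control_id)
    return control_id


if __name__ == "__main__":
    ids = set()
    for cid in (risk_stream_id("ZRMD1", "FIN", 1), mit_id("ZRMD1"), process_abbrev_id("GL-JE", "REV")):
        register(ids, cid)
        print(f"{cid:<10} len={len(cid)} parsed={parse_risk_stream(cid)}")
    # Each 9-character prefix leaves exactly one digit, i.e. room for nine controls.
    for prefix in ("ZRMD1_FIN", "MIT_ZRMD1"):
        print(f"{prefix}: room for {suffix_capacity(prefix)} numbered controls")
```

Running the script shows that `ZRMD1_FIN1` uses all 10 characters, so the tenth control in that stream (`ZRMD1_FIN10`) would be rejected; `suffix_capacity` makes that limit visible before a project commits to a prefix length.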

Monsores
Active Participant

Hi Pau.

I like the MIT_ prefix because it brings more visual clarity regarding the mitigation controls. Users' feedback has been positive in general because the purpose of that ID quickly comes to their mind when they see it among other IDs like Risks and Functions. And since I have never needed to use 10 characters for Control IDs, I was able to "throw them away" with this prefix instead of doing this by leaving them empty.

In the scenarios with which I dealt, Controls could not be Function oriented (except, of course, for Critical Action Risks, where these concepts overlap). They had to be aimed at Risks or even at Rules, and two combinations of the same Function could result in totally different controls. To be honest with you, I don't see an easy way to orient Controls to Functions because it sounds conflicting in the case of SoD risks for which you have 2 or 3 functions.

In the end, what we can see here is what I said at the beginning. The naming convention of the Controls will be closely linked to the Mitigation strategy, which in turn must be focused on business needs, which in our case seem to be very different.

Regards,

Marcelo Monsores