
Mitigation Control at Role Level/user level

mamoonr

Hi,

I created a Business Role in SAP GRC 10.0 mapped with a couple of single roles from different systems.

I have done the role-level risk analysis for the business role and assigned the mitigation control for the Risk IDs generated.

When this business role is assigned to the user through an access request, is the mitigation control that is assigned to the Business Role assigned to the user or not?

Steps performed:
End user selects the business role and submits the request.
Request triggers the Role owner.
When the Role owner opens the request and does the risk analysis for the business role, the mitigated risk IDs are still showing.
But I have already assigned the mitigation control for the risk IDs of the role.

I want to know if mitigation done at role (business) level is also reflected at user level.

#User is new and has not been provisioned yet.


Thanks,
Mamoon

Accepted Solutions (0)

Answers (1)

Former Member

Hi Mamoon,

Did you get any conclusion about it?

We have the same scenario in one of our clients, Business Roles with N single roles.

The client has the expectation that, once the Business Role is mitigated, there is no reason to mitigate the risk at user level when access to this Business Role is requested.

Thanks,

Felipe Barros

mamoonr

Hi Felipe,

Even when business roles are mitigated, the user still has risk showing up when an access request is created with that business role. The user is new and does not have any other role.

But mitigation is somewhat automated, meaning in the access request, if many risks come up, you go for mass mitigation. You do not need to select the mitigation control. It takes it itself. You just need to confirm with OK.

Thanks,
Mamoon

Former Member

Hi Mamoon,

In our scenario the user will have access to only one Business Role. So, he can request access to the Business Role, not to single roles.

Our idea is that once we create the Business Role, and there are known mitigated risks, when a new user requests access to this BR, the risks appear as "Reduced/Mitigated", once that user has only the risks originating from that BR.

Is there any way to do that?

Thanks.

Regards,

Felipe Barros

mamoonr

Hi Felipe,

Even I am struggling to get that. We are also using business roles as positions, and the BRs are mitigated. But when assigned to a user (having no existing roles), it shows risk.

We again go for mitigation at user level by the BR owner. Please let me know if you get any solution for this.


Thanks,

Mamoon