
SAP GRC Access Control: Best Practice in Mitigating Risk When No Longer a Risk in a Role

reza_ahoui2

Hi

Example: transaction SU01 is designated as a critical transaction for authorisation (Basis). Therefore one expects this transaction to be available only to the authorisation team through a dedicated role, and no other role must have it.

The rule set has an access risk of type Authorisation Critical Action, which includes a function with transaction SU01 in it.

Question: when running ARA for the authorisation team role, it flags a critical action risk because the role has SU01. Should we then be using the mitigate risk option for this so it won't show up next time we run ARA for the same role? If so, and since it is not a risk in this context, what sort of mitigating control should we create to cover this situation?

Thanks

Reza Ahoui

Accepted Solutions (1)

madhusap

Hi Reza,

There are multiple options on how you can handle this.

Option 1: Make this risk and mitigating control applicable to all users by updating the User Mitigation table with User ID "*" for the risk and mitigating control combination.

At the role level, apply the mitigating control with VALID TO as 31.12.9999; the mitigating control definition can be a declaration by the role owner.

I declare that I have read and carried out the mitigation actions.

Click on the mitigating control ID for the full details.

Access to User Maintenance transactions should be restricted to Security Team only.

*************************************

[1] Declaration by Role Owner

*************************************

I understand that User Maintenance transactions should be restricted to Security Team role "XXX ROLE NAME"

Option 2: Create a supplementary rule for this risk and, in the rule, exclude the Security team users and the Security team role from this risk, which means ARA will flag this violation for all users and roles except the Security team.

Regards,

Madhu
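The difference between the two options, as an added example that is not part of the original thread and not SAP's own code: a small Python model of a critical-action check with a role-level mitigating control carrying a VALID TO date (option 1) and a role exclusion in the style of a supplementary rule (option 2). The risk ID B001, the control ID M_SU01_SEC, the role names and the dates are made up for illustration, and the model ignores users and organisational rules entirely.

```python
# Constructed toy model of an ARA critical-action check, written for this thread.
# It is not SAP code and uses no GRC tables or APIs; Z_SEC_ADMIN, Z_FI_CLERK,
# B001 and M_SU01_SEC are made-up names.
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Risk:
    """A critical-action risk: one function, i.e. a set of transaction codes."""
    risk_id: str
    actions: frozenset


@dataclass(frozen=True)
class Role:
    name: str
    transactions: frozenset


@dataclass(frozen=True)
class Mitigation:
    """Role-level mitigating control assignment (option 1 in the answer above)."""
    control_id: str
    risk_id: str
    role: str          # exact role name, or "*" for every role
    valid_to: date     # 31.12.9999 in the answer above


@dataclass(frozen=True)
class SupplementaryRule:
    """Role exclusion for one risk (option 2); excluded roles are never reported."""
    risk_id: str
    exclude_roles: frozenset


def analyse_role(role, risks, mitigations, supp_rules, today):
    """Return [(risk_id, status)] for one role.

    status is "VIOLATION" or "MITIGATED:<control_id>"; roles excluded by a
    supplementary rule produce no entry for that risk at all.
    """
    findings = []
    for risk in risks:
        if not (risk.actions & role.transactions):
            continue  # the role has none of the critical actions
        if any(s.risk_id == risk.risk_id and role.name in s.exclude_roles
               for s in supp_rules):
            continue  # option 2: excluded, so not a finding
        control = next(
            (m for m in mitigations
             if m.risk_id == risk.risk_id
             and m.role in ("*", role.name)
             and m.valid_to >= today),  # an expired control no longer counts
            None,
        )
        status = f"MITIGATED:{control.control_id}" if control else "VIOLATION"
        findings.append((risk.risk_id, status))
    return findings


# Constructed sample data
RISKS = [Risk("B001", frozenset({"SU01", "SU10"}))]           # user maintenance
SEC_ROLE = Role("Z_SEC_ADMIN", frozenset({"SU01", "PFCG"}))    # the dedicated role
CLERK_ROLE = Role("Z_FI_CLERK", frozenset({"SU01", "FB01"}))   # must not have SU01
TODAY = date(2024, 6, 1)

OPTION1 = [Mitigation("M_SU01_SEC", "B001", "Z_SEC_ADMIN", date(9999, 12, 31))]
EXPIRED = [Mitigation("M_SU01_SEC", "B001", "Z_SEC_ADMIN", date(2023, 12, 31))]
OPTION2 = [SupplementaryRule("B001", frozenset({"Z_SEC_ADMIN"}))]


def demo():
    """Run the scenarios from the thread and return the findings by scenario name."""
    return {
        "no_treatment_sec": analyse_role(SEC_ROLE, RISKS, [], [], TODAY),
        "option1_sec": analyse_role(SEC_ROLE, RISKS, OPTION1, [], TODAY),
        "option1_expired_sec": analyse_role(SEC_ROLE, RISKS, EXPIRED, [], TODAY),
        "option2_sec": analyse_role(SEC_ROLE, RISKS, [], OPTION2, TODAY),
        "option1_clerk": analyse_role(CLERK_ROLE, RISKS, OPTION1, [], TODAY),
        "option2_clerk": analyse_role(CLERK_ROLE, RISKS, [], OPTION2, TODAY),
    }


if __name__ == "__main__":
    for name, findings in demo().items():
        print(f"{name:22s} {findings}")
```

In the model a mitigated finding is still returned, tagged with its control ID, while an excluded role produces no finding at all, and an expired VALID TO date puts the violation straight back. That is also the practical trade-off between the two options: a mitigating control leaves a record of who accepted the finding and until when, whereas an exclusion makes the role invisible to this risk, so the exclusion list itself has to be reviewed periodically. In both cases the clerk role that should never have had SU01 is still reported.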

reza_ahoui2

Hi Madhu

I guess the question is, if we go with option 2 for our case, could we define a supplementary rule without a user ID (a table without user ID)? This is because we are running ARA against a single role (not users) and we want to exclude a specific role from a specific risk.

Answers (1)

reza_ahoui2

Thanks Madhu, helpful as always.