cancel
Showing results for 
Search instead for 
Did you mean: 

SAP GRC 5.3 RAR (SP 18) - Mitigated risks still show up in risk analysis

Former Member
0 Kudos

Hi all,

I'm having the following issue with SAP GRC AC 5.3 RAR (SP 18): I’m able to create mitigating controls, but they do not apply in my risk analysis => the mitigated risks still show up.

I think I have configured everything right. I have been searching the web & found a lot of posts with similar issues, but none of the solutions work for me.

  • A. I created my mitigated control & assigned it to Risk ID P001*
  • http://users.telenet.be/dunkelburg/SAP/01_01.JPG

  • B. I assigned an approver. I did not assign any mitigated users or roles (but even if I do, it still doesn’t work)
  • http://users.telenet.be/dunkelburg/SAP/01_02.JPG

  • C. I make sure that my configuration is correct + I did a full user & role sync
  • http://users.telenet.be/dunkelburg/SAP/01_03.JPG

    http://users.telenet.be/dunkelburg/SAP/01_04.JPG

    http://users.telenet.be/dunkelburg/SAP/01_05.JPG

    D. Whenever I perform a user or role analysis, I still have my P001 conflict showing up – even when I tell the system to exclude mitigated risks

    http://users.telenet.be/dunkelburg/SAP/01_06.JPG

    http://users.telenet.be/dunkelburg/SAP/01_07.JPG

    Any ideas, comments or thoughts would be nice

    Best regards,

    Tom

    Accepted Solutions (1)

    Accepted Solutions (1)

    Former Member
    0 Kudos

    Hello all,

    I found the solution to the issue.

    When adding a role to a risk, I just entered the role in the “Role Name text-field”.

    To make the mitigated risk work, I need to use the search functionality of the “Role Name text-field” to go & look for the role and then select it. Only then, it takes the risk into account.

    Thanks for your help

    Best regards,

    Tom

    Answers (4)

    Answers (4)

    Former Member
    0 Kudos

    Hi Lanssens,

    First of all you need to Assign the Uesr/ Role to the Mitigation Control if you want to check that in the Risk analysis.

    Once that Role is assigned to the Mitigation Control then that Risk ID will be considered as a Mitigated risk ID.

    Regards

    Shaily

    Former Member
    0 Kudos

    Hi Shaily,

    I have done this and it didn't work. But what I needed to do (cfr. my Answer below) was to select the role via the search function of the Role Name text field, instead of just entering the role directly.

    Best regards,

    Tom

    Former Member
    0 Kudos

    Hi Tom,

    Can you please make sure these users or roles exist in the RAR database.

    Kindly check for role or user in VIRSA_CC_GENOBJ table for the particular system.

    Best Regards,

    Smriti

    Former Member
    0 Kudos

    Hi Tom,

    Please review the sap note-1290057.

    Could you please check the below setting into your system.

    Logon to CUP ==> Go To Tab "Configuration" ==> Click on "Risk Analysis"
    ==> Check the Checkbox "Consider Mitigation Controls".
    Checkbox should be checked to consider mitigation.

    Best Regards,

    Nandita

    Former Member
    0 Kudos

    Hi Tom,

    Kindly refer to below thread for this same issue:-

    http://scn.sap.com/thread/1515852

    Best Regards,

    Akhil Chopra

    Former Member
    0 Kudos

    Hello Akhil,

    Thanks for the reference, but this was not the issue. I have seen that thread & already added the * to my risk id. Cfr. my screenshots.

    I have found the solution however, will post it here as well.