
How to create a control id?

Former Member
0 Kudos

Hi Experts,

We're trying to start using the mitigating controls for those users who have conflicts that have already been mitigated.

I've created a test user in our Sandbox environment (the profile of this user includes some transactions that are already included in one or more conflicts) for creating a mitigating control. These are the steps I followed (I don't know if it helps or not, but we usually work in NWBC):

1. We run a "User Level" only for this test user.

2. I've selected the user, then I pushed the button "Mitigate Risk".

3. I've pushed "Create control" (there are no controls created yet).

4. When I tried to create the control Id, I was able to fill in the fields "Mitigation Control Id" and "Name" (mandatory fields). The problem is that when I tried to complete the field "Organization", I looked for all the options available for that field, but it was empty: (below, the screenshot)

I had assumed that the info was uploaded from the environment where the test user had been created.

(The test user was created in a Finance sandbox environment, which is connected to our GRC Sandbox env)

Could you please help me with this issue?

Thank you very much in advance!!

Regards,

Sebastian.

Accepted Solutions (1)

FilipGRC
Contributor
0 Kudos

Sebastian,

In order to use a mitigation control, you need to follow the procedure below:

  1. Logon to NWBC with user ID
  2. Choose Setup -> Mitigating Controls work set -> Mitigating Controls.
  3. Create a Mitigating Control with the following information:
  4. Choose the Access Risks tab to enter a Risk ID.
  5. Choose the Owners tab to enter a User ID for the Owner and Monitor.
  6. Choose the Reports tab to set up mitigation reports.
  7. Choose the Attachments and Links tab to add a link
  8. Save.

To select an Owner/Monitor, you first need to assign these roles to the user ID:

  1. Choose Access Management -> Access Control Owners.
  2. Choose Create.
  3. Specify the user and select the relevant check boxes.
  4. Enter comments.

There is also some setup required on the SPRO side, not sure if you have done it: within the IMG, select whether an organization view is used for AC, PC, RM, or shared between all components.

  1. Execute Transaction SPRO -> SAP Reference IMG -> Governance, Risk and Compliance -> Shared Master Data Settings -> Maintain Organization Views.
  2. Choose Maintain Organization Views Configuration.
  3. Choose New Entries to add a view.
  4. When creating more entries with the same name, but different application component, specify for which of the components the hierarchy should be used.

To check it, view the Organization Hierarchy:

  1. From the NWBC, choose the Setup work center.
  2. Choose the Organizations work set.
  3. Expand the organization hierarchy to view sub-organizations.

Hope this helps,

Filip

FilipGRC
Contributor
0 Kudos

Sebastian,

Was my answer helpful? Does it solve your inquiry?

Rgds,

Filip

Answers (1)

Former Member
0 Kudos

Hi Filip,

First of all, I'd like to say thanks for your help.


On the other hand, I think we have some kind of issue in our configuration. I executed SPRO and found the whole path you mentioned. I chose "Maintain Org Views" and I saw that there were some lines created, so I went back to the "Organizations" work set, just to check if they were there, but it was empty.
I'm assuming that those "Org Views ID" should be shown in the "Organizations" work set, right?


In case they shouldn't, when I click on "new entries" (back at "Maintain Organizations Views"), all the info shown disappears. My question is: does this action overwrite the data uploaded before?

Last question... The terms "GRC - AC" / "GRC - PC" / "GRC - RM" are not familiar to me. Could you please tell me what they mean?

Thank you very much for all your help!

Regards,

Seba.

Below, the screenshots. (They will help me to make my explanation clearer).

Former Member
0 Kudos

Please be aware that in GRC 10, Access Control (AC), Process Control (PC), and Risk Management (RM) are all loaded with the same software package and share certain master data, such as organization, process, control, risk, and others. I wouldn't worry a great deal about the "views". In most cases you will be using the Standard View, 002. You can create alternate views, if necessary, to look at organization hierarchies from a particular viewpoint, e.g. a Risk Management-only view of organizations. You can load organizations with the MDUG or CLM tools. Alternatively, you can create them in the NWBC or portal. If you are creating organizations manually, you usually have to set up the root (top node) organization and one level below that in the IMG. There is an IMG step for that. Once the top/parent node and one child node are set up, you can add the rest of the hierarchy.

Because Process Control and Access Control are integrated, the mitigating controls that are set up for Access Control can be linked to the controls set up in Process Control (at the local level). If you have set up an access mitigating control and linked it to a control assigned to an organization, the testing or continuous monitoring available in Process Control provides assurance that the mitigating control is effective.

FilipGRC
Contributor
0 Kudos

Sebastian,

Hope our answers were useful to you; if so, mark them as helpful / correct answers accordingly.

If you have more questions or need more information - let us know,

Filip