
Mitigating control not removed when user is deleted

Former Member
0 Kudos

Seems that when you delete a user (workflow), if that user has a mitigating control, the control is NOT removed. Ran a user sync to see if that would catch it, but it did not. Is this a bug? Or by design? If a bug, then when will it get fixed? If by design, then I would have to create a BRF+ rule and workflow to remove the control.

Accepted Solutions (0)

Answers (3)

Former Member
0 Kudos

SAP contacted me 7/17/2013 with a fix for the issue. Note 1873361, issued 7/17/2013, has corrected code to fix this issue as well as performance issues. The mitigation assignments for the deleted user will be removed at the next user sync.

Colleen
Advisor
0 Kudos

Hi Jack

I don't recall the process removing the control.

However, I wonder if this is deliberate. If you have a set mitigating control review period the review piece may fall after the user no longer has the access. However, if you remove the assignment you may miss the chance to review some of their actions for the time they had it.

As you suggested, you might need to build a routing rule for the lock or deletion scenarios to trigger a notification or do something to deal with this event (and remove the invalid mitigating control assignments).

Former Member
0 Kudos

While waiting for SAP to answer, I came up with a rule in BRF+ that does a db lookup on the GRACMITUSER table checking the (to be) deleted user for mitigation assignments. If found, then Security is notified (approval step so they can look at the user data) and an email is sent (see note 1614574 for how to have different emails for different scenarios/receivers) that outlines the steps to take in NWBC to inactivate and expire the control in question. So far that's the best I can do... the best solution, as I see it, would be for SAP to modify the delete user code to do the same thing, only without the approval/manual step.

former_member208271
Participant
0 Kudos

Hi Jack

I agree with you on this.

Even if the user's risk has been remediated (no longer has the risk, role removed), the user is still mitigated.

There should be some sort of Sync Job to check this.

Hope to get a solution on this.

Regards

Mustafa

Former Member
0 Kudos

I started an OSS message 5 days ago with SAP support... no word yet. I'll post the response as soon as I get one!