SAP GRC 10.0 Access request submission - Risk analysis need to exclude medium risk

Former Member
0 Kudos

Hi GRC Experts,

We need to exclude any medium risk while running risk analysis on the access request form and consider only High risk. So we can mitigate only the High risk and can ignore the medium risk. Would appreciate a quick response. Attached screenshot to explain this.

System details:

--------------------

SAP GRC 10.0

GRCFND_A V1000 Version:0011

Configuration details:

---------------------------

1024 - Default risk level for risk analysis - 1 (HIGH)

1071 - Enable risk analysis on form submission - YES

1072 - Mitigation of critical risk required before approving the request - YES

Regards,

Feros.

Accepted Solutions (0)

Answers (1)


Former Member
0 Kudos

Hi Feros,

You have to use Mitigation control policy BRF+ rule to have this functionality.

You can find in built mitigation control policy rule id in SPRO where you can also find user default and HR trigger rules.

Copy the rule Id and execute the BRF+ tcode, then search for the Mitigation policy rule Id. Edit the rule Id and change it to function and event mode.

And add line items there as:

if risk level is medium or low, approver can approve the request even without mitigation

if risk level is high, approver can't approve the request and mitigation is needed.

There is also some docs available for mitigation policy in SCN.

Try searching on "Mitigation Policy", I am sure you will get SAP docs for the same.

Regards,

Amit

Former Member
0 Kudos

Hi Amit,


Thanks for your suggestion. I cannot see a built-in mitigation control policy ID under Maintain AC Applications and BRFplus Function Mapping using SPRO. I am not sure; this might have been deleted. How can I import the function if this is missing? I can see a function named MIT_POLICY_FUNC under application GRAC_MIT_POLICY_APP; is that what you are referring to?

I cannot find any document related to Mitigation policy in SCN; can you share the link if you have it?


Regards,

Feros

Former Member
0 Kudos

Hi Feros,

Yes, this is the same mitigation control policy I am referring to. The rule ID for the mitigation is:

80E0ED08B0561DEFA4FCEAD405569CF3

If it is not visible under SPRO -> GRC Access Control -> Maintain AC applications and BRFPlus Function Mapping, and you can see the same rule Id in BRF+, then you can add an entry as shown in fig "BRF+ Mapping.jpg".


Once this has been added, edit the BRF+ function id into t-code BRF+.

Do not forget to change the event mode into function and event mode as shown below:

Then create a top expression as "Decision table" as shown below:

Risk level 2 (high) is linked to MIT Policy 2, which means mitigation is needed for high risk; the other risk levels are linked to MIT Policy 1, which means these risks can be ignored and the request can be approved.

Save and activate the function and applications.

You are done.

Thanks Amit
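The decision-table logic Amit describes, simulated as an added illustration (this is not code from the thread, from SAP GRC or from the BRF+ API): each risk finding on a request is mapped to a mitigation policy, and approval is blocked only for findings whose policy requires mitigation and that have no mitigating control assigned. Policy numbers 1 and 2 follow the thread; risk levels are keyed by name because the thread uses two different numeric codes for "High", and the risk ids and control ids are constructed sample values. Unknown risk levels fail closed (treated as requiring mitigation), which is an assumption of this example and not something the thread states.

```python
"""Simulation of a GRC mitigation-policy decision table.

Added example only: models the rule "high risk needs a mitigating control
before approval, medium/low can be approved as-is" in plain Python.
"""
from dataclasses import dataclass, replace
from typing import List, Optional

# Policy values as used in the thread's decision table.
MIT_POLICY_IGNORE = 1    # request may be approved without mitigation
MIT_POLICY_REQUIRED = 2  # a mitigating control must be assigned first

# Decision table: risk level name -> mitigation policy.
# (Thread: High -> Policy 2, every other level -> Policy 1.)
DECISION_TABLE = {
    "High": MIT_POLICY_REQUIRED,
    "Medium": MIT_POLICY_IGNORE,
    "Low": MIT_POLICY_IGNORE,
}


@dataclass(frozen=True)
class RiskFinding:
    """One line of a risk-analysis result on an access request."""
    risk_id: str                              # constructed sample id
    level: str                                # "High", "Medium" or "Low"
    mitigating_control: Optional[str] = None  # control id once assigned


def mitigation_policy(level: str) -> int:
    """Look up the policy for a level; unknown levels fail closed (assumption)."""
    return DECISION_TABLE.get(level, MIT_POLICY_REQUIRED)


def blocking_risks(findings: List[RiskFinding]) -> List[RiskFinding]:
    """Findings that must be mitigated before the approver may act."""
    return [
        f for f in findings
        if mitigation_policy(f.level) == MIT_POLICY_REQUIRED
        and f.mitigating_control is None
    ]


def approval_allowed(findings: List[RiskFinding]) -> bool:
    """Equivalent of 'Approve despite risk = disabled': no open required risks."""
    return not blocking_risks(findings)


def approval_message(findings: List[RiskFinding]) -> str:
    """Text an approver would see, listing only the risks that still block."""
    open_risks = blocking_risks(findings)
    if not open_risks:
        return "Request can be approved."
    ids = ", ".join(f"{f.risk_id} ({f.level})" for f in open_risks)
    return f"Mitigation required before approval for: {ids}"


def assign_control(findings: List[RiskFinding], risk_id: str,
                   control_id: str) -> List[RiskFinding]:
    """Return a new list with a mitigating control attached to one finding."""
    return [
        replace(f, mitigating_control=control_id) if f.risk_id == risk_id else f
        for f in findings
    ]


# Constructed sample result of a risk analysis on one access request.
SAMPLE_FINDINGS = [
    RiskFinding("P001", "High"),              # high, unmitigated -> blocks
    RiskFinding("S002", "Medium"),            # medium -> policy 1, ignored
    RiskFinding("F003", "High", "MC-01"),     # high but already mitigated
    RiskFinding("B004", "Low"),               # low -> policy 1, ignored
]

if __name__ == "__main__":
    print(approval_message(SAMPLE_FINDINGS))
    mitigated = assign_control(SAMPLE_FINDINGS, "P001", "MC-02")
    print(approval_message(mitigated))
```

Running the block shows the first message naming only P001, and a second "Request can be approved." once a control is attached to it; S002 and B004 never appear, which is the behaviour the original question asks for.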



Former Member
0 Kudos

Hi Amit,

Thanks for your detailed explanation.

I have tried this and am having some issues; it would be great if you could check and reply.

1) The BRF+ ID 80E0ED08B0561DEFA4FCEAD405569CF3 seems to be missing in Dev and QA but available in GRC production. I tried to download the function and application using XML export and cannot export and import to development.

2) I tried to use a different application and function - 005056834A871EE381D3EFF451A66AF3 - using the available mitigation policy and have created a custom BRF+ function in the development system and configured it as below (Note: all the configuration for this function is in line with the SAP standard function which you have provided).

I tried to raise a request and can approve all the risks, and it is not displaying a message to mitigate high risks. (Note: MSMP task settings configuration - Approve despite risk is set to disabled.) So it should display a message to mitigate high risks only and not other risks, as per the mitigation policy which was created.

Regards,

Feros

Former Member
0 Kudos

Hi ALL,

Please suggest..

Thanks,

sriram

former_member204204
Active Participant
0 Kudos

Hi,

You need to delete the Application rule id from the BRF Plus Function Mapping.

Please check the SAP Note 1667440.

Regards,

Neeraj Agarwal