
Actions maintain in Mitigation Control ID Report Tab

Former Member

Dear GRC Team,

I am looking for help!

I am creating a Mitigation Control ID for Risk ID F001.

In the Report tab, I need to maintain System, Action, Monitor ID and Frequency.

My query is: under the Action tab, what Actions have to be maintained?

I am asking because F001 contains the GL01 & GL02 Function IDs.

Each Function has more than 50 T-Codes. In this case, do I need to maintain a total of 100 T-Codes?

Could you please help me create the Mitigation Control ID?

System Details: GRC AC 10.0 & SP-12

Regards,

Rupesh.

Accepted Solutions (1)


madhusap
Active Contributor

Hi Rupesh,

Access Control is used as a documentation tool for Mitigating Controls rather than an implementing tool, i.e. you apply the control against the role/user, but the actual application of the control is performed outside of Access Control. This may be realized by running a custom SAP report to monitor the usage of the risky functions within the ECC system, etc.

Action is for the t-code of the SAP report. The brief explanation below will help in understanding.

Suppose you have a mitigation control where Mr. Z runs report X using t-code Y on a monthly or quarterly basis and reviews the report.

Then you need to give that report name X, in Action the t-code Y, and the frequency as Monthly/Quarterly. This lets the system check whether the t-code has been executed by the Monitor within that frequency, and generate an alert (based on the alert generation configuration). If the monitor doesn't execute the action in the backend within the set frequency, we will find an alert in Alert Monitor - Control Monitoring, but if the monitor executes the action we will NOT get an alert.

The role of the Monitor is to see whether everything that was risky in the access being mitigated is fine or not. That is, he/she sees to it that the user who has been given extra or conflicting access has not misused it. For this purpose, every Mitigation Control has a Monitor attached to it who does this job.

Action - This is some t-code a monitor has to execute in the backend to see those reports.

  1. E.g. if someone is doing check payment entry (risk), and mitigation is done for a user/role, there must be a t-code where we can check what payments are made (sorry, I am not well versed in FI t-codes); this t-code will be put in the Action tab and the monitor will have to check it via that particular t-code.

Frequency is simply the period within which a monitor must perform this activity, say one week or one month.

If a monitor doesn't execute that action/t-code within that time, an alert will be generated and a mail will be triggered to the mitigation approver (indicating that the supposed task is not being performed).

For creating Mitigation Controls in GRC 10.0, please check the blog post below.

Regards,

Madhu.
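To make the monitoring logic described in this answer concrete, here is an added example (not GRC's own code, and not from the original post) that models a control whose Action is the t-code of a monitoring report, and flags every frequency window in which the named Monitor did not run it. All names (MC_F001_01, MONITOR1, ZFI_PAYMENT_REVIEW, APPROVER1) and the execution log are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed model of control monitoring as explained above; not GRC's implementation.
@dataclass(frozen=True)
class MitigationControl:
    control_id: str
    risk_id: str
    monitor: str          # user who must run the monitoring report
    action: str           # t-code of that report (NOT the risky t-codes in the functions)
    frequency_days: int   # e.g. 30 for "monthly"

@dataclass(frozen=True)
class Execution:
    user: str
    tcode: str
    run_on: date

def periods(start: date, end: date, frequency_days: int):
    """Yield (first_day, last_day) windows of frequency_days covering start..end."""
    first = start
    while first <= end:
        last = min(first + timedelta(days=frequency_days - 1), end)
        yield first, last
        first = last + timedelta(days=1)

def missed_periods(control, executions, start, end):
    """Windows in which the control's monitor never executed the control's action."""
    relevant = {e.run_on for e in executions
                if e.user == control.monitor and e.tcode == control.action}
    return [(first, last) for first, last in periods(start, end, control.frequency_days)
            if not any(first <= d <= last for d in relevant)]

def alerts(control, executions, start, end, approver):
    """One alert line per missed window, addressed to the mitigation approver."""
    return [f"ALERT {control.control_id}/{control.risk_id}: monitor {control.monitor} "
            f"did not run {control.action} between {first} and {last}; notify {approver}"
            for first, last in missed_periods(control, executions, start, end)]

# Constructed sample data (hypothetical control, users and t-code).
CONTROL = MitigationControl("MC_F001_01", "F001", "MONITOR1", "ZFI_PAYMENT_REVIEW", 30)
LOG = [Execution("MONITOR1", "ZFI_PAYMENT_REVIEW", date(2014, 1, 10)),
       Execution("OTHERUSR", "ZFI_PAYMENT_REVIEW", date(2014, 2, 12)),  # wrong user: ignored
       Execution("MONITOR1", "FB03", date(2014, 2, 20)),                # wrong t-code: ignored
       Execution("MONITOR1", "ZFI_PAYMENT_REVIEW", date(2014, 3, 5))]
REVIEW = (date(2014, 1, 1), date(2014, 3, 31))

def demo_alerts():
    return alerts(CONTROL, LOG, *REVIEW, "APPROVER1")

if __name__ == "__main__":
    for line in demo_alerts():
        print(line)
```

With the sample log, only the second 30-day window (31 Jan to 1 Mar) produces an alert: the run by OTHERUSR and the run of a different t-code do not count as the monitor executing the action.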

Former Member

Hi Madhu,

Thanks a lot. It is a great help to me. I appreciate your effort.

Here I have two doubts, as below:

1. Do we need to create the Organization Hierarchy in each environment (DEV, QAS, PRD), or is it transportable? I ask because when I created the Organization Hierarchy in SPRO, it did not ask for any TR.

2. How can we get these reports to maintain under the ACTION field? Do we have any standard reports for each Risk ID? If yes, could you please provide them.

Regards,

Rupesh.
