
Requestor should not start / approve the risk control assignment workflow for own user

former_member225180
Participant
0 Kudos

Dear Experts,

the user who creates access requests should not be allowed to approve/submit their own request from their GRC Work Inbox.

I have used Alessandro Banzer's excellent handling document, which I found here.

http://scn.sap.com/docs/DOC-55401

It works very well...with one exception.

We have problem with the risk control assignment workflow, which will be started in the Work Inbox of the requestor.

After the initial creation of the AR by the requestor, GRC runs an automatic risk analysis.

The requestor will see the result in the GRC Work Inbox (also for requests for their own user).

If a risk is identified, a risk mitigation is necessary.

At the moment, the requestor can start the risk mitigation / control assignment inside of the AR for his own user.

If the request is for the own user, it should not be allowed that the requestor can press the button "Mitigate Risk" OR

- on the following screen - press the button "Submit" without getting the message "You are not allowed to approve your own request".

The requestor should not be allowed to start the risk mitigation workflow for the own user.

Does someone know how to handle this?

Thank you in advance!

BR

Melanie

Accepted Solutions (1)

madhusap
Active Contributor
0 Kudos

Hi Melanie,

As @Alessandro already highlighted the product limitation in achieving the functionality you are looking for, I will give you the details on how we are using this functionality:

1. User or Requestor running risk analysis is mandatory during Access request creation.

2. MEDIUM risks should be mitigated before request submission. We have an enhancement in place to auto-assign mitigation controls for MEDIUM risks (predefined in the system based on our ruleset), and HIGH risks cannot be mitigated.

In your scenario, I assume you can enable the parameter "Run risk analysis in background during request submission" and, based on the risks, the approver at the first stage can submit the MC assignment workflow.

Basically there is one more limitation in the MC assignment workflow: there is no relation between the access request and the MC assignment workflow request, and it was difficult for MC assignment approvers to relate which access request they are approving those for.

In your scenario, assume that the requestor submitted the MC assignment workflow and then didn't SUBMIT the request or cancelled the request; the MC owner can still approve the MC assignment request. So, doing mitigation at the approver stage has an advantage; however, there are some product limitations, which can be submitted in the Idea Place.

Regards,

Madhu.

Answers (2)

former_member193066
Active Contributor
0 Kudos

Hello,

first of all, all your requesters are going to use the end user link.

A guest account is associated; remove this authorization from the guest account.

you should be good.

Regards,

Prasant

alessandr0
Active Contributor
0 Kudos

Dear Melanie,

what is your current release and SP level? I have briefly tested your case, but I am unable to click "Submit" on the mitigation screen as I have only Save and Cancel buttons available. Hence I cannot approve my own request.

Let me know.

Regards,

Alessandro

former_member225180
Participant
0 Kudos

Hi Alessandro,

we are on GRC 10.0, SP15.

Hope you can help :-).

BR

Melanie

alessandr0
Active Contributor
0 Kudos

Melanie,

probably I had mixed it up... you are using the control assignment workflow (SAP_GRAC_CONTROL_ASGN and parameter 1062 is set to YES), aren't you? In that case you have the "Submit" button available on the mitigation screen in the access request. What you are going to submit is the control assignment workflow and not the access request. The access request is still pending for approval and you are not allowed to approve your own request.

As far as I know there is standard functionality available to avoid mitigation for own user. Anyway, give me some time to check the possibilities we have.

Regards,

Alessandro

former_member225180
Participant
0 Kudos

Hi Alessandro,

yes,

- we are using SAP_GRAC_CONTROL_ASGN with parameter 1062 = YES.

- the "Submit" button is the control assignment workflow. Only the button "Mitigate Risk" is in the access request.

Would be great if you have a solution!

BR

Melanie


alessandr0
Active Contributor
0 Kudos

Hi Melanie,

I have tested your scenario and the system behaviour is correct from my point of view. By clicking "Submit" on the mitigation screen you are going to submit a new workflow (the mitigation control assignment workflow as customized in 1062) for the assignment of a mitigation control. The access request itself is still pending for approval, and as the approval is pending for your own user you are not allowed to approve the access request.

The assignment of the mitigation control must be approved by the mitigation control monitor and hence is handled in a new workflow that has nothing to do with the access request.

Conclusion: from my point of view it is correct that an end user is allowed to submit a new workflow for control assignment. The access request is not approved and is still pending for approval.

In my eyes, with the standard configuration you have the 4-eyes principle in place, and hence it should be okay from a compliance point of view.

I have also tried to avoid the submission of the assignment workflow for the own user. Unfortunately, this is not possible in the standard. Also, there is no default configuration available so that the mitigation monitor is not allowed to approve requests for his own user. Hence this functionality is missing. It might be a good idea to place this requirement in the Idea Portal.

Sorry for not having a better solution at the moment. Hope my answers help you at least to understand the SAP standard.

Let me know if you need more details.

Best regards,

Alessandro
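
The two-workflow behaviour Alessandro describes above, and the process Madhu outlined earlier (MEDIUM risks auto-mitigated with predefined controls, HIGH risks never mitigated), as an added, constructed Python model. This is not SAP GRC code and none of the names are SAP APIs: the AccessRequest and ControlAssignment classes, the PREDEFINED_CONTROLS table, the `strict_four_eyes` switch and the user names are assumptions made for the illustration. The model keeps the access request pending for a separate approver, lets the requestor start the control assignment workflow (as the standard does), and shows where the missing check on the monitor would sit.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed model of the two workflows discussed in the thread: an access
# request (AR) that stays pending for a separate approver, and a mitigation
# control (MC) assignment workflow started from the AR's risk screen.
# Names, states and the PREDEFINED_CONTROLS table are assumptions, not SAP GRC code.


class SoDViolation(Exception):
    """Raised when an action would break the four-eyes principle."""


@dataclass
class ControlAssignment:
    request_id: str          # link back to the AR (the thread notes the standard lacks this)
    risk_id: str
    control_id: str
    submitted_by: str
    status: str = "PENDING"


@dataclass
class AccessRequest:
    request_id: str
    requestor: str
    for_user: str                          # user the access is requested for
    risks: List[Tuple[str, str]]           # (risk_id, level) from the risk analysis
    status: str = "PENDING"
    controls: Dict[str, str] = field(default_factory=dict)  # risk_id -> control_id


# Constructed ruleset: which predefined control mitigates which MEDIUM risk.
PREDEFINED_CONTROLS = {"R_MED_1": "MC_001", "R_MED_2": "MC_002"}


def permitted(action, *args, **kwargs) -> bool:
    """True if the action completes, False if a SoD check blocks it."""
    try:
        action(*args, **kwargs)
        return True
    except SoDViolation:
        return False


def submit_control_assignment(ar: AccessRequest, risk_id: str, control_id: str,
                              actor: str) -> ControlAssignment:
    """Start the MC assignment workflow. As in the standard described in the thread,
    the requestor may do this for their own user; it does not approve the AR itself."""
    if risk_id not in dict(ar.risks):
        raise ValueError(f"{risk_id} not found on {ar.request_id}")
    return ControlAssignment(ar.request_id, risk_id, control_id, submitted_by=actor)


def auto_assign_medium_controls(ar: AccessRequest, actor: str) -> List[ControlAssignment]:
    """Madhu's enhancement: predefined controls for MEDIUM risks; HIGH is never mitigated."""
    return [submit_control_assignment(ar, risk_id, PREDEFINED_CONTROLS[risk_id], actor)
            for risk_id, level in ar.risks
            if level == "MEDIUM" and risk_id in PREDEFINED_CONTROLS]


def approve_control_assignment(ca: ControlAssignment, ar: AccessRequest, monitor: str,
                               strict_four_eyes: bool = False) -> str:
    """The MC monitor approves the assignment. strict_four_eyes adds the check the
    thread says the standard lacks: the monitor may not approve an assignment they
    submitted themselves or one for a request targeting their own user."""
    if strict_four_eyes and monitor in (ca.submitted_by, ar.for_user):
        raise SoDViolation("monitor may not approve a control assignment for own user")
    ca.status = "APPROVED"
    ar.controls[ca.risk_id] = ca.control_id
    return ca.status


def approve_access_request(ar: AccessRequest, approver: str) -> str:
    """AR approval: never by the requestor, never with HIGH or unmitigated MEDIUM risks."""
    if approver == ar.requestor:
        raise SoDViolation("You are not allowed to approve your own request")
    if "HIGH" in dict(ar.risks).values():
        raise SoDViolation("HIGH risks cannot be mitigated; request cannot be approved")
    open_medium = [r for r, lvl in ar.risks if lvl == "MEDIUM" and r not in ar.controls]
    if open_medium:
        raise SoDViolation(f"unmitigated MEDIUM risks: {open_medium}")
    ar.status = "APPROVED"
    return ar.status


def demo() -> Tuple[str, str, bool]:
    """Constructed walk-through: the requestor asks for access for her own user,
    starts the MC workflow herself (allowed in the standard), the monitor approves
    the control, the requestor is refused on the AR, a separate approver approves it."""
    ar = AccessRequest("AR-1", requestor="melanie", for_user="melanie",
                       risks=[("R_MED_1", "MEDIUM")])
    cas = auto_assign_medium_controls(ar, actor="melanie")
    approve_control_assignment(cas[0], ar, monitor="monitor1")
    self_approved = permitted(approve_access_request, ar, approver="melanie")
    ar_status = approve_access_request(ar, approver="manager1")
    return cas[0].status, ar_status, self_approved


if __name__ == "__main__":
    print(demo())  # ('APPROVED', 'APPROVED', False)
```

With `strict_four_eyes=False` the model reproduces the thread's reading of the standard: the requestor may start the assignment workflow, and the monitor's approval is not checked against the requestor; the access request itself still cannot be self-approved. Setting `strict_four_eyes=True` is the assumed enhancement that closes the gap Alessandro says has to go to the Idea Portal.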

former_member225180
Participant
0 Kudos

Hi Alessandro,

thank you for your help!

I have added it to the SAP Idea Place.

BR

Melanie

alessandr0
Active Contributor
0 Kudos

Thanks a lot - please also close this thread.

Cheers,

Alessandro

former_member225180
Participant
0 Kudos

Hi Alessandro,

I have additionally opened a ticket with SAP Support.

They told me to set parameter 1014 "Enable separate authorization check for Mitigation from Access Request" (parameter group 02 Mitigation) in the access control configuration settings.

Unfortunately the parameter is not available.

Do you know a possibility to add and activate the parameter?

BR

Melanie

alessandr0
Active Contributor
0 Kudos

Hi Melanie,

regarding parameter 1014 refer to: http://service.sap.com/sap/support/notes/1996151

But I am not sure if this helps... give me some time to test.

Regards,

Alessandro