
Mitigation at Role Level doubt

Former Member
0 Kudos

Dear all.

I am considering the two following scenarios: mitigate at user level or at role level. What are the features, benefits and disadvantages of each of them?

I have two big questions, which you have probably faced before, about mitigation at role level.

Question1: Role Mitigation scope. Let me explain with this example:

  1. Role A contains risk 1
  2. Role B contains risk 1
  3. Role A is mitigated with the mitigation control MITCON1 (which only mitigates risk 1)
  4. I assign Role A to User A
  5. If I do an SOD analysis for User A there is no risk, because it is mitigated at role level
  6. Now, I assign Role B to User A
  7. What happens if I do an SOD analysis for User A? Does risk 1 appear in the SOD analysis?

Question2: Role Mitigation level during User Provisioning. Let me explain with this example:

  1. Role A contains risk 1
  2. Role A is mitigated with the mitigation control MITCON1 (which only mitigates risk 1)
  3. I assign Role A to User A
  4. Will the manager approver see risk 1 on the Risk Analysis tab during user provisioning?

Kind regards and thank you.

Sara.

Accepted Solutions (1)

kevin_tucholke1
Contributor
0 Kudos

Sara:

In role mitigation, once you have the role, then you are mitigated for the associated risk, no matter how many roles or combinations of roles it may exist in. In your question 1, line 7, the risk analysis will show that the risk is mitigated, or not show it at all, depending upon your configuration.

In your question 2, I believe that if you set the default as 'show mitigated risks', then it should show; if not, then no risks should appear. I have not tested that before, as I VERY RARELY ever use or recommend role mitigation.

The other item that would need to be considered is if you need to know exactly who is covered by the mitigation.  This cannot be found in GRC, but needs to be extracted from the target system that the role is in and over the entire reporting period.

Hope this helps.

Kevin Tucholke
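To make the behaviour Kevin describes concrete, here is an added Python model (not SAP GRC code, and not posted by anyone in this thread) of how role-level and user-level mitigation affect a user's risk analysis, and why the set of users covered by a role-level control has to be derived from role assignments. The Role/assignment structures and UserB are assumptions; RoleA, RoleB, RISK1, MITCON1 and UserA follow the question.

```python
# Added model (not SAP GRC code): role-level vs user-level mitigation as
# described in the accepted answer. Data structures are assumptions.
from dataclasses import dataclass, field


@dataclass
class Role:
    name: str
    risks: set                                        # risk IDs the role carries
    mitigations: dict = field(default_factory=dict)   # risk_id -> control (role-level)


# Constructed sample data mirroring question 1 (UserB is an added assumption).
ROLES = {
    "RoleA": Role("RoleA", {"RISK1"}, {"RISK1": "MITCON1"}),
    "RoleB": Role("RoleB", {"RISK1"}),
}
ASSIGNMENTS = {"UserA": ["RoleA", "RoleB"], "UserB": ["RoleB"]}
USER_MITIGATIONS = {}   # (user, risk) -> control, i.e. user-level mitigation


def analyze_user(user, show_mitigated=True):
    """Return {risk: status} for a user's SoD analysis.

    A role-level control applies as soon as any assigned role carries a
    control for that risk, no matter how many other roles also carry the
    risk (the behaviour described in the answer). With show_mitigated=False
    the mitigated risks are dropped from the result, as a 'hide mitigated
    risks' setting would do."""
    roles = [ROLES[r] for r in ASSIGNMENTS.get(user, [])]
    risks = set().union(*(r.risks for r in roles)) if roles else set()
    result = {}
    for risk in sorted(risks):
        control = USER_MITIGATIONS.get((user, risk))          # user-level first
        if control is None:
            control = next((r.mitigations[risk] for r in roles
                            if risk in r.mitigations), None)   # then role-level
        if control is None:
            result[risk] = "OPEN"
        elif show_mitigated:
            result[risk] = f"MITIGATED:{control}"
    return result


def users_covered_by(control):
    """Users covered by a role-level control: derived from role assignments
    (GRC itself does not keep this; it comes from the target system)."""
    return sorted(user for user, names in ASSIGNMENTS.items()
                  if any(control in ROLES[n].mitigations.values() for n in names))
```

Assigning MITCON1 at user level for UserB clears that user's analysis but does not change `users_covered_by("MITCON1")`, which is the reporting gap Kevin points out.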

Former Member
0 Kudos

Hi Kevin.

Many thanks for your reply.

Regarding your response for question 1, I assume this is something already tested, or you have tested this scenario, right? I am facing an error with param 1033 and I cannot proceed with the proper testing.

I have also seen the following link, where an issue and a possible enhancement are raised:

Role Level Mitigation enhancement : View Idea

Couldn't the problem raised be solved by indicating exactly which rule you want to mitigate?

Kind regards and thank you.

Sara.
