Creating Mitigating Control at Rule Level vs Role & User Level Analysis
Hello GRC Gurus,
We are on GRC V10.1 & SP9,I think the following question will be applicable to all GRC version irrespective of the SP Level.
We Created a Mitigation Control for the Risk S020 and Rule 0019 & 0018 as per the SAP Standard Note
1600667 : Transaction that conflict with themselves
and we have not assigned the mitigating control at user level or role level.
The question I have here is when there is a mitigating control for risk S020 and Rule 0018 & 0019,why they are not populating at user level or role level risk analysis.The Risk and Rule are common irrespective if we run risk analysis at User level or Role Level. I think it should populate the mitigation control if there is one? If not I can assign one.
I agree if we mitigate at user level or role level, I am able to see the Mitigation Control at user level or role level risk analysis.
I hope I am not confusing anyone, can you please let me know if any one thought of this or its a SAP standard behavior.