
Mitigating Controls in Compliance Calibrator

Former Member
0 Kudos

Hi,

I have defined a mitigating control in CC and also attached a role and a user to the same.

When the value for 'Exclude Mitigating Controls' in Risk Analysis in Configuration is set to 'No', I expected that the defined mitigating control shall be displayed under the column of 'Mitigating Control' in Risk Analysis report for the selected role / user. However the mitigating control is not displayed.

Even if the value of 'Exclude Mitigating Controls' in Risk Analysis in Configuration is set to 'Yes', the role for which mitigating control is defined is not excluded.

Is there any more setting to be done?

Thanks and regards,

Anjali

Accepted Solutions (1)


Former Member
0 Kudos

Dear Anjali,

The user has to run the Risk Analysis (by pressing the pushbutton) to see if the roles being requested will have any SoD conflicts.

Risk violations would be displayed in the risk violation tab if there are any.

The user needs to highlight the risk id and press the mitigation button. The mitigation controls for this particular risk are displayed.

Regards,

Naveen.

Former Member
0 Kudos

Dear Naveen,

Thanks for your prompt response.

I had defined the mitigating control after getting the risk violation and attached it to one role and one user.

Now when I run the Risk Analysis Report in Informer at role level or user level, I expect this mitigating control to be displayed under the column meant for the same against the role and user which are attached through mitigation. However, the mitigating control is not displayed.

Can you guide me on this?

Thanks and regards,

Anjali

Former Member
0 Kudos

Have you associated that mitigating control to the risk you are trying to mitigate? When you create a mitigating control you associate it with a risk. So you have to be sure the users you are running the report against have failed with the mitigated risk to see it in the report.

Former Member
0 Kudos

Hi David,

Thanks for your reply.

I have associated the mitigating control to the risk and further attached one user and a role through 'Mitigate User' and 'Mitigate Role' button.

Regards,

Anjali

Former Member
0 Kudos

Anjali, when you created the mitigation control and specified the risk, what is the riskID you entered in the risk ID field? Please show us the exact value which you have keyed in for the riskID.

Former Member
0 Kudos

Simitaichi,

Thanks for your response.

I have given exact risk id for the mitigating control. Further the role and user have also been attached properly.

However I see the same report irrespective of the value for 'Exclude Mitigating Controls' and without mitigating control in the User or Role Analysis report.

Is there anything more to be done?

Anjali

Former Member
0 Kudos

Hi Anjali, please ensure that when you assign the controls to the Risk, the Risk ID specified in the mitigating controls should be X*, where X is the riskID.

So, if risk is R001, then the RiskID for the control you must specify as R001*.

Former Member
0 Kudos

Hi Simitaichi,

Yes, I have specified exact risk id. Actually I tried this for one more mitigating control and risk id. However it is still not working.

Regards,

Anjali

Former Member
0 Kudos

Hi Anjali, you specified only the specific riskID? Is there an '*' appended at the end?

You mentioned you have mitigated 1 user and 1 role for that control.

In that case it should work. Check the validity period of the user assignment?

Also, you may want to put '*' instead of the userID. This means that whichever user has that risk will be mitigated automatically.

Former Member
0 Kudos

Hi Simitaichi,

Thanks a lot for your response. I got the expected results.

Sorry, I missed the * in your previous reply. Thanks once again for bringing that to my notice.

Regards,

Anjali

Former Member
0 Kudos

Glad to be of help! I had the same pain when creating controls initially until I realised I had to include the *. The meaning of the * is so that it covers all rules associated with the risk. Without the *, it will not work.

Cheers!!

Former Member
0 Kudos

Hi Simitaichi,

I'm from the SAP Basis team. One HR analyst complained about a similar problem. She is unable to get the "Mitigating Control" column in the report when she runs the Risk Analysis -> User Level for an HR mitigating control.

While creating the Mitigation Control, I'm unable to append the "*" for Risk Id. It's throwing the following error:

Exception!!. No relavent language message available in database for :0055

Note:- Under Risk Analysis -> User Level the "Ignore Mitigation" is set to "NO"

In Configuration tab- Risk Analysis -- Exclude Mitigated Risks is also set to "NO"

Can anyone please help in this regard?
