Skip to Content
Technical Articles

SAP GRC 10.0/10.1/12.0 – Creation of Mitigation Controls

  1. Before creating mitigating controls you need to create a Root Org entry, this replaces the Business Units in previous AC versions. Navigate to the IMG under Shared Master Data Settings and create a Root Org as shown below:

    2. You will need to:

  • Create User in SU01 master in GRC.
  • Run the user sync jobs in GRC.
  • NWBC – Access Management – Access Control Owners – Create an entry and select owner type as Mitigation Monitor or Mitigation Approver


  • NWBC- Master Data – Organization – Assign user in Owner tab. After assigning the user to the organization then user can be maintained as Mitigation Approver/Monitor during Mitigation Control creation workflow.


3. Now create mitigation control from NWBC -> Setup -> Mitigation Controls -> Create


In SP13, when we are adding actions in the reports tab, an error message pop-up as shown below.

Without the report the mitigation saves without issue. I am also adding the Action value by clicking F4, searching and then adding it. To resolve this implement SAP Note: 1902129 – Unable to save Mitigation control after adding AC Report

Mitigation Monitor: Mitigation monitor is the one who would be checking whether mitigation is being performed. This monitoring can be done either manually or alerts can be sent to the monitor. “Reports” which are maintained in reports tab of mitigating control, will trigger an e-mail to the Mitigation approver if control monitor does not run that report with in the frequency mentioned.

Alerts can be set through the program mentioned below by executing the Tcode GRAC_ALERT_GENERATE.



Mitigation Approver: Mitigation Approvers are assigned to controls and are responsible for approving changes to the control definition and assignments when workflow is enabled. In GRC 10.0 we have predefined workflow for this. We need to maintain the below configuration settings in SPRO.

Below mentioned standard workflows needs to be enabled.

Issues with Deletion of Mitigation Controls or MC assignments:


When deleting Mitigation Controls or Mitigation control assignments, we used to a get a message task executed but deletion was not happening. After implementing the steps mentioned below issue was resolved.


1.Run transaction SM30

2. Display the view GRFNPARENT in change mode

3. Add new line

4. Entity = SUBPROCESS

5. Parent = ORGUNIT


Mitigation Control Assignment Workflow


In GRC we have standard SAP provided workflow for Mitigation control assignment. I have come across few queries w.r.t this workflow as the mitigation assignment approver is not able to view the details as the “VIEW DETAILS” button is greyed out as shown in below screen.

Transport Organizational Units & Mitigation Controls

There is no Transport Mechanism to move the Business Units/Organizational Units & Mitigation Controls
from one Landscape to another Landscape in GRC Suite, because it is Master Data.

There is no Download & Upload functionality available for these Controls to move from one Landscape
to another.  Organizational Units & Mitigation Controls are tied together as these are shared among
GRC Access Controls & Process Controls.

You need to recreate it in Destination Environment as Transport/Movement is not possible.

When you create the Organizational Unit with the Description in GRC, the System will generate a
unique number for Organization Unit, which will be different for each system.  That was the
reason, we need to recreate Organizational Unit in each System.

But, Mitigating Control Assignments of User/Role/Profile/User Org/Role Org can downloaded from

one Landscape & can upload it to  another Landscape.

Most convenient way to change existing mitigations is to use standard ABAP program for download and upload.

Go to SA38 and use the following programs:



Once you have downloaded the full list into an Excel file you can do your adjustments and upload it again. Hope this would be helpful.

For understanding the Mitigation control life cycle, please go through the below blog by Alessandro for basic and process oriented understanding for Mitigation control Lifecycle


Mitigating Control Lifecycle


You must be Logged on to comment or reply to a post.
  • hi Madhu,


    thanks for sharing your view and its been very useful. But I got a doubt why the business process has been replaced by ORG unit if both serves the same purpose?




    • Hi Dhanu,


      Thanks for taking your time in going through the document.


      Its not business process. It is business unit in GRC 5.3 and now it has been changed as Organization. The main purpose of doing this is to allow sharing of mitigation controls between AC and PC using common org.hierarchy. Users can also maintain different views of org.structures depending on their needs which was missing with business unit concept.




    • Thanks Faisal. I am still updating it with any queries i come across so that it can be one stop for the people looking for help regarding Mitigation Controls in GRC 10.

  • Nice document. Thanks.

    Have you face a strange behavior of control change? Once a control is assigned to user, changing the monitor is more possible. Could you solve this problem?

  • very helpful document and good overview for migitation creation with prerequisites.

    addtional helpful woud be:

    a) Link to basic/official Mitigation Help

    b) Test description



  • Hi Rudolf,


    Thanks a lot for your feedback. I have recently come across a blog which helps you with basic mitigation understanding.


    Mitigating Control Lifecycle


    b. Test description ? I cannot understand about this. Can you be specific? If you want me to explain any example scenario from business point of view?




  • Thanks all for your feedback. If you have any points which adds more value to this blog, please suggest.




  • Hi Neeraj,


    Under Reports tab i don't think you will have any other tabs.


    Reports Tab Details


    Access Controls is used as a documental tool for Mitigating Controls, rather than a implementing tool, i.e. you apply the control against the role/user, but the actual application of the control is performed outside of Access Control. This may be realized by running a custom SAP report to monitor the usage of the risky functions within the ECC system etc.


    Action is for the t-code of the SAP Report. A brief explanation below will help in understanding


    If you have a mitigation control that Mr. Z will run X report using Y t-code on a frequent basis of monthly or quarterly and reviews the report.


    Then you need to give that Report name- X, in Action - Y T-code and frequency as Monthly/Quarterly. This helps for the system to check if the t-code has been executed or not in that frequency by the Monitor and generates a Alert [based on alert generation configuration]. If the monitor doesn't execute the action in backend in the set frequency, we will find an alert in Alert monitor- control monitoring, but if the monitor executes the action we will NOT get alert.


    The role of Monitor is to see whether everything that was risky from the access being mitigated is fine or not. That is, he/she would see to it that the user who has been given extra excess or conflicting access has not misused it. Every Mitigation control, for this purpose has a Monitor attached to it who does this job

    Action - This is some tcode a monitor has to execute in backend to see that reports.

    1. E.g. if someone is doing check payment entry(risk), and mitigation is done for a user/role, there must be a tcode where we can check what payments are made( sorry I am not well versed in FI Tcodes) , this tcode will be put in action tab and monitor will have to check it via that particular tcode.

    Frequency is simply what the period you want to set within which a monitor must perform this activity - say one week or one month.

    If a monitor doesn’t execute that action/tcode within that time, an alert will be generated and mail will be triggered to mitigation approver (indicating that supposed task is not being performed).

    Mitigating alerts check if a mitigation alert monitor has actually run the report that has been assigned in the control, in the defined period. He needs to have run that report at least once in order for this to work (so that CC can calculate the control period).



  • Hi Madhu,


    Thanks for your document!


    It is really very good . Your efforts are appreciated.


    Can you help me with below?


    I defined the mitigation controls with owners and monitors. Frequency is also maintained in them.


    I scheduled GRAC_ALERT_GENERATE this program in background on daily basis. My understanding was that, Control Monitor would receive email notifications if he fails to execute the reports/transaction codes in the target system.


    What is happening is that, daily on scheduled time, Control Owner is receiving email notifications with details of the control and their respective monitors. However, Control Monitors are not getting the email notifications!


    What do you think I missed?


    Proper email ids are maintained for all monitors in SU01 and email server is configured. Other ARQ email notification are duly sent.


    Do I have to run any other job for sending email notifications to control monitors?


    Can you advise?




  • Hi Madhu,


    Thank you for the document. I have a one remark on Reports tab.


    As per the document:

    "Reports" which are maintained in reports tab of mitigating control, will trigger an e-mail to the Mitigation approver if control monitor does not run that report with in the frequency mentioned.

    My Query:

    Can GRC AC has the functionality to check the back-end system whether control monitor execute the report or not with in the maintained frequency. I think this functionality is available in PC. Could you please clarify me on this part?

    Thanks in advance



  • Hi Madhu



    I created root entry , created a users in grc system with profile sap_all,Created an entry and selected owner type as Mitigation Monitor or Mitigation Approver in NWBC,

    while trying to assign user in owner tab in org , iam not able to find the those users in the search list..

    please suggest

    • Hi Khaleel,


      Please assign Control Approver and Control Monitor roles to your Users and test it. I assume SAP_ALL will not have GRC related authorization objects.







  • Hi Madhu,


    Thanks for this!


    I'm good with the above steps up until the last bullet point in step 2. You say, "Assign user in Owners tab...". I've tried this now multiple times in a variety of different ways, and it's not working.


    Essentially what happens is that I navigate to the Owners tab, add a row, input the name of a user that has already been defined as an owner, and click Save. The Organization window closes and a message appears at the top of the Organization Hierarchy window, "Organization updated successfully." However, when I open the organization up again, the user that I just entered and saved isn't there. No matter what I do, I can't get the system to actually save a user in the Owners tab!


    Any ideas about what I'm doing wrong??


    Thanks so much in advance!!


    • I would also like the answer to that. What is the "Users" tab for. If I have someone there, then I cannot assign this user in the "Owners" tab. Who knows what the tab Users does?

      Thanks so much in advance!

  • Hi All,


    Nice document it is, but my problem is that my mitigations is coming in non alphabetic order, when user is trying to mitigate the user so the list opens in LOV is in non alphabetic order, is their a way to change this settings so that monitor comes in right way

  • Hi All,

    I am having trouble getting the Mitigating Monitors to appear in the right order when mitigating.  We migrated from 5.3 and now in 10.1 when I add new Monitor in the Access Control Owners window it appears in alpha order by Owner ID, but when in the Organizations window (where I assigned the new monitor to the org hierarchy), he is appearing at the bottom of the list, but should not be. Also where I assign the Monitor to a Control he appears last. Hence the result is that when one goes to mitigate and assign a monitor, the list on Monitors to choose from is not in true alpha order.