- Before creating mitigating controls you need to create a Root Org entry, this replaces the Business Units in previous AC versions. Navigate to the IMG under Shared Master Data Settings and create a Root Org as shown below:
2. You will need to:
- Create User in SU01 master in GRC.
- Run the user sync jobs in GRC.
- NWBC – Access Management – Access Control Owners – Create an entry and select owner type as Mitigation Monitor or Mitigation Approver
- NWBC- Master Data – Organization – Assign user in Owner tab. After assigning the user to the organization then user can be maintained as Mitigation Approver/Monitor during Mitigation Control creation workflow.
3. Now create mitigation control from NWBC -> Setup -> Mitigation Controls -> Create
In SP13, when we are adding actions in the reports tab, an error message pop-up as shown below.
Without the report the mitigation saves without issue. I am also adding the Action value by clicking F4, searching and then adding it. To resolve this implement SAP Note: 1902129 – Unable to save Mitigation control after adding AC Report
Mitigation Monitor: Mitigation monitor is the one who would be checking whether mitigation is being performed. This monitoring can be done either manually or alerts can be sent to the monitor. “Reports” which are maintained in reports tab of mitigating control, will trigger an e-mail to the Mitigation approver if control monitor does not run that report with in the frequency mentioned.
Alerts can be set through the program mentioned below by executing the Tcode GRAC_ALERT_GENERATE.
Mitigation Approver: Mitigation Approvers are assigned to controls and are responsible for approving changes to the control definition and assignments when workflow is enabled. In GRC 10.0 we have predefined workflow for this. We need to maintain the below configuration settings in SPRO.
Below mentioned standard workflows needs to be enabled.
Issues with Deletion of Mitigation Controls or MC assignments:
When deleting Mitigation Controls or Mitigation control assignments, we used to a get a message task executed but deletion was not happening. After implementing the steps mentioned below issue was resolved.
1.Run transaction SM30
2. Display the view GRFNPARENT in change mode
3. Add new line
4. Entity = SUBPROCESS
5. Parent = ORGUNIT
Mitigation Control Assignment Workflow
In GRC we have standard SAP provided workflow for Mitigation control assignment. I have come across few queries w.r.t this workflow as the mitigation assignment approver is not able to view the details as the “VIEW DETAILS” button is greyed out as shown in below screen.
SAP has confirmed that this is the standard functionality and has release a note to inform all the users. Please check the below note for the same.
Mitigation Controls – Deleting Root org. Issues
When few users tried to delete the root organizations which were created as part of creating mitigation controls through Tcode PPOM, they were getting some error message as shown below.
Assignment to subordinate objects (Organizational unit ABCD, for example), not possible
Execute the report RHRHDL00 and from here try to delete the root. orgs and the issue will be fixed and they will be removed. But one thing to make sure is all the all the objects under the root org are deleted prior to this.
Transport Organizational Units & Mitigation Controls
There is no Transport Mechanism to move the Business Units/Organizational Units & Mitigation Controls
from one Landscape to another Landscape in GRC Suite, because it is Master Data.
There is no Download & Upload functionality available for these Controls to move from one Landscape
to another. Organizational Units & Mitigation Controls are tied together as these are shared among
GRC Access Controls & Process Controls.
You need to recreate it in Destination Environment as Transport/Movement is not possible.
When you create the Organizational Unit with the Description in GRC, the System will generate a
unique number for Organization Unit, which will be different for each system. That was the
reason, we need to recreate Organizational Unit in each System.
But, Mitigating Control Assignments of User/Role/Profile/User Org/Role Org can downloaded from
one Landscape & can upload it to another Landscape.
Most convenient way to change existing mitigations is to use standard ABAP program for download and upload.
Go to SA38 and use the following programs:
Once you have downloaded the full list into an Excel file you can do your adjustments and upload it again. Hope this would be helpful.
For understanding the Mitigation control life cycle, please go through the below blog by Alessandro for basic and process oriented understanding for Mitigation control Lifecycle