
Mass change of Mitigation Assignments

This document describes how to perform a mass change of mitigation assignments. I would like to give you an overview of how the download/upload programs for mitigations can be used and in which business scenarios they might be helpful.

Please note that the programs used to perform mass mitigation changes are available with AC 10.0 SP10. See also OSS note:

Problems which can be handled:

  • Change monitor of mitigating controls (e.g. replacements)
  • Change validity date
  • Change system
  • Add / Remove a huge number of mitigations
  • Activate / Deactivate a huge number of mitigations

The most complex scenario is changing a monitor of mitigating controls, and this is the best-practice process I would like to share in this document. All other scenarios are similar and can be handled analogously.

An existing monitor who still monitors mitigations must be replaced in those mitigations before he can be removed from a control. The following error message will appear if you try to remove the monitor.


First we have to define the new monitor by adding a new row with assignment type = Monitor. Please be aware that the new monitor must be assigned to the organization unit and must be an owner (prerequisites).


The following picture shows that BANZER_A is still monitoring an active mitigation for the user T-BANZER as we could see above. It is also possible that the user monitors more than one mitigation.


Updating all mitigations in NWBC would take some time and therefore you can use the following programs.

  • GRAC_DOWNLOAD_MIT_ASSIGNMENTS: to download all mitigations to a local file
  • GRAC_UPLOAD_MIT_ASSIGNMENTS: to upload all mitigations from a local file

Start the program via transaction SA38.


Besides user mitigations, it is also possible to download profile, role and role/user organizational mitigations. In this example we are going to change user mitigations and therefore we choose USER.


Personally I always download all mitigations as an XLS file, as it is easy to change the content with Excel (filter, search, etc.).


After downloading the file you will see all mitigations in Excel. In my example I have only one mitigation for the user T-BANZER.


The structure of the file, as the titles are missing, is given below.


It is possible to update each column (system, validity, etc.) and also to add additional lines for new user mitigations. Please be aware that the values are checked while uploading and wrong data will abort the upload.

As we can see in the following picture I have updated the monitor in column H to LIJA (user name of the new monitor).


After I am done editing the file, I save it and upload it via the upload program. For this I again use SA38.


Here it is also possible to upload user, role, profile and organizational mitigations. Uploading mitigations can be done in two different modes. Append means the uploaded mitigations will be added to the existing ones, whereas overwrite will overwrite all existing mitigations. Please be aware that if you have, for example, 1000 mitigations and you upload a single record and choose overwrite, all others will be deleted and the single mitigation will be the only one existing in the system.

To avoid such scenarios I always download all mitigations to a file, copy the file, modify the copy and upload the modified file. In case something goes wrong I can upload the old file.
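The backup, copy and modify routine above can be checked mechanically before the upload is started. The following is an added example, not part of the original post or of the SAP programs: it assumes the download was saved as tab-delimited text without titles, the function names are hypothetical, and columns A to G of the sample are constructed placeholders; only column H as the monitor comes from the post.

```python
import csv
import io

MONITOR_COL = 7  # column H (0-based), the monitor column named in the article

# Constructed sample: columns A-G are placeholders, since the real layout
# is not reproduced here; only "column H = monitor" comes from the article.
BACKUP = (
    "T-BANZER\tSYS01\tRISK01\tCTRL01\tORG01\t20150101\t20151231\tBANZER_A\n"
    "T-USER02\tSYS01\tRISK02\tCTRL01\tORG01\t20150101\t20151231\tBANZER_A\n"
    "T-USER03\tSYS01\tRISK03\tCTRL02\tORG01\t20150101\t20151231\tOTHER_M\n"
)
MODIFIED = BACKUP.replace("BANZER_A", "LIJA")


def read_rows(text, delimiter="\t"):
    """Parse a header-less export saved as delimited text, skipping blank lines."""
    reader = csv.reader(io.StringIO(text), delimiter=delimiter)
    return [[c.strip() for c in row] for row in reader if any(c.strip() for c in row)]


def check_before_upload(backup_text, modified_text, old_monitor, mode):
    """Return findings for the modified copy; an empty list means it matches the plan."""
    backup, modified = read_rows(backup_text), read_rows(modified_text)
    findings = []
    for n, row in enumerate(modified, 1):
        if len(row) <= MONITOR_COL:
            findings.append(f"line {n}: no monitor column (H)")
        elif row[MONITOR_COL].upper() == old_monitor.upper():
            findings.append(f"line {n}: still assigned to {old_monitor}")

    def key(row):
        # Identity of an assignment = every column except the monitor.
        return tuple(row[:MONITOR_COL] + row[MONITOR_COL + 1:])

    backup_keys = {key(r) for r in backup}
    modified_keys = {key(r) for r in modified}
    missing = backup_keys - modified_keys
    if mode == "overwrite" and missing:
        findings.append(f"overwrite would delete {len(missing)} existing assignment(s)")
    extra = modified_keys - backup_keys
    if extra:
        findings.append(f"{len(extra)} row(s) new or changed outside column H")
    return findings
```

An empty result means every backed-up assignment is still present, nothing but the monitor column changed, and the old monitor no longer appears in column H.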


If the file is uploaded successfully you will see the following message. Errors will also be reported.


In NWBC we had the following mitigation before uploading.


After uploading we can see the new monitor.


Now the old monitor can be removed and the mitigating control is successfully updated.


As mentioned above, it is also possible to change other values in the local file, such as validity date, systems, etc., which makes it easy to change a huge number of mitigations.

Let me know if you have other inputs to extend this document.

Best regards,


      • Hi Alessandro,


        I have seen this very good documentation.


        I have changed the Monitor user assignment to the risk.

        I have made a download of the existing data and changed the monitor user there too.

        If I try to upload the file, I get an error message.

        Valid-to date can at line number 1…, 2…and so on.


        I don’t see which date the program means. The valid to date below “Mitigated User” is after the valid from date.


        Any idea?




  • Hi Alessandro, thank you for the tutorial, very useful.

    One comment:

    What happens if I try to upload a Mitigation Control for a Risk that no longer exists? Because the Mitigation is based on risks that can be eliminated in the meantime (the time between when you decide to assign a mitigating control and when you actually do the mass import).

    Thanks again.

  • Hi Alessandro, thank you for the tutorial, very useful.

    Can you please provide suggestions on below points:

    1. The Mitigation report under the Set-up tab is not giving the right info in the Updated by and Updated on fields. Sometimes it's missing updates in mitigation controls. Can you please guide what can be the matter here?



    2. Any issues, precautions or preparations needed for the PC 10 to 10.1 upgrade?



    Thanks and kind regards

  • Thanks for the guide, Alessandro – well done.


    Hopefully SAP addresses the bug with the “end to” date.  There should never be a case where I can download existing mitigations as backup and then it fails to upload this same file because some mitigation assignments have expired – this is bad programming.


    The program checks that the end date is AFTER the start date – that is good!

    But it should NOT matter if the end date is in the past – this is a bug.

      • Hi Ying,


        Sorry, I have not followed up with SAP.  We worked around this by “appending” the updated mitigations and hoping that we don’t need to restore the backup fully. Nevertheless, if I get time, I may submit this to SAP as a bug.


        One additional note:  If mitigation monitors have changed, this will NOT be reflected in the assigned mitigations or the downloaded file.  When uploading the file, this field must be updated or the upload will fail.  I compare report GRC AC Reporting -> Access Risk Analysis Reports -> Mitigation Control Report with the download file and mass updated the monitor field before uploading.




        • Thanks Steven. I created a message to SAP and the notes below help.


          2235825-Mitigation Assignment Upload Risk ID is

          2209729-Mitigation Control load incorrect Date format

          2094947-Invalid date format in GRAC_UPLOAD_MIT_ASSIGNMENTS causes inconsistencies

          2101309-Mitigation assignment upload throws Invalid Role error

          2172752-AC10.0 ARA SP20-Issue in upload mitigation-file location