Introduction

Request Mitigation Policy is basically a set of rules which can be used to control the GRC request approval behaviour when there are risk violations in the request based on “Risk Type”, “Risk Level” of the violations reported in the access request. Additional request parameters can also be included while customizing the Mitigation Policy Rules.


SAP delivers a predefined BRF+ Application and BRF+ rule mapping that decides the Risk Mitigation policy for GRC. You can either delete this mapping or change the BRF mapping as per your requirement to enforce the approver to mitigate the risk in a request.


Requirement

Usually customers will have requirement to mitigate only specific type of risks after running risk analysis at Stage Level. We have a requirement where our customer wants SoD risks (High, Medium and Low) to be mitigated and Critical Action (High, Medium and Low), Critical Permission Risks (High, Medium and Low) not required to be mitigated.


Solution

The MSMP Workflow Stage Task Setting Configuration Parameter is tied to a BRF+ Configuration


The configuration is available through the below mentioned path.
SPRO =>Governance, Risk and Compliance =>Access Control =>Maintain AC Applications and BRFPlus Function Mapping and check the mapping for application “Request Mitigation Policy”.


Under the Application Mapping, there is the Application ID: ‘Request Mitigation Policy’. The BRF Function for this App ID is maintained by default. The BRF+ rule is created to identify which risk requires mitigation and which risk does not require. If there is no BRF+ Rule created for Mitigation Policy, then please remove the entry from IMG.


If the “Request Mitigation Policy” entry is deleted from Maintain AC Applications and BRFPlus Function Mapping then GRC will not allow approvers to approve the request until all risks are mitigated.


Hence we have customized Request Mitigation Policy rule according to our requirement. Following are the steps:

Configuration Setting 1

Stage Level setting “Approver Despite Risk” is set to “No”


Configuration Setting 2

Parameter 1072 – Mitigation of critical risk required before approving the request is set as “NO”. Even if it set as “YES” mitigation policy will overwrite these settings based on mitigation policy rules configured in BRF+


Configuration Setting 3

SPRO =>Governance, Risk and Compliance =>Access Control =>Maintain AC Applications and BRFPlus Function Mapping and check the mapping for application “Request Mitigation Policy”.


Request Mitigation Policy is maintained and associated with MSMP Process ID “SAP_GRAC_ACCESS_REQUEST”


Open BRF+ in “Expert Mode” and if you are not in Expert mode use “Personalize” button to open in Expert Mode as shown below:


BRF+ Mitigation Policy application provided by SAP is “GRAC_BRFP_MIT_POLICY”.


Open the Function of the Mitigation Policy BRF+ application and create a top expression as “Decision Table”. This decision table is the place where you define your Mitigation Policy rules.


Verify your Decision Table entries, Save and Activate the Decision Table.

Save and activate Function and Application and once completed use Function Simulation to verify the results.


After this we have created a GRC request with SoD and Critical Action risk violations and approver was prompted to mitigated only SoD risks and after mitigating SoD risks requested can be approved without mitigating Critical Action Risk Violations.


Request has SoD risk violations which are not mitigated as shown below:


Request has Critical Action risk violations which are unmitigated as shown below:

When approver tried to approve the request GRC stopped the approval with the error message as shown below:

Approver Mitigated the SoD risk violations in the request.


After mitigating the SoD risk violations approver is able to approve the request without mitigating Critical Action risk violations

Critical Action risk violations are not mitigated and approver can approve the request

Mitigation Policy can be customized as per your requirements by creating different rules in the Mitigation Policy BRF+ application.

References


2212543 – How to enforce mitigation of only a specific type of Risk ID

1614290 – Risk Analysis Mandatory for Access Request

Thanks for reading.

Looking forward for your valuable inputs in updating/improving the blog with all relevant details 🙂

Best Regards,

Madhu Babu Sai

To report this post you need to login first.

4 Comments

You must be Logged on to comment or reply to a post.

  1. Rakesh Ram

    Hello Madhu,

    Great Work as Always….

    Thanks for Sharing

    When I am searching for the application GRAC_BRFP_MIT_POLICY I am getting the message No Application Found. Can you help me with this please?

    Regards,

    Rakesh Ram M

    (0) 
  2. Artem Ivashkin

    Hello Madhu,

    Thank you for the article. It’s a pity, but just yesterday I played with Mit.Pol and before I hadn’t seen your post. Let me share a bit of my experience, perhaps you will include it into your article.

    When I followed to note 2212543, I faced with the error “Not a valid BRF plus ID”. In accordance with the note 1637515 you should copy it from 000 client. This note, by a some, reason is a hardly-find note on SMP, but it really helpful. However, maybe it’s valid only for my version of GRC – 10 SP22. BTW, what is your version you customized on?


    I tried to configure obligatory mitigating of any kind of risks, unfortunately, the only solution that works is to remove the string with Mit.Pol. Initially I configured the rule 80E0ED08B0561DEFA4FCEAD405569CF3 and assigned it to SAP_GRAC_ACCESS_REQUEST process. It seemed that my system ignored rule at all.

    Regards,

    Artem

    (0) 

Leave a Reply