1. Before creating mitigating controls, you need to create a Root Org entry; this replaces the Business Units used in previous AC versions. Navigate to the IMG under Shared Master Data Settings and create a Root Org as shown below:
2. You will need to:
   - Create the user in SU01 master in GRC.
   - Run the user sync jobs in GRC.
   - NWBC -> Access Management -> Access Control Owners: create an entry and select the owner type Mitigation Monitor or Mitigation Approver.
   - NWBC -> Master Data -> Organization: assign the user in the Owner tab. After the user is assigned to the organization, the user can be maintained as Mitigation Approver/Monitor during the Mitigation Control creation workflow.
3. Now create the mitigation control from NWBC -> Setup -> Mitigation Controls -> Create.
In SP13, when we are adding actions in the Reports tab, an error message pops up as shown below.
Without the report, the mitigation saves without issue. I am also adding the Action value by clicking F4, searching and then adding it. To resolve this, implement SAP Note 1902129 - Unable to save Mitigation control after adding AC Report.
Mitigation Monitor: The mitigation monitor is the person who checks whether the mitigation is being performed. This monitoring can be done manually, or alerts can be sent to the monitor. The "Reports" maintained in the Reports tab of the mitigating control will trigger an e-mail to the Mitigation Approver if the control monitor does not run that report within the frequency mentioned.
Alerts can be set through the program mentioned below by executing the Tcode GRAC_ALERT_GENERATE.
Mitigation Approver: Mitigation Approvers are assigned to controls and are responsible for approving changes to the control definition and assignments when workflow is enabled. In GRC 10.0 there is a predefined workflow for this. We need to maintain the configuration settings below in SPRO.
The standard workflows mentioned below need to be enabled.
Issues with Deletion of Mitigation Controls or MC assignments:
When deleting Mitigation Controls or Mitigation Control assignments, we used to get a "task executed" message, but the deletion was not happening. After implementing the steps mentioned below, the issue was resolved.
1. Run transaction SM30
2. Display the view GRFNPARENT in change mode
3. Add new line
4. Entity = SUBPROCESS
5. Parent = ORGUNIT