Skip to Content
author's profile photo Former Member
Former Member

Mitigation assignment approval in Access Request Workflow

Hi Guys,

I am currently implementing GRC for one of the clients. I have a question with respect to Mitigation assignment approval in Access Request Workflow.

Below is the Scenario,

1) User Submits the request

2) Manager Approves

3) Role Owner runs the SOD & finds SOD violations. Role Owner assigns the mitigation controls & approves the request


Once the role owner approves , depending on the mitigation controls assigned , can this request be routed to the mitigation control owner for approval in next stage? is this configurable with out custom BRF+ rules ? I know there is a workflow separately (SAP_GRAC_CONTROL_ASGN) for approval of assignment which I suppose is out side of the Access request workflow.

Please suggest.

Add a comment
10|10000 characters needed characters exceeded

Assigned Tags

Related questions

2 Answers

  • Best Answer
    author's profile photo Former Member
    Former Member
    Posted on Jul 24, 2014 at 02:21 AM

    Hi Alessandro,

    Thanks a lot for your reply.

    So from what i understand : Once the role owner assigns the mitigation, new workflow is triggered for mitigation control assignment approval .

    The role owner must wait until this has been approved by the mitigation approver through the other workflow.

    When mitigation assignment is approved , role owner would approve the access request.

    So all i need to do is to activate the SAP_GRAC_CONTROL_ASGN workflow for this scenario to work.

    Correct me if i am wrong.

    Add a comment
    10|10000 characters needed characters exceeded

    • Pavan,

      more or less - as the control assignment workflow is independent the access request doens't wait. So if the role owner set a mitigation the control workflow starts. If you allow the role owner to approve the access request with risks, means if the risk isn't mitigated, then the role owner can proceed.

      To have your scenario working you must set the following in Access Request workflow: Role Owners are not allowed to approve as long as there are risks. All risks must either be remediated or mitigated before approval. That means if the role owner sets a mitigation the assignment workflow starts. As soon as the mitigation is valid (final approval) the access request can be approved.

      Technically both workflows are independent and don't have a relation to each other. But with some settings you can combine them.

      Does this answer your question?



  • Posted on Jul 23, 2014 at 08:41 AM

    Hi Pavan,

    that's not possible with standard functionality. As you've mentioned you can use the Control Assignment workflow but that starts a new workflow and doesn't affect the access request workflow. So if you put a mitigation and the control assignment workflow starts, the access request workflows goes to its next stage. It is then possible that the control assignment gets rejected but that doesn't affect the access request.

    To build up your requirement you have to use BRF+ rules.

    Hope this helps.



    Add a comment
    10|10000 characters needed characters exceeded

Before answering

You should only submit an answer when you are proposing a solution to the poster's problem. If you want the poster to clarify the question or provide more information, please leave a comment instead, requesting additional details. When answering, please include specifics, such as step-by-step instructions, context for the solution, and links to useful resources. Also, please make sure that you answer complies with our Rules of Engagement.
You must be Logged in to submit an answer.

Up to 10 attachments (including images) can be used with a maximum of 1.0 MB each and 10.5 MB total.