Skip to Content

Creating Mitigating Control at Rule Level vs Role & User Level Analysis

Hello GRC Gurus,

We are on GRC V10.1 & SP9,I think the following question will be applicable to all GRC version irrespective of the SP Level.

We Created a Mitigation Control for the Risk S020 and Rule 0019 & 0018 as per the SAP Standard Note

1600667 : Transaction that conflict with themselves

and we have not assigned the mitigating control at user level or role level.

The question I have here is when there is a mitigating control for risk S020 and Rule 0018 & 0019,why they are not populating at user level or role level risk analysis.The Risk and Rule are common irrespective if we run risk analysis at User level or Role Level. I think it should populate the mitigation control if there is one? If not I can assign one.

I agree if we mitigate at user level or role level, I am able to see the Mitigation Control at user level or role level risk analysis.

I hope I am not confusing anyone, can you please let me know if any one thought of this or its a SAP standard behavior.



Add comment
10|10000 characters needed characters exceeded

  • Get RSS Feed

1 Answer

  • Oct 27, 2015 at 06:29 PM


    Make sure you are looking at the DETAIL view when you select these lines as they are only valid for those combinations of actions.  I usually recommend that you only mitigate at the risk level as it usually the same report / mitigation that is needed for any action combination in the risk.

    Your selection to mitigate on the request risk analysis needs to match what you have listed to mitigate.


    Kevin Tucholke

    SAP America

    Add comment
    10|10000 characters needed characters exceeded

    • Kevin,

      Thank you for your reply, I looked at the Permission Level with Detailed report and I am still not seeing the Mitigating Control for the same risk S020 & same rule 0018 & 0019.

      I tried by selecting the Mitigation Analysis radio button too.