Skip to Content
0

Approver for SOD risks in Access Request

Jul 14, 2017 at 09:07 PM

261

avatar image

Hello all,

I am implementing the following scenario When user submits access request, request checks for SOD conflicts and if there is a SOD conflict(s) it should detour to SAP standard SOD_VIOLDETOUR_PATH path (rule: GRAC_MSMP_DETOUR_SODVIOL) and if not it will get the Role Owner approval

I have the following questions,

1. When configuring the default stage level for SOD_VIOLDETOUR_PATH, i did not see any SAP standard approver (Risk Owner, Mitigation approver) as agents and wanted to know how others link Mitigation approver or Risk Owner here

2. As per note "1670504 - UAM: Risk Owner Wokrflow Agent - Class Based Rule" i like to implement the Risk Owner agent rule, but usually Mitigation approver is the one who adds and approves the mitigation for the users so why SAP thinks Risk Owner should be the approver instead for Mitigation approver.

3. If i want to create a custom agent and make mitigation approver as the approver in access request, then how to i link that custom agent to Mitigation approvers specified in the Risks. (do we need to write any custom FM)

Thanks,

Sri.

10 |10000 characters needed characters left characters exceeded
* Please Login or Register to Answer, Follow or Comment.

2 Answers

Best Answer
Madhu Babu Sai #MJ Jul 16, 2017 at 03:50 PM
0

Hi Sri,

Please find replies to your queries inline below:

1. When configuring the default stage level for SOD_VIOLDETOUR_PATH, i did not see any SAP standard approver (Risk Owner, Mitigation approver) as agents and wanted to know how others link Mitigation approver or Risk Owner here.

<Madhu> Usually when there are risk violations the request will be routed to the approver who can understand the violations in the request (either Compliance Team or Access Control Admin or Supervisors) and this approver will submit the control assignment request from the risk analysis tab which will go to Mitigating Control Owner for approval. The problem with this approach is mentioned in the below link. Please check

https://influence.sap.com/D8577

2. As per note "1670504 - UAM: Risk Owner Wokrflow Agent - Class Based Rule" i like to implement the Risk Owner agent rule, but usually Mitigation approver is the one who adds and approves the mitigation for the users so why SAP thinks Risk Owner should be the approver instead for Mitigation approver.

<Madhu> Risk Owner agent might not be a very good approach. Assume that your request has 10 risk violations and each risk has different risk owners then technically you need to route your request to 10 risk owners for approval. Instead may be you can define a team (Risk Compliance Team) and route the request to this team of approvers (using PFCG User Group/Role agent) whenever there are SoD risk violations and these approvers can immediately assign the control or reject the request based on risk violations in the request. To achieve this scenario do not enable Control Assignment request workflow and provide access to assign controls only to the approvers in risk compliance team.

3. If i want to create a custom agent and make mitigation approver as the approver in access request, then how to i link that custom agent to Mitigation approvers specified in the Risks. (do we need to write any custom FM)

<Madhu> Create a new custom function module or BRF+ rule for determining the Mitigation Approver (this can be based on risks in the request or can be a Mitigation Team) and route the request to this team of approvers whenever there are SoD risk violations and these approvers can immediately assign the control or reject the request based on risk violations in the request. To achieve this scenario do not enable Control Assignment request workflow and provide access to assign controls only to the approvers in Mitigation team.

Let me know if you have any queries.

Regards,
Madhu

Show 1 Share
10 |10000 characters needed characters left characters exceeded

Thanks Madhu for very detailed explanation. I will go with the first option as it won't stop users from getting the access and also at the same time the Mitigation approvers are notified via workflow for mitigating the risk.

I did setup parameter 1062(Mitigation Assignment) to "YES" and also i did set up parameter 1072 (Mitigation of Critical risk required before approving the request) to "NO" so that we can approve the request before mitigating the risks. Also one question, if the Mitigation requests is rejected will there be any notification to the approver who assigned the request to mitigation approvers?

Thank you,

Sri.

0
Plaban Sahoo Jul 17, 2017 at 04:45 AM
0

Hi,

2. Risk Owner are the owners of the risk, who would have authority on acceptance(via mitigation) or denial of risk. If Mit. control for the risk exists, then the Risk Owner should be able to trigger a assignment workflow to mitigation approver. So, Assignment approval workflow, should be active, and Mitigation Approver should be separate owner from Risk Owner..

This maintains SOD between Risk Owner and Mitigation approver.

Show 1 Share
10 |10000 characters needed characters left characters exceeded

Thanks Pablo, if the request is approved and mitigation approver rejects the mitigation request will there be any notification sent to the approver requested for Mit Cntrl? Do they have to then submit another request for role removal?

Thanks,

Sri

0