Skip to Content

Provisioning Roles only after Risks have been mitigated


I have completed most of my provisioning workflow tasks with much success, but have run into the below issue that i cannot find any information on here and have not been able to resolve.

When I create a request for a user that contains a role with a risk that should go through the remediation process with an existing mitigating control, currently the role owner is able to approve that role for assignment and it provisions without forcing the approver to assign a mitigating control which would then prompt my "Mitigation Assignment" workflow to start.

If I assign a control on my own it will trigger the "mitigation assignment" workflow as normal but I need this to be a mandatory feature as role owners if left to their own devices will just approve the access most times.

In 5.3 this was standard and a request could NOT continue until after a Risk was mitigated and then reviewed by a compliance officer.

my Risk Analysis config settings:

The request showing the High Risk Levels but allowing the role owner to still approve it and provision even with the risk.

On a side note I updated my original workflow to have an escape route for the GRAC_MSMP_DETOUR_SODVIOL thinking that maybe it was missing the workflow to prompt the SOD initiator but even when up update the role owner Stage with this, and create a new route for the SOD detour it still provisions without forcing a mitigating control.

Here are those stage updates...

Any help would be appreciated.


Add comment
10|10000 characters needed characters exceeded

  • Follow
  • Get RSS Feed

2 Answers

  • Best Answer
    Aug 04, 2017 at 08:13 AM

    Hello Micheal,

    What is your GRC version, please check if any of these NOTEs would be helpful for you:

    2360878 - GRC AC : Access Request is getting approved with unmitigated risks
    1587489 - Allows Approval without mitigation

    1667440 - AC10 - Workflow Stage Task Settings for 'Approve Despite Risks'

    Kind regards,


    Add comment
    10|10000 characters needed characters exceeded

    • Yashasvi,

      Actually the following did resolve my issue:

      1667440 - AC10 - Workflow Stage Task Settings for 'Approve Despite Risks

      The MSMP process was not filled in on this after the BC set was activated. I deleted Appl ID 3 (which was missing the workflow) and then recreated it with the same BRF Function ID and then updated with the SAP_GRAC_CONTROL_MAINT workflow and this is now working.

      config-pics.jpg (11.1 kB)
  • Jul 28, 2017 at 11:06 PM

    Hi Micheal,

    Did you enabled the Param ID 1061 & 1062?



    Add comment
    10|10000 characters needed characters exceeded