Skip to Content

Provisioning Roles only after Risks have been mitigated

Jul 28, 2017 at 08:33 PM


avatar image


I have completed most of my provisioning workflow tasks with much success, but have run into the below issue that i cannot find any information on here and have not been able to resolve.

When I create a request for a user that contains a role with a risk that should go through the remediation process with an existing mitigating control, currently the role owner is able to approve that role for assignment and it provisions without forcing the approver to assign a mitigating control which would then prompt my "Mitigation Assignment" workflow to start.

If I assign a control on my own it will trigger the "mitigation assignment" workflow as normal but I need this to be a mandatory feature as role owners if left to their own devices will just approve the access most times.

In 5.3 this was standard and a request could NOT continue until after a Risk was mitigated and then reviewed by a compliance officer.

my Risk Analysis config settings:

The request showing the High Risk Levels but allowing the role owner to still approve it and provision even with the risk.

On a side note I updated my original workflow to have an escape route for the GRAC_MSMP_DETOUR_SODVIOL thinking that maybe it was missing the workflow to prompt the SOD initiator but even when up update the role owner Stage with this, and create a new route for the SOD detour it still provisions without forcing a mitigating control.

Here are those stage updates...

Any help would be appreciated.


10 |10000 characters needed characters left characters exceeded
* Please Login or Register to Answer, Follow or Comment.

2 Answers

Best Answer
Yashasvi Sanvaliya Aug 04, 2017 at 08:13 AM

Hello Micheal,

What is your GRC version, please check if any of these NOTEs would be helpful for you:

2360878 - GRC AC : Access Request is getting approved with unmitigated risks
1587489 - Allows Approval without mitigation

1667440 - AC10 - Workflow Stage Task Settings for 'Approve Despite Risks'

Kind regards,


Show 2 Share
10 |10000 characters needed characters left characters exceeded


I am currently on the latest Service pack. GRCPINW 10.1 V1100_731 SP18

All of the notes you provided are included in previous releases or no longer valid.



Actually the following did resolve my issue:

1667440 - AC10 - Workflow Stage Task Settings for 'Approve Despite Risks

The MSMP process was not filled in on this after the BC set was activated. I deleted Appl ID 3 (which was missing the workflow) and then recreated it with the same BRF Function ID and then updated with the SAP_GRAC_CONTROL_MAINT workflow and this is now working.

config-pics.jpg (11.1 kB)
Ramesh Vithanala Jul 28, 2017 at 11:06 PM

Hi Micheal,

Did you enabled the Param ID 1061 & 1062?



Show 1 Share
10 |10000 characters needed characters left characters exceeded

Yes there are set as in the attached screen shot.

config2.jpg (33.1 kB)