Skip to Content

ARM request approved before Mitigation Control assignment rejection


I am implementing the following MSMP WF.

1. user submits request and then SAP security will run the risk analysis and mitigate the Risks (creates a separate WF for Mitigation Control Approver) and then approves the request. Then it goes to the next stage for final approval. I did set the parameter 1072 to "NO" because of the approval timeline issue.

Now what if the the request gets approved and roles are assigned to the user and then the Mitigation Control assignment is rejected. How should i manage this situation. Once the Mitigation Control is rejected will it automatically create another request to remove the role or do i have to set notification to security team so that we initiate another request to remove the roles where mitigation is rejected.

Please let me know how should i proceed with this.


Sri S

Add comment
10|10000 characters needed characters exceeded

  • Get RSS Feed

2 Answers

  • Best Answer
    Oct 27, 2017 at 09:45 PM


    did you consider having the approval of the mitigation approver in the actual access request (rather than in the mitigation approval workflow)? In that way you can control the outcome of the role assignment. You can define a routing from your Security stage in case mitigations were set, then route to the mitigation approver who can either approve or reject the request/roles. By doing that, everything is captured in one request which increases the trace-ability of the steps involved. Also, it avoids unwanted/unapproved access in the system.

    Looking forward to hear your thoughts on that.

    Cheers, Alessandro

    Add comment
    10|10000 characters needed characters exceeded

    • Sorry for the delayed response, Thanks a lot Alessandro. but when i tried to add "GRAC_MSMP_MITIG_APPROVER_AGENT" rule for "GRAC_CONTROL_ASSIGNMENT_APPROVER" agent in SAP_GRAC_ACCESS_REQUEST" Process ID i am getting the error "Enter Valid Rule-ID". I will work on this.

      Thank you,

      Sri S

  • Oct 26, 2017 at 08:49 AM

    Hello Sri,

    As you are not restricting request approval at 1st stage (Security), you can still do it for second stage.

    in MSMP For second stage, please set

    RA mandatory as YES

    DO not check the checkbox "Approve Despite Risk"

    Kind regards,


    Add comment
    10|10000 characters needed characters exceeded

    • Thank you yashasvi,

      We do not want to uncheck "Approve Despite Risk"

      1. because of the timeline issue with the approvals and we only want to mitigate the high risks.../Medium and low are ok (what if we uncheck "approve despite risk" will it only check the ones we send for mitigation approval(high) or will it check all risks in the request.

      2. Also Users need access in no time and it may take time in-order to get mitigation approval if there are multiple High risks exists in one request.

      In general i would like to know is there any other way or do we have to manually check everyday for non-mitigated users.

      Thank you,