ARM request approved before Mitigation Control assignment rejection

sreekanth_sunkara
Active Participant

Hi,

I am implementing the following MSMP WF.

1. user submits request and then SAP security will run the risk analysis and mitigate the Risks (creates a separate WF for Mitigation Control Approver) and then approves the request. Then it goes to the next stage for final approval. I did set the parameter 1072 to "NO" because of the approval timeline issue.

Now what if the request gets approved and roles are assigned to the user, and then the Mitigation Control assignment is rejected? How should I manage this situation? Once the Mitigation Control is rejected, will it automatically create another request to remove the role, or do I have to set up a notification to the security team so that we initiate another request to remove the roles where mitigation is rejected?

Please let me know how I should proceed with this.

Thanks,

Sri S

Accepted Solutions (1)

alessandr0
Active Contributor

Sri,

did you consider having the approval of the mitigation approver in the actual access request (rather than in the mitigation approval workflow)? In that way you can control the outcome of the role assignment. You can define a routing from your Security stage in case mitigations were set, then route to the mitigation approver, who can either approve or reject the request/roles. By doing that, everything is captured in one request, which increases the traceability of the steps involved. Also, it avoids unwanted/unapproved access in the system.

Looking forward to hearing your thoughts on that.

Cheers, Alessandro

sreekanth_sunkara
Active Participant

Thanks a lot Alessandro, you are very helpful as always.

I have one more question. If I include the Mitigation Approver stage, will the risks be mitigated immediately by the mitigation approver (instead of by the Submit button) if I set parameter 1062 to "No"?

Also, if I have 10 risks (a different mitigation approver for each risk), then how do I hold the request until all the High risks are mitigated/approved? (We only want High risks to be mitigated and ignore Low and Medium.) I could set it to "All approvers" instead of "Any one approver", but then "All approvers" approval may not be required in case we have only 2 mitigations instead of all 10.

Is there any way that the request forwards the approval only to those mitigation approvers based on the outcome of the risk analysis?

Thank you,

Sri

alessandr0
Active Contributor

Hi Sri,

Either configuration works. I see it as follows (just as an example):

- Requester requests 3 roles, whereas 2 roles create a conflict.

- Security assigns the mitigations and approves the request. The detouring rule gets triggered since SoD violations/mitigations are present in the request. The detouring works on role level, which means only the roles creating SoD violations are detoured to the mitigation monitors.

- The mitigation monitors are one stage with several approvers. You can set that all approvers have to approve the request in order for it to get through.

Let me know if you need further details.

Cheers, Alessandro
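As an added illustration (example code written for this page, not SAP code and not part of Alessandro's reply), the following Python simulates the role-level detour described above: Security assigns mitigations, only roles that contribute to a risk at or above the chosen severity are routed to their mitigation monitors, the request stays pending until every routed monitor has decided ("All approvers"), and roles whose mitigation was rejected are withheld from provisioning instead of being assigned first and cleaned up later. The role names, risk IDs, control IDs, monitor IDs and the per-role risk mapping are constructed sample data; a real GRC risk analysis reports risks per conflict rather than per role, so the mapping is a simplification.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Severity ranking used to decide which risks require a mitigation decision.
SEVERITY = {"Low": 1, "Medium": 2, "High": 3}


@dataclass(frozen=True)
class Risk:
    risk_id: str
    level: str  # "Low", "Medium" or "High"


@dataclass
class Mitigation:
    control_id: str
    approver: str                  # mitigation monitor (hypothetical user ID)
    decision: Optional[str] = None  # None = pending, else "approve" / "reject"


@dataclass
class AccessRequest:
    requester: str
    roles: List[str]
    risks: Dict[str, List[Risk]]        # role -> risks the role contributes to (simplified)
    mitigations: Dict[str, Mitigation]  # risk_id -> control assigned by Security


def risks_needing_mitigation(req: AccessRequest, role: str, min_level: str) -> List[Risk]:
    """Risks on this role at or above min_level; lower risks are accepted without approval."""
    return [r for r in req.risks.get(role, []) if SEVERITY[r.level] >= SEVERITY[min_level]]


def detour_roles(req: AccessRequest, min_level: str = "High") -> Dict[str, Set[str]]:
    """Role-level detour: map each conflicting role to the monitors who must approve it.

    Raises if Security approved a role with an unmitigated risk above the threshold,
    which is the gap that would otherwise let the role be provisioned unreviewed.
    """
    routing: Dict[str, Set[str]] = {}
    for role in req.roles:
        approvers: Set[str] = set()
        for risk in risks_needing_mitigation(req, role, min_level):
            mit = req.mitigations.get(risk.risk_id)
            if mit is None:
                raise ValueError(f"{role}: {risk.level} risk {risk.risk_id} has no mitigation assigned")
            approvers.add(mit.approver)
        if approvers:
            routing[role] = approvers
    return routing


def record_decision(req: AccessRequest, risk_id: str, decision: str) -> None:
    """A mitigation monitor approves or rejects the control assignment for one risk."""
    if decision not in ("approve", "reject"):
        raise ValueError(decision)
    req.mitigations[risk_id].decision = decision


def evaluate(req: AccessRequest, min_level: str = "High") -> Dict[str, object]:
    """'All approvers' semantics: pending until every detoured role is decided.

    Once complete, a role is provisioned only if all its high-risk mitigations were
    approved; any rejection withholds the role, so nothing is assigned and then revoked.
    """
    detour_roles(req, min_level)  # validates that every risk above threshold is mitigated
    provision: List[str] = []
    withheld: List[str] = []
    for role in req.roles:
        decisions = [req.mitigations[r.risk_id].decision
                     for r in risks_needing_mitigation(req, role, min_level)]
        if any(d is None for d in decisions):
            return {"status": "pending", "provision": [], "withheld": []}
        (provision if all(d == "approve" for d in decisions) else withheld).append(role)
    return {"status": "complete", "provision": provision, "withheld": withheld}


def sample_request() -> AccessRequest:
    """Constructed sample: 3 roles requested, 2 of them create a High SoD conflict."""
    return AccessRequest(
        requester="jdoe",
        roles=["Z_AP_INVOICE", "Z_AP_PAYMENT", "Z_DISPLAY_ONLY"],
        risks={
            "Z_AP_INVOICE": [Risk("P001", "High")],
            "Z_AP_PAYMENT": [Risk("P001", "High"), Risk("F010", "Medium")],
            "Z_DISPLAY_ONLY": [],
        },
        mitigations={
            "P001": Mitigation("MC-AP-01", "monitor.ap"),
            "F010": Mitigation("MC-FI-07", "monitor.fi"),
        },
    )


if __name__ == "__main__":
    req = sample_request()
    print("detour:", detour_roles(req))      # only the two conflicting roles, only monitor.ap
    print("before decision:", evaluate(req))  # pending, nothing provisioned
    record_decision(req, "P001", "reject")
    print("after rejection:", evaluate(req))  # Z_DISPLAY_ONLY provisioned, AP roles withheld
```

Raising the threshold to "Medium" in `detour_roles` and `evaluate` routes Z_AP_PAYMENT to both monitors, which is the "only those mitigation approvers that the risk analysis produced" behaviour asked about, without hard-coding a fixed approver list per stage.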

sreekanth_sunkara
Active Participant

Sorry for the delayed response, and thanks a lot, Alessandro. But when I tried to add the "GRAC_MSMP_MITIG_APPROVER_AGENT" rule for the "GRAC_CONTROL_ASSIGNMENT_APPROVER" agent in the "SAP_GRAC_ACCESS_REQUEST" Process ID, I got the error "Enter Valid Rule-ID". I will work on this.

Thank you,

Sri S

Answers (1)

former_member226273
Active Participant

Hello Sri,

As you are not restricting request approval at the 1st stage (Security), you can still do it for the second stage.

In MSMP, for the second stage, please set:

RA mandatory as YES

Do not check the checkbox "Approve Despite Risk"

Kind regards,

Yashasvi

sreekanth_sunkara
Active Participant

Thank you Yashasvi,

We do not want to uncheck "Approve Despite Risk"

1. Because of the timeline issue with the approvals, and because we only want to mitigate the High risks; Medium and Low are OK. (What if we uncheck "Approve Despite Risk": will it only check the ones we send for mitigation approval (High), or will it check all risks in the request?)

2. Also, users need access in no time, and it may take time to get mitigation approval if multiple High risks exist in one request.

In general, I would like to know if there is any other way, or whether we have to manually check every day for non-mitigated users.

Thank you,

Sri