ARM request approved before Mitigation Control assignment rejection

Oct 25, 2017 at 11:00 PM


Hi,

I am implementing the following MSMP WF.

1. The user submits a request, then SAP Security runs the risk analysis, mitigates the risks (this creates a separate WF for the Mitigation Control Approver) and approves the request. Then it goes to the next stage for final approval. I set parameter 1072 to "NO" because of the approval timeline issue.

Now what if the request gets approved and the roles are assigned to the user, and then the Mitigation Control assignment is rejected? How should I manage this situation? Once the Mitigation Control is rejected, will it automatically create another request to remove the role, or do I have to set up a notification to the security team so that we initiate another request to remove the roles whose mitigation was rejected?

Please let me know how I should proceed with this.

Thanks,

Sri S


2 Answers

Best Answer
Alessandro Banzer
Oct 27, 2017 at 09:45 PM

Sri,

did you consider having the approval of the mitigation approver in the actual access request (rather than in the mitigation approval workflow)? In that way you can control the outcome of the role assignment. You can define a routing from your Security stage in case mitigations were set, then route to the mitigation approver who can either approve or reject the request/roles. By doing that, everything is captured in one request, which increases the traceability of the steps involved. Also, it avoids unwanted/unapproved access in the system.

Looking forward to hearing your thoughts on that.

Cheers, Alessandro


Thanks a lot Alessandro, you are very helpful as always.

I have one more question. If I include a Mitigation Approver stage, will the risks be mitigated immediately by the mitigation approver (instead of on the submit button) if I set parameter 1062 to "No"?

Also, if I have 10 risks (a different mitigation approver for each risk), how do I hold the request until all the high risks are mitigated/approved? (We only want High risks to be mitigated and ignore Low and Medium.) If I set "All approvers" instead of "Any one approver", then approval from all approvers may not be required in case we have only 2 mitigations instead of all 10.

Is there any way that the request forwards the approval only to those mitigation approvers based on the outcome of the risk analysis?

Thank you,

Sri,


Hi Sri,

either configuration works. I see it as follows (just as an example):

- Requester requests 3 roles, whereas 2 roles create a conflict.

- Security assigns the mitigations and approves the request. The detouring rule gets triggered since SOD violations/mitigations are present in the request. The detouring works on role level, which means only the roles creating SOD violations are detoured to the mitigation monitors.

- The mitigation monitors are one stage with several approvers. You can set that all approvers have to approve the request in order to get through.

Let me know if you need further details.

Cheers, Alessandro


Sorry for the delayed response, and thanks a lot Alessandro. But when I tried to add the "GRAC_MSMP_MITIG_APPROVER_AGENT" rule for the "GRAC_CONTROL_ASSIGNMENT_APPROVER" agent in the "SAP_GRAC_ACCESS_REQUEST" Process ID, I got the error "Enter Valid Rule-ID". I will work on this.

Thank you,

Sri S

Yashasvi Sanvaliya Oct 26, 2017 at 08:49 AM

Hello Sri,

As you are not restricting request approval at the 1st stage (Security), you can still do it for the second stage.

In MSMP, for the second stage, please set:

- RA mandatory as YES

- Do not check the checkbox "Approve Despite Risk"

Kind regards,

Yashasvi


Thank you Yashasvi,

We do not want to uncheck "Approve Despite Risk":

1. Because of the timeline issue with the approvals, and we only want to mitigate the High risks; Medium and Low are OK. (If we uncheck "Approve Despite Risk", will it only check the ones we send for mitigation approval (High), or will it check all risks in the request?)

2. Also, users need access in no time, and it may take time to get mitigation approval if multiple High risks exist in one request.

In general, I would like to know whether there is any other way, or whether we have to manually check every day for non-mitigated users.

Thank you,

Sri,
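To make the two configurations discussed in this thread concrete (the role-level detour to mitigation monitors that Alessandro describes, and the daily check for non-mitigated users that Sri asks about at the end), here is a small Python model added to the page. It is not SAP GRC code and does not call any SAP API; every name in it (Risk, Request, detour_plan, stage_outcome, unmitigated_assignments, the Z_* roles, the R00x risk IDs and the monitor names) is a constructed stand-in for the real MSMP objects. It shows that only roles belonging to a High risk are routed, that an "all approvers" stage is rejected as soon as one monitor rejects, that provisioning can be held back for exactly the conflicting roles, and what a reconciliation check has to look for when roles are provisioned before the monitors decide (the parameter 1072 = NO situation from the original question).

```python
# Constructed model of the MSMP routing discussed in this thread. It is not SAP GRC
# code; all class, function, role, risk and monitor names are invented for illustration.
from dataclasses import dataclass, field

HIGH, MEDIUM, LOW = "High", "Medium", "Low"


@dataclass(frozen=True)
class Risk:
    risk_id: str
    level: str          # High / Medium / Low
    roles: frozenset    # the role combination that causes the SoD conflict
    monitor: str        # mitigation monitor who must approve the control


@dataclass
class Request:
    user: str
    roles: set
    risks: list = field(default_factory=list)
    decisions: dict = field(default_factory=dict)   # risk_id -> "approved" | "rejected"


def run_risk_analysis(request, catalog):
    """Stand-in for the risk analysis: a risk fires when every role in it is requested."""
    request.risks = [r for r in catalog if r.roles <= request.roles]
    return request.risks


def detour_plan(request, levels=(HIGH,)):
    """Role-level detour: only roles of a risk at a mitigated level go to that risk's monitor."""
    plan = {}
    for r in request.risks:
        if r.level in levels:
            plan.setdefault(r.monitor, set()).update(r.roles)
    return plan


def stage_outcome(request, levels=(HIGH,)):
    """'All approvers' stage: every routed risk must be approved; one rejection rejects the stage."""
    routed = [r for r in request.risks if r.level in levels]
    statuses = [request.decisions.get(r.risk_id) for r in routed]
    if any(s == "rejected" for s in statuses):
        return "rejected"
    if all(s == "approved" for s in statuses):
        return "approved"
    return "pending"


def provisionable_roles(request, levels=(HIGH,)):
    """Roles safe to provision now: anything not tied to a routed risk that is still unapproved."""
    blocked = set()
    for r in request.risks:
        if r.level in levels and request.decisions.get(r.risk_id) != "approved":
            blocked |= r.roles
    return request.roles - blocked


def unmitigated_assignments(assignments, decisions, catalog, levels=(HIGH,)):
    """Reconciliation for the provision-first setup (roles assigned before the monitor decides):
    return (user, risk_id) pairs where the user holds every role of a routed risk whose
    mitigation is rejected or still pending."""
    findings = []
    for user, roles in sorted(assignments.items()):
        for r in catalog:
            if r.level in levels and r.roles <= roles and decisions.get((user, r.risk_id)) != "approved":
                findings.append((user, r.risk_id))
    return findings


# Constructed risk catalogue; role names, risk IDs and monitors are made up.
CATALOG = [
    Risk("R001", HIGH, frozenset({"Z_AP_INVOICE", "Z_AP_PAY"}), "monitor.ap"),
    Risk("R002", HIGH, frozenset({"Z_PO_CREATE", "Z_PO_APPROVE"}), "monitor.mm"),
    Risk("R003", MEDIUM, frozenset({"Z_AP_INVOICE", "Z_VENDOR_MAINT"}), "monitor.ap"),
]


def demo():
    req = Request("sri", {"Z_AP_INVOICE", "Z_AP_PAY", "Z_PO_CREATE", "Z_VENDOR_MAINT"})
    run_risk_analysis(req, CATALOG)          # R001 (High) and R003 (Medium) fire
    plan = detour_plan(req)                  # only R001's two roles go to monitor.ap
    before = provisionable_roles(req)        # the two non-conflicting roles may be provisioned now
    req.decisions["R001"] = "rejected"       # the monitor rejects the control assignment
    outcome = stage_outcome(req)             # "all approvers" stage is therefore rejected
    # Provision-first variant: all four roles were already assigned, so the daily check must flag it.
    findings = unmitigated_assignments({"sri": req.roles}, {("sri", "R001"): "rejected"}, CATALOG)
    return plan, before, outcome, findings


if __name__ == "__main__":
    print(demo())
```

Run as a script, the demo shows the detour plan containing only monitor.ap with the two conflicting roles, the two harmless roles as immediately provisionable, the stage outcome "rejected", and one reconciliation finding for user sri on risk R001. The point of keeping the Medium risk out of every function's default level filter is that it mirrors the "only High risks need mitigation" policy in the thread; pass `levels=(HIGH, MEDIUM)` to see the Medium risk routed and blocked as well.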
