We have set up the following:
W1) AE Workflows + Mitigation of CC Risks through AE
W2) CC Control Creation Workflows in AE
W3) CC Mitigation Object Workflows in AE
W4) CC Risk Creation Workflows in AE
The challenge is as follows:
When a manager is required to approve an access request which has
reported Risk violations the manager has to do one or more compliance
A) mitigate the risk
B) create a control (if it doesn't exist) and then mitigate the risk
We expect theoretically that when Action (A) is taken it should trigger
W3 and that when Action (B) is taken it should trigger W3 and W4.
However, we are finding that it does neither.
Please advise on whether we have overlooked required configuration
or whether this functionality does not exist.
Steps for the Reconstruction
Setup W1, W2, W3, W4
Request a new user account through AE and assign a role that generates
a violation with no existing controls.
Through AE in one of the workflow stages have the approver select
mitigate risk -> create the risk -> save the mitigation.
Check Compliance Calibrator:
Expected --> Two new workflows and the control should not exist in CC
Actual Observed --> No new workflows and control exists with the
mitigated user in the table