If we mitigate a role and assign the role to a user, the risk will still appear in user level risk analysis, then what is the use of assigning mitigating control to the role?
If this is the case than I'll consider assigining mitigating controls only to users.