The scenarios is as follows. We modified a role (that has been assigned to multiple users) with a new transaction. We ran risk analysis and remediation and on the role and there were no risks within the role. When we ran the monthly report of users with SOD risks, new users popped up. It turns out that the addition of the transaction caused a SOD conflict not within the role modified, but within two different roles that were assigned to certain users. Long story short, our internal controls team worked with the business unit and created a mitigating control.
Now here comes the question. In GRC RAR, how does one add a new mitigating control to a user. I understand that normally CUP is responsible for doing this with new requests, but since the change was as the role level rather than the user level, is there a way to manually (manually meaning not using CUP) to add the mitigating control to a user? Or would we really have to re-request a role in order for GRC to pick up a risk then assign the mitigating control through CUP (not very practica).
I looked around in RAR and found that under the Mitigation Tab >> Mitigated Users >> Click Search (will bring up all users with mitigating controls) >> then there is ADD, CHANGE, and DELETE, but it is grayed out. I added all the portal roles to myself in GRC, but nothing gave me the access to click on those tabs. So this definitely does not seem like an authorization issue.
Thank you for your help,