Skip to Content
avatar image
Former Member

GRC CUP 5.3 SP16, detour path not working for SOD violations


Something bazaar is going on in our requests processing and not sure if that's the way SAP has set it up.

We configured a detour path for requests with SOD violations to go to the additional stage of 'SOX Approver' but the first stage (manager) does the risk analysis and Mitigation assignment and then it goes to Role owner approver that approves the roles access. Once the role owner approves the roles , if the request had SOD violations, even if the mitigation was selected and approved by the manager stage, it needs to go to the SOX approver stage to approve the mitigation assignment before the request can be auto provisioned for any requests that had sod violations.

But it seems to skip the sox approver detour path stage after the role owner approval and go directly to auto provisioing. I thought that any requests that had sod violations inspite of having mitigation assignment in a previous stage can be detoured to the next path for SOX approval and then auto provisioned. Since SAP doesn't give different approval option to approve mitigation vs. approve roles, wherever you make the risk analysis mandatory, that's where the mitigation controls have to be assigned. But we want the option to detour the path to SOX approver to approve those mitigation controls b4 auto provisioning the request.

Any idea of how to fix this?

Is the detour only going to work if the mitigation wasn't assigned? But then how can you get approval for the mitigation on a different stage if the same person has to assign and approve that?

Will appreciate any feedback in this.



Add comment
10|10000 characters needed characters exceeded

  • Get RSS Feed

1 Answer

  • avatar image
    Former Member
    Sep 21, 2011 at 06:42 AM

    Hi Alley,

    Have you created the workflow stages for mitigation control maintenance and assignments in CUP. Enable the configuration settings in RAR under workflow for the mitigation control maintenance.

    This might help you in triggering the workflow for mitigation control assignments

    So, far detour is concerned it will trigger the workflow only if mitigation controls are not assigned as the condition itself is SoD violations if Yes - trigger de-tour

    Please check with the above options if it is working or not

    Thanks and Best Regards,


    Add comment
    10|10000 characters needed characters exceeded

    • Former Member

      I was actually able to resolve the issue by adding the role approver stage first to the sox approver detour path.. this way..if the manager has roles with sod violations and updates mitigations for it, it goes to the role approver via detour path as well first and then to the sox approver stage b4 auto provisioining. So, that solved our problem. And if the request doesn't have SOD violations then it just goes to the next stage without detour which also has the role approver as the last stage.

      Since I couldn't get the sox approver stage to show up after the role approver as originally anticipated since the request already had mitigation assigned at the manager level, we did the above scenario to fix the issue.

      Requestor >Manager ->Role Approver-->auto provisioning (without SOD violations)

      Requestor >Manager > Detour (Role Approver >SOX Approver) ->Auto Provisioning (with SOD violations)