Mitigation Controls Creation & Assignment in SAP GRC 12.0

Mitigation Controls Creation in SAP GRC Security

Uploaded by

Sajeev Chowdary

Mitigation Controls creation and assignment in SAP GRC 12.0

Purpose of the document:

Creation and assignment of Mitigation Controls in SAP GRC 12.0. This document describes the
Mitigation configuration process in GRC12 Access Control very simply and easily.

What is Mitigation?

Mitigation allows you to mitigate certain risk violations that you want to make available to specific
users or roles. This is done by creating and assigning a Mitigation Control.

Why is Mitigation required?

You can use mitigation controls when it is not possible to separate segregation of duties (SoD) from
the business process.

Use

You can use Mitigating Controls to associate controls with risks and assign them to users, roles,
profiles, or HR objects. You can then define individuals as control monitors, or approvers, and assign
them to specific controls. You can also create organizations and business processes to help categorize
mitigating controls.

Using the Mitigating Controls section, you can complete the following tasks:

• Create mitigating controls (that you cannot remove)
• Assign mitigating controls to users, roles, and profiles that contain a risk
• Establish a period during which the control is valid
• Specify steps to monitor conflicting actions associated with the risk
• Create administrator, control monitors, approvers, and risk owners, and assign them to
mitigating controls

Now we will learn how to create and assign a Mitigation.

Step 1) As a prerequisite, create the two owners (normal dialog user IDs) in SU01 and assign them
the roles below.

GRC Controller Roles under PFCG

Then maintain both users under NWBC > Setup > Access Owners > Access Control Owners, as below.
Assign one as Mitigation Monitor and the second as Mitigation Approver.

Owners Assignment

Now Save and Close.

Step 2) Now we will create the Root Organization.

Path: SPRO > GRC > Shared Master Data Setting > Create Root Org Hierarchy

SPRO T code

Give the name as per your requirement and execute.

Step 3) Now go to NWBC > Setup and maintain the data for the Root Organization.

Under NWBC

Open the Organization you created.

The details on the General and Owners tabs are compulsory.

In the Owners tab, maintain the users we created in Step 1.

Step 4)

Now we will create a Mitigation Control ID.

Go to NWBC > Setup > Mitigation Control and maintain the details.

Under Access Risks, enter the Risk ID that you want to mitigate. One Mitigation ID can be used to
mitigate multiple risks.

Risk Id assignment

In the Owners tab, maintain the same two users we created in Step 1, one as Approver
and the other as Monitor.

Owners Assignment

We have now created the Mitigation Control ID. Save and close this tab.

Step 5)

Now we will assign this Mitigation Control ID to the user who has a risk.

In NWBC, go to Mitigated User under Access Management.

Go to the Assign tab and fill in all the required details. Enter the Control ID, Monitor, and
Approver that we already created, give the name of the user that you want to mitigate, and click
Save.

User Mitigation

Step 6)
We may now proceed with Risk Analysis.

Maintain all required details.

Upon executing Risk Analysis, it will show no violation.

Risk Analysis

The user is mitigated. We achieved our goal and learned the end-to-end process of Mitigation
creation and assignment here. Hope this document will help you to learn the mitigation process.