Make Sure Ineffective Mitigation Controls in SAP Process Control Don't Live On in SAP Access Control

  • by Neha Garg, Senior Developer, SAP Labs India Pvt. Ltd.
  • December 11, 2017
In the integration scenario between SAP Access Control and SAP Process Control, mitigation controls created in SAP Process Control can be used to mitigate access risks for users in SAP Access Control. When a subsequent assessment in SAP Process Control finds a control ineffective, a mechanism is needed to delete the respective controls in SAP Access Control so that the data stays consistent between SAP Access Control and SAP Process Control.
Learning Objectives

Reading this article, you will learn:

  • What mitigation controls are and how they are defined in SAP Access Control and SAP Process Control
  • How to automatically expire every mitigated user related with the mitigation control in SAP Access Control if the assessment of controls in SAP Process Control shows they are deficient
Key Concept

A mitigating control is a control used in auditing to discover and prevent mistakes that may lead to fraud in an organization. The control reduces the probability of a risk materializing. It is a step taken to correct vulnerabilities and protect the system from exploitation. Mitigation controls are required when segregation of duties (SoD) conflicts cannot be removed from the business process; mitigation is then an ongoing process of monitoring the risk. Mitigation controls can be created in SAP GRC even if SAP Process Control is not activated and only SAP Access Control is available in the landscape.

SAP Access Control and SAP Process Control both share the master data created for processes and subprocesses. You can use a mitigation control created in SAP Process Control to mitigate users in SAP Access Control as well. If a user performs an assessment of a mitigation control in SAP Process Control and the result is deficient, the system should automatically expire every mitigated user assignment that references that control in SAP Access Control. Otherwise a risk in SAP Access Control would remain mitigated by a control that SAP Process Control has already rated deficient.

New reports created in SAP Access Control automatically read the data of mitigation controls from SAP Process Control and show the details of expired mitigation controls. The user does not have to check the mitigation control data manually in SAP Access Control and SAP Process Control to identify which mitigation controls are valid and which are invalid. From the new SAP Access Control reports, you call the SAP Process Control classes to get this information regarding the mitigation controls. The reports are delivered via the SAP Access Control Support Package.
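The reconciliation the two paragraphs above describe can be modelled in a few lines. The following Python is an added example written for this article, not SAP code and not the delivered Support Package reports; the control ids, user ids, risk ids and dates are constructed sample data. It takes the latest Process Control assessment per control (so an older rating never overrides a newer one), expires every still-active Access Control assignment that references a control rated DEFICIENT, and then lists the user/risk pairs that are left with no active mitigation at all, which is exactly the set a reviewer needs to re-mitigate.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class ControlAssessment:
    """One assessment result recorded in Process Control for a mitigation control."""
    control_id: str
    rating: str        # "EFFECTIVE" or "DEFICIENT"
    assessed_on: date


@dataclass
class MitigationAssignment:
    """A user-level risk mitigation in Access Control that references a control by id."""
    user: str
    risk_id: str
    control_id: str
    valid_from: date
    valid_to: date

    def is_active(self, today: date) -> bool:
        return self.valid_from <= today <= self.valid_to


def latest_ratings(assessments):
    """Keep only the most recent assessment per control, so an older DEFICIENT
    result cannot override a newer EFFECTIVE one (and vice versa)."""
    latest = {}
    for a in assessments:
        current = latest.get(a.control_id)
        if current is None or a.assessed_on > current.assessed_on:
            latest[a.control_id] = a
    return {cid: a.rating for cid, a in latest.items()}


def expire_deficient_assignments(assignments, assessments, today):
    """Expire every active assignment whose control's latest rating is DEFICIENT.

    Returns (expired assignments, sorted (user, risk_id) pairs now unmitigated).
    Assignments are end-dated rather than deleted so the audit history survives.
    """
    ratings = latest_ratings(assessments)
    expired = []
    for asg in assignments:
        if asg.is_active(today) and ratings.get(asg.control_id) == "DEFICIENT":
            asg.valid_to = today - timedelta(days=1)  # validity ends yesterday
            expired.append(asg)
    # A risk may have several controls; only report it if none remain active.
    still_mitigated = {(a.user, a.risk_id) for a in assignments if a.is_active(today)}
    unmitigated = sorted({(a.user, a.risk_id) for a in expired} - still_mitigated)
    return expired, unmitigated


# Constructed sample data (hypothetical ids, not from any real GRC system).
TODAY = date(2017, 12, 11)
SAMPLE_ASSESSMENTS = [
    ControlAssessment("MC_PAY_01", "EFFECTIVE", date(2017, 11, 1)),
    ControlAssessment("MC_PAY_01", "DEFICIENT", date(2017, 12, 1)),   # newest wins
    ControlAssessment("MC_VEN_02", "EFFECTIVE", date(2017, 12, 5)),
    ControlAssessment("MC_HR_03", "DEFICIENT", date(2017, 10, 20)),
    ControlAssessment("MC_HR_03", "EFFECTIVE", date(2017, 12, 2)),    # remediated
]


def sample_assignments():
    """Fresh copies each call, because expiry mutates the objects."""
    return [
        MitigationAssignment("JSMITH", "P001", "MC_PAY_01", date(2017, 1, 1), date(2018, 12, 31)),
        MitigationAssignment("AKUMAR", "P001", "MC_PAY_01", date(2017, 1, 1), date(2018, 12, 31)),
        MitigationAssignment("AKUMAR", "P001", "MC_VEN_02", date(2017, 1, 1), date(2018, 12, 31)),
        MitigationAssignment("BLEE", "P003", "MC_HR_03", date(2017, 1, 1), date(2018, 12, 31)),
        MitigationAssignment("CWONG", "P001", "MC_PAY_01", date(2016, 1, 1), date(2017, 6, 30)),
    ]


def run_example():
    """Run the reconciliation over the sample data and return its two result lists."""
    return expire_deficient_assignments(sample_assignments(), SAMPLE_ASSESSMENTS, TODAY)


if __name__ == "__main__":
    expired, unmitigated = run_example()
    for a in expired:
        print(f"expired {a.user}/{a.risk_id} via {a.control_id}, valid_to={a.valid_to}")
    for user, risk in unmitigated:
        print(f"UNMITIGATED: {user} still carries risk {risk}")
```

Two details matter for the report. CWONG's assignment already ended in June, so it is left untouched rather than re-dated, and AKUMAR keeps a second, effective control on the same risk, so only JSMITH appears in the unmitigated list. A real implementation would read the assessment ratings through the Process Control classes the article mentions instead of from an in-memory list.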

Every mitigation control should be associated with an organization, business process, and subprocess. An organization, business process, and subprocess can be created using transaction code SPRO in any SAP GRC system. These attributes are shared across SAP Access Control and SAP Process Control.

Neha Garg

Neha Garg, senior developer, SAP Labs India Pvt. Ltd., has nine years of experience in SAP Labs. Neha is currently working with the Installed Base Maintenance Support (IMS) organization, SAP Labs, India, for SAP Access Control 5.3, 10.0, and 10.1. Neha has vast experience and has worked on multiple technologies, including JavaScript, Java, web services, OData services, SAPUI5, HANA, ABAP WebDynpro, Floor Plan Manager with ABAP WD, ABAP OO, SAP ABAP dictionary, and function modules for a broad range of SAP modules and SAP Access Control. Neha has worked in almost all the sub-components of SAP Access Control and has published one patent in the SAP Access Control area.
