In GRC10 – ARM Access Request approver have the choice to do Risk analysis at “Action Level”, “Permission Level”, “Critical Action”, “Critical Permission” and “Critical Role/Profile”. But In 5.3, Approver didn't have choice to decide while using from CUP.
When approver open access request in AC10 under Risk Violation tab Permission Level is always selected .Selection is fine as this is configured this way (Parameter in SPRO 1023 -Default Report Type for Risk Analysis). But the approver also has an option to deselect "Permission Level".
If you want to ensure that approver always keep "Permission Level" as an option, in other words option should be grayed out with permanent tick mark. This is to make sure that CUP enforce "Permission Level" check, otherwise if approver deselect then they can always skip the risk analysis by clicking different report types. Also possibility at times all the approver doesn't understand the meaning of each option. Both accidental / intentional ways skipping Risk Analysis is possible.
As you can see Permission level is always selected but editable. Approver can deselect and submit the request with no violation. This way unmitigated risks can be submitted.
We have achieved this by deploying SAP NOTE 1796838 - UAM Risk analysis at permission level set to non editable and following below steps.
1. Go to transaction se80.
Select Package as ‘GRAC_ACCESS_REQUEST’.
Click on Web Dynpro -> Web Dynpro Application
2 .Drill down to application ‘GRAC_OIF_REQUEST_APPROVAL’. Right click on it and click Test.
3. Now, the following screen will appear.
Go to the URL of the above screen and add the following string to it.
Go to Transaction SE16 and Enter table name as GRACREQ, enter any request number in REQ_ID field.
Click execute button and copy the value of field REQ_ID
Below is String to add in URL-
&SAP-CONFIG-MODE=X&OBJECT_ID=ACCREQ/<REQ_ID checked from above step>
Below is example for string to add in above screen dump URL..
Observe that the dump will now get removed and an access request will be opened.
4. Go to the Risk Violation Tab and right click on the Type check boxes and choose ‘Settings for Current Configuration’
5. Now, the following pop up window will appear.
In this, you can go to each of the type of result options and click on ‘read only access’ check box.
6 For example, If you click on Permission Level and set Read-Only Access as ‘Yes’, permission level will appear as non editable on approval screens for all requests.
Click on ‘Save and Close’.
Please see that the Permission level check box is now disabled.
Hope this will help you if you meet such a kind of requirement. and prevent from submit unmitigated Risk.
GRC - IDM Consultant.