I have tried to investigate this also, but it seems the specific risk analysis screen is not modifiable via the "EUP" method.
I presume this would involve custom coding and also adding custom SPRO Configuration parameters to allow the admin to "Enable/Display only" certain selection fields for the risk report runs.
The only thing you can do by default is select the "Default" Risk Analysis Report type, of which you can only select one exclusive value. Ideally, I would like to have Permission Level and Critical Actions running as default in a single analysis. Having said that, this doesn't address your requirements of disabling selections.
Sorry I can't be of much help, but would be interested in reading what other members of the Forum think about your idea.
Thank you for your prompt answer. This is a real issue because the end users could easily override the control (preventive analysis) by checking critical permissions, knowing that we don't use that functionality.
As for the default values, you can select only one value.
The only thing I can come up with is an automatic analysis on request submission which would route the request to a detour for resolution if any violations were detected. However... I believe it only does the analysis type set as default... and only one value can be selected.
Your understanding on how the tool works is correct.
But to be honest, the only way to remove risks within an Access Request is by either removing the access from the request (which isn't a bad thing), or by mitigating the risk. There is an additional workflow that can be enabled, where the Mitigating Control Owner is required to approve the assignment of any control they own to the user within the request. Is this something worth considering for implementation?
My solution at a current project is basically exactly what you have set up, minus the Mitigating Control Assignment approval sub path. We have made it mandatory for the risk analysis to be performed by the Risk Owner if the request gets detoured to them (SOD Violation detour path) and we have instructed them to select Permission Risk and Critical Action and Perm report types. In the ideal world, if all 3 were enabled automatically and also "locked" from deselecting (as you wish to have), that would be the ultimate solution.
Edited by: Kaushal Vastani on Mar 8, 2012 1:08 PM