Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Changing Mitigating Control ID

Go to solution
Former Member

‎01-28-2015 7:21 PM

0 Kudos

Hi,

I've found that the mitigating control IDs can be modified and this updates the local control as well. I've also found that this is due to the SAP Note

"1675082 - Mitigating Control ID Can not be changed after Creation".

I would like to know why this SAP Note was created and the effect on the GRC system if the mitigating control ID is changed when the system allows it. I would like to know if there are any adverse effects in doing this.

Thank you.

Best Regards,

Raphael

1 ACCEPTED SOLUTION

Go to solution
Former Member

‎02-02-2015 6:05 PM

0 Kudos

Hi,

I've opened an OSS note to explore this further and SAP has indicated that they've found no issue with changing the mitigating control ID through the SAP note.

I'll review this further, but I believe this is looking good.

Thank you.

Best Regards,

Raphael.

5 REPLIES 5

Go to solution
alessandr0
Active Contributor

‎01-29-2015 4:47 PM

0 Kudos

Hi Raphael,

as it is mentiioned in the note it is not possible to change the control ID when risks are already mitigated. I am on a higher service pack level and it is not anymore possible to change the control ID after the control is created eventhough there is no active mitigation. Also I don't see a valuable reason in changing the control ID itself. The ID must be unique and is the key for all references (like mitigations).

Based on a specific business requirement it might make sense to change control ID after it is created.

What exactly are you looking for? Are you thinking of implementing this note? I suggest to rethink your requirement and based on that take the decision of implementing.

Let us know.

Regards,

Alessandro

Go to solution
Former Member
In response to alessandr0

‎01-29-2015 6:17 PM

0 Kudos

Hi Alessandro,

Thank you for the reply. May I know what SP pack you are currently in?

Thank you.

Best Regards,

Raphael

Go to solution
alessandr0
Active Contributor
In response to alessandr0

‎01-29-2015 6:25 PM

0 Kudos

Hi Raphael,

currently on AC 10.1 SP6 and AC 11.0. I am quite sure it was also not possible to change in AC 10.0 SP13. Maybe can help out as he is on SP13.

Regards,

Alessandro

Go to solution
Former Member
In response to alessandr0

‎01-29-2015 6:51 PM

0 Kudos

Hi Alessandro,

I've found that the mitigating control ID is modifiable in V1000 SP10 and above.

There were some mitigating controls that were used for testing and were no longer in use. Instead of just leaving them, I'm reusing them. These controls haven't been mitigated yet so the system is allowing changes to them. I've found that the system warns if it is mitigating an AC risk.

I've been testing changing the mitigating control ID in other systems and haven't found any impact as of yet. But I'm trying to determine if there is anything that I may have overlooked.

Thank you for the advice and I'm looking into it. Also thank you for VCard of Madhu.

Additional details:

  • No AC reports and monitors have been added
  • No mitigated users have been assigned to the mitigating control.


Best Regards,

Raphael

Message was edited by: Raphael Ramos

Go to solution
Former Member

‎02-02-2015 6:05 PM

0 Kudos

Hi,

I've opened an OSS note to explore this further and SAP has indicated that they've found no issue with changing the mitigating control ID through the SAP note.

I'll review this further, but I believe this is looking good.

Thank you.

Best Regards,

Raphael.