
SAP GRC Mitigation Control

Updated May 18, 2018

What is Mitigation?

Mitigation allows you to accept certain risk violations that you want to remain available to specific users or roles, rather than removing the access. This is done by creating a Mitigation Control and assigning it to the object that carries the risk.

Mitigation Control performs the following functions:

  • Identifies the Segregation of Duties (SoD) conflict as a known, accepted Risk.
  • Establishes a period of time during which the Risk may exist (is monitored).
  • Associates a list of Monitors with the Control. Only Monitors associated with a Control definition may be selected when mitigating a Risk.

Mitigation Controls can be assigned to Users, Roles, Profiles, or HR Objects to mitigate a Risk.
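To make the three functions listed above concrete, here is an added illustrative model (not SAP GRC's own tables, transactions or API): a control that names the risk it covers, a validity period and the permitted monitors, plus a check that rejects assignments using a monitor outside the control's list, assignments that have run past their time limit, and violations with no valid mitigation at all. All identifiers (control, risk, user, role and monitor names) and the sample data are constructed for this example.

```python
from dataclasses import dataclass
from datetime import date

# Object types a control may be assigned to, per the description above.
OBJECT_TYPES = {"USER", "ROLE", "PROFILE", "HR_OBJECT"}


@dataclass(frozen=True)
class MitigationControl:
    # Hypothetical structure; field names are assumptions for this example.
    control_id: str
    risk_id: str            # the SoD risk this control acknowledges as known
    valid_from: date
    valid_to: date          # monitoring period: mitigation is not permanent
    monitors: frozenset     # only these monitors may be chosen when mitigating


@dataclass(frozen=True)
class MitigationAssignment:
    control_id: str
    object_type: str        # USER / ROLE / PROFILE / HR_OBJECT
    object_id: str
    risk_id: str            # the risk violation found for this object
    monitor: str
    valid_to: date          # time limit of this particular assignment


def validate_assignment(assignment, control, today):
    """Return a list of findings; an empty list means the assignment is acceptable."""
    findings = []
    if assignment.object_type not in OBJECT_TYPES:
        findings.append(f"unsupported object type {assignment.object_type}")
    if assignment.control_id != control.control_id:
        findings.append("assignment references a different control")
    if assignment.risk_id != control.risk_id:
        findings.append(f"control {control.control_id} does not cover risk {assignment.risk_id}")
    if assignment.monitor not in control.monitors:
        findings.append(f"monitor {assignment.monitor} is not associated with control {control.control_id}")
    if not (control.valid_from <= today <= control.valid_to):
        findings.append("control is outside its validity period")
    if assignment.valid_to > control.valid_to:
        findings.append("assignment outlives the control's monitoring period")
    if assignment.valid_to < today:
        findings.append("assignment has expired; the risk is no longer mitigated")
    return findings


def unmitigated_violations(violations, assignments, controls, today):
    """Return (object_type, object_id, risk_id, reasons) for violations lacking a valid mitigation."""
    by_object = {}
    for a in assignments:
        by_object.setdefault((a.object_type, a.object_id, a.risk_id), []).append(a)
    result = []
    for obj_type, obj_id, risk_id in violations:
        candidates = by_object.get((obj_type, obj_id, risk_id), [])
        if not candidates:
            result.append((obj_type, obj_id, risk_id, ["no mitigation assigned"]))
            continue
        reasons, mitigated = [], False
        for a in candidates:
            control = controls.get(a.control_id)
            if control is None:
                reasons.append(f"unknown control {a.control_id}")
                continue
            findings = validate_assignment(a, control, today)
            if not findings:
                mitigated = True
                break
            reasons.extend(findings)
        if not mitigated:
            result.append((obj_type, obj_id, risk_id, reasons))
    return result


# Constructed sample data: one control, three assignments, four detected violations.
TODAY = date(2010, 8, 11)
SAMPLE_CONTROLS = {
    "MC_P2P_01": MitigationControl("MC_P2P_01", "P001", date(2010, 1, 1),
                                   date(2010, 12, 31), frozenset({"MON_AP_LEAD"})),
}
SAMPLE_ASSIGNMENTS = [
    MitigationAssignment("MC_P2P_01", "USER", "JSMITH", "P001", "MON_AP_LEAD", date(2010, 12, 31)),
    MitigationAssignment("MC_P2P_01", "ROLE", "Z_COMP_AP", "P001", "MON_OTHER", date(2010, 12, 31)),
    MitigationAssignment("MC_P2P_01", "USER", "KDOE", "P001", "MON_AP_LEAD", date(2010, 3, 31)),
]
SAMPLE_VIOLATIONS = [
    ("USER", "JSMITH", "P001"),
    ("ROLE", "Z_COMP_AP", "P001"),
    ("USER", "KDOE", "P001"),
    ("USER", "AROE", "P001"),
]


def demo():
    """Run the sample data through the check; only JSMITH is validly mitigated."""
    return unmitigated_violations(SAMPLE_VIOLATIONS, SAMPLE_ASSIGNMENTS, SAMPLE_CONTROLS, TODAY)


if __name__ == "__main__":
    for obj_type, obj_id, risk_id, reasons in demo():
        print(f"{obj_type} {obj_id} risk {risk_id}: {'; '.join(reasons)}")
```

The expired assignment for KDOE is reported alongside the objects that were never mitigated, which is the point of the time limit: once the period lapses the risk must either be remediated or consciously re-accepted, not left silently covered.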


  • 11 Aug 2010 4:24 pm David Helpful Answer
    Mitigation is a temporary 'after the event' control which the business process owner and (usually) internal audit have agreed is required as the SoD or critical permissions cannot practicably be cleared by changing accesses.
    Single roles should never need to be mitigated; composite roles may need to be: if a composite provides a user with all of their SAP transactions/permissions, the user and the composite will have the same access and, therefore, the same risks.
    The mitigation should never be considered as a permanent replacement to remediation which is why there is a time limit for each one.
    Before going to mitigation, review the supplied ruleset to ensure the objects and values are fully understood and correct, e.g. having FBL5N without FB02 access doesn't constitute a real risk with other transactions as it is only a view access, but it can be flagged as a major problem. Think about the issues rather than relying on an SAP-delivered ruleset...
  • 17 Feb 2010 7:44 am Guest
    1: Lowering the risk.
    2: Putting a check against a role, user, etc.

  • 25 Jun 2010 7:12 am Guest
    Whenever a User/Role has an SoD violation/Risk and it is not possible to remove any authorization from the user, in such a case Mitigation comes up. It's a process where you accept the risk but lower its severity by assigning monitoring on the User/Role having the risk.

  • 12 Sep 2010 12:47 pm Guest
    Can anyone tell me about the mitigation of roles with clarity?
  • 12 Sep 2010 2:00 pm Guest
    Simply put, only composite roles which are assigned to users to provide their job role should need mitigation, as they would represent the full access of the user/user group. All singles or composites which provide only part of the user's access need to be fully remediated.
  • 28 Sep 2010 10:02 am Guest
    Having a problem setting up background jobs in order to meet the mitigation requirements. I have tried setting up the job in the user's name, using both the program and transaction name as the mitigation report. The issue is that GRC needs to be able to confirm that the mitigation report is run. Does the report have to be run manually by the user, or can an automated job be set up and recognised by GRC?