
Re: Actions maintain in Mitigation Control ID Report Tab


Hi Rupesh,

Access Control is used as a documentation tool for Mitigating Controls rather than an implementing tool, i.e. you apply the control against the role/user, but the actual application of the control is performed outside of Access Control. This may be realized by running a custom SAP report to monitor the usage of the risky functions within the ECC system, etc.

Action is for the t-code of the SAP report. A brief explanation below will help in understanding.

Suppose you have a mitigation control where Mr. Z will run report X using t-code Y on a frequent basis, monthly or quarterly, and reviews the report.

Then you need to give that report name, X, in Action the t-code Y, and the frequency as Monthly/Quarterly. This lets the system check whether the t-code has been executed or not in that frequency by the monitor, and it generates an alert [based on the alert generation configuration]. If the monitor doesn't execute the action in the backend within the set frequency, we will find an alert in Alert Monitor - Control Monitoring, but if the monitor executes the action we will NOT get an alert.

The role of the Monitor is to see whether everything that was risky from the access being mitigated is fine or not. That is, he/she would see to it that the user who has been given extra access or conflicting access has not misused it. Every Mitigation Control, for this purpose, has a Monitor attached to it who does this job.

Action - This is some t-code a monitor has to execute in the backend to see those reports.

  1. E.g. if someone is doing check payment entry (risk), and mitigation is done for a user/role, there must be a t-code where we can check what payments are made (sorry, I am not well versed in FI t-codes); this t-code will be put in the Action tab and the monitor will have to check it via that particular t-code.

Frequency is simply the period you want to set within which a monitor must perform this activity, say one week or one month.

If a monitor doesn't execute that action/t-code within that time, an alert will be generated and an e-mail will be triggered to the mitigation approver (indicating that the supposed task is not being performed).

For creating Mitigation Controls in GRC 10.0, please check the blog post below.

Creation of Mitigation Controls in GRC 10.0

Regards,

Madhu.
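The check described in the reply above (a monitor, an action t-code, a frequency window, and an alert to the mitigation approver when the monitor has not run the t-code inside that window), as an added illustration that is not part of Madhu's post and is not SAP GRC's own code. The control IDs, users, custom t-codes, the frequency-to-days table and the execution log are all constructed assumptions for this example; in a real system the execution evidence would come from the backend (for instance transaction usage data), not from an inline list.

```python
"""Simplified model of how a mitigating control's Action/Frequency is checked.

Added illustration, not SAP GRC code. It mirrors the behaviour described in
the post: each control names a monitor, an action (the t-code of the report
the monitor must run) and a frequency; if the monitor has not executed that
t-code within the most recent frequency window, an alert is raised for the
mitigation approver. Control IDs, t-codes, users, the frequency-to-days table
and the execution log below are all constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed window lengths for the frequency labels used in the post.
FREQUENCY_DAYS = {"Weekly": 7, "Monthly": 30, "Quarterly": 90}


@dataclass(frozen=True)
class MitigatingControl:
    control_id: str
    monitor: str    # user who is expected to execute the action
    action: str     # t-code of the report the monitor must run
    frequency: str  # key into FREQUENCY_DAYS
    approver: str   # mitigation approver notified when the action is overdue


@dataclass(frozen=True)
class TransactionExecution:
    user: str
    tcode: str
    executed_on: date


def last_execution(control, log):
    """Latest date on which the control's monitor ran the control's action (None if never).

    Executions of the same t-code by other users do not count: the check is
    that the assigned monitor performed the review, not that someone did.
    """
    dates = [e.executed_on for e in log
             if e.user == control.monitor and e.tcode == control.action]
    return max(dates) if dates else None


def evaluate_controls(controls, log, as_of):
    """Return one alert per control whose action was not executed inside its window."""
    alerts = []
    for c in controls:
        window_start = as_of - timedelta(days=FREQUENCY_DAYS[c.frequency])
        last = last_execution(c, log)
        if last is None or last < window_start:
            alerts.append({
                "control_id": c.control_id,
                "monitor": c.monitor,
                "action": c.action,
                "last_executed": last,
                "window_start": window_start,
                "notify": c.approver,
            })
    return alerts


# Constructed sample data (hypothetical control IDs, users and custom t-codes).
SAMPLE_CONTROLS = [
    MitigatingControl("MC01", "MR_Z", "ZFI_PAYMENTS", "Monthly", "APPROVER1"),
    MitigatingControl("MC02", "MONITOR2", "ZMM_PO_REVIEW", "Quarterly", "APPROVER1"),
    MitigatingControl("MC03", "MONITOR3", "ZSD_CREDIT", "Weekly", "APPROVER2"),
]

SAMPLE_LOG = [
    TransactionExecution("MR_Z", "ZFI_PAYMENTS", date(2024, 3, 15)),        # inside window
    TransactionExecution("MONITOR2", "ZMM_PO_REVIEW", date(2023, 12, 20)),  # older than 90 days
    TransactionExecution("APPROVER1", "ZSD_CREDIT", date(2024, 3, 30)),     # run by the wrong user
]

SAMPLE_AS_OF = date(2024, 3, 31)


def run_sample():
    """Evaluate the constructed controls against the constructed log."""
    return evaluate_controls(SAMPLE_CONTROLS, SAMPLE_LOG, SAMPLE_AS_OF)


if __name__ == "__main__":
    for a in run_sample():
        print(f"ALERT {a['control_id']}: {a['monitor']} did not run {a['action']} "
              f"since {a['window_start']} (last: {a['last_executed']}); notify {a['notify']}")
```

Run as a script it reports MC02 (last run before the quarterly window opened) and MC03 (the t-code was run, but by the approver rather than the assigned monitor), while MC01 stays silent because its monitor ran the action inside the monthly window. The "wrong user" case is the one worth keeping in mind when reading the post: the alert is about whether the monitor performed the review, so evidence that someone else executed the t-code does not satisfy the control.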

