Alessandor,
Thank you very much for taking so much pain and sharing these details and thoughts.
If an Access Request has multiple risks and one among them does not have any mitigation control assigned, as you said, it can be removed from the screen using the "REMOVE" button and the rest of the risks can be mitigated.
However, in my configuration, the approver CANNOT approve a request until he mitigates all the risks. Therefore, even though he removes the risk which does not have any mitigation control assigned, he cannot approve the request!
I don't see the use of the remove button in my scenario. What do you think? Can you please share your thoughts based upon my scenario?
As for the "ADD" button, I remember that he can add a user ID for mitigation. But if an Access Request is raised for a specific user, then why should the approver add other user IDs?
I still have to check this "ADD" button function. The above is based upon my memory ;-)
Regards,
Faisal