Hi Stacey,
This is a right behavior. When you have 2 roles (Test1 & Test2) with same tcodes and mitigate only one role (say Test1) and try to run the Risk analysis at ROLE level, you will see the actual difference in RESULTS for both the roles.
However, when it comes at USER level (considering you have including Role level mitigation in User Analysis), it is always a Risk (irrespective of the role from where it comes) for a USER. Here Role level mitigation will now turn towards USER level with Risk ID. User is mitigated now with particular risk and that is irrespective how many roles has that same risk. So system will show all the roles as mitigated, because user is mitigated for that risk.
This does not sound good, if we mitigate one user with one role for one risk and do the same activitiy for same risk for different roles.
Thanks & Regards
Neeraj