
The motivation to write this document comes with the Community Collaboration for GRC Blogs and Documents project that we have started recently in the GRC space. Leo (S A) has requested a document that elaborates which tools and transactions are used by a GRC consultant. I have extended the request to also name some programs and tables I regularly use to complete my job. The following listing will give you an overview of transactions, tools, programs and tables used by a GRC consultant. Each table is sortable by clicking on headings.

 

 

Transactions

 

| Transaction | Description | Key Area | Why is this useful? | Further details, links, etc. |
|---|---|---|---|---|
| NWBC | Launch Netweaver Business Client | All | Launch NWBC HTML. You will need to have work centre roles assigned or build your own. | |
| SPRO | Customizing | All | Self explanatory – configuration entry point for both GRC and plug-in systems | |
| GRAC_UPLOAD_MIT_ASGN | Upload Mitigation Assignments | ARA | Upload a huge number of mitigations (user, role, profile) in one shot. You can either append to your current mitigations or overwrite them. Program GRAC_UPLOAD_MIT_ASSIGNMENTS. | Mass change of Mitigation Assignments |
| GRAC_DWLOAD_MIT_ASGN | Download Mitigation Assignments | ARA | Download a huge number of mitigations (user, role, profile) in one shot. Program GRAC_DOWNLOAD_MIT_ASSIGNMENTS. | Mass change of Mitigation Assignments |
| GRFNMW_CONFIGURE_WD | MSMP Workflow Configuration | WF | MSMP Workflow Configuration – standard view (web dynpro will launch) | |
| GRFNMW_CONFIGURE | MSMP Workflow Config Expert | WF | SAP GUI expert mode for workflow configuration. Do not use this transaction if you are not familiar or strong with MSMP configuration, as you will risk corrupting your build. This is useful if you need to retransport or transport all of the MSMP in one go, as you can select it like an IMG table. | |
| GRFNMW_DBGMONITOR_WD | MSMP Instance Runtime Monitor | WF | Comprehensive view of the workflow execution for MSMP evaluation including Stage/Path calculation, provisioning notes, notifications and agents. This is useful for an Administrator to track issues with an MSMP after a request has been submitted. | |
| SWDD | Workflow Builder | WF | Unlikely you will need to go into this transaction as the workflows for SAP are out of the box and MSMP is used. You can identify the MSMP integration from here. | |
| SWIA | | WF | SAP standard workflow. This will allow you to check the current Workflow and Task numbers. If the MSMP Instance Runtime shows the workflow is completed but SWIA is not completed, then there is an issue with the workflow configuration. Check Marketplace in case there is a correction. | |
| GRAC_ROLE_MASS_IMPRT | Mass Role Import from Backend System | BRM | | |
| GRAC_SPM_CLEANUP | Cleanup EAM Application Data | EAM | Program to clean up EAM tables. | |
| GRAC_EAM/GRAC_SPM and /GRCPI/GRIA_EAM | EAM Logon Pad | EAM | For centralized firefighting, you use GRAC_EAM to open the EAM Launchpad on the GRC system. For decentralized firefighting, you use /GRCPI/GRIA_EAM to open the EAM Launchpad on the plug-in systems. The launchpad for centralized firefighting displays all the plug-in systems to which you have access. The launchpad for decentralized firefighting does not display any systems because it allows you to access only the current plug-in system. | |
| GRAC_UPLOAD_RULES | Upload Access Control Rules | ARA | This is available in the IMG navigation and allows you to import the rule set. Note, if you have workflow activated for your ruleset it will not trigger workflow. | |
| GRAC_COPY_RULES | Copy Access Control Rules | ARA | Utility for copying SOD rules from one system to another of the same type. | |
| GRAC_RULE_DELETE | Delete Access Control Rules | ARA | This is available in the IMG navigation and allows you to delete the rule set. Note, if you have workflow activated for your ruleset it will not trigger workflow. | |
| GRAC_DOWNLOAD_RULES | Download Access Control Rules | ARA | This is available in the IMG navigation and allows you to download the rule set. Recommend you save a selection variant with the file name and paths so you do not have to continually maintain them. | |
| GRAC_GENERATE_RULES | Generate Access Control Rules | ARA | This is available in the IMG navigation and allows you to mass generate the rules. You can also execute this via NWBC; however, this program allows you to schedule it in the background via SM36/37. | |
| GRAC_RULE_TRANSPORT | Transport Access Controls Rules | ARA | This is available via IMG navigation and allows you to mass transport the rule set. | |
| GRAC_EXPORT_RA | Export Risk Analysis Data (e.g. when the file is too big for the web) | ARA | Program to download the results of the risk analysis to a local file. | |
| GRAC_BATCH_RA | Risk Analysis in Batch Mode | ARA | This is available in the IMG navigation and triggers the program for you to schedule batch risk analysis. Ensure your configuration parameters are set. | |
| GRAC_GENERATE_RULES | | WF | Build MSMP rules (usually BRF+). Refer to comment below for creating application first. | |
| GRAC_GEN_ERM_BRFRULE | | WF/BRM | Build the BRF+ Rules for BRM role methodology and approval conditions groups. Note: before running, go to BRF+ and create a shell application that has been assigned to a transport and activated. Use this application in your definition. If not, it gets created in $TMP. | |
| BRFPLUS | BRFplus Workbench | WF | Alternative transactions: BRF+ and FDT_Workbench. You can maintain the BRF+ rules here and transport through to Production. | |
| STZAD | Customizing Time Zones | BC | Discuss with Basis before making any changes to the timezone as it can impact EAM log collections, etc. | |
| SLG1 | Display Application Logs | BC | Application log display. It is useful to track error messages. Most GRC authorisation errors will show in the application log. | |
| SE61 | SAP Documentation (Email templates, etc.) | All | Document maintenance. | |
| SE63 | Translations | All | This transaction enables you to directly translate individual objects. | |
| SCPR20 | Activate BC Sets | Basis | Activation of BC Sets. | Activate BC Sets – Business Configuration Sets (BC-CUS) – SAP Library |
| PPOM | Maintain Organizational Plan | Basis | Maintain Organizational Plan | |
| SOST/SOSB | SAPconnect Send Requests | | Check if there has been an issue with sending email notifications, or reprocess requests. Transaction SOSB can be restricted to limited functionality. | Tcode SOST |
| SCOT | SAPconnect Administration | Basis | Configuration of SAPConnect. Discuss with your Basis team. Take care in enabling it in Non-Production environments so you do not accidentally send emails to users and add confusion. If enabled for Non-Prod, recommend you put dummy email addresses on the user accounts. | |
| ST01/STAUTHTRACE/ST05 | System Trace | | Trace for an application server. ST01 is useful for authorisation checks and includes database calls, kernel and RFC. STAUTHTRACE is the new version for security tracing with ALV functionality and drill down (heaps easier to interpret than ST01). ST05 comes in handy to trace SQL calls to find the table where information has been stored. | |
| SM12 | Enqueue Locks | Basis | You can access this in display mode only. It can be a quick way to find which tables your data is stored in. Go into the NWBC screen in change mode so it puts a lock on the tables. Open a new session and go to SM12 to find the tables. | |
| STAD | Display Statistics for all systems | Basis | EAM FF logs import STAD information | |
| SCC4 | Client Administration | | Ability to change client settings to enable cross-client changes. Do not make changes to these settings without discussing with Basis. Depending on your landscape strategy you may need to maintain some IMG settings directly in the client (such as integration framework). | |
| SNOTE | Note Assistant | BC | Import and apply SAP Notes. You will need to check your company's policy on who is responsible for note application. If you have not applied an OSS note before, it is strongly recommended you talk to your developer or Basis to learn about pre-requisite and post-processing activities. In some cases, a developer key will be necessary. | |
| SE01/SE09 | Transport Organizer | BC | Manage your transports | |
| SE16 / SE16N | Data Browser | | Transaction to easily browse through data tables. | |
| SM01 | Lock Transactions | SEC | Lock a transaction to prevent users (even if authorised) from executing the transaction. Usually security is responsible for this activity. | |
| SM36 | Schedule Background Jobs | BC | GRC Access Controls uses a job scheduler via NWBC. Jobs for connector sync, etc. can be set up via SM36. | |
| SM37 | Overview of Background Jobs | BC | Allows you to view background jobs. All job runtimes will show here, even if scheduled via NWBC. | |
| SA38 | ABAP Reporting | ABAP | Execute SAP ABAP programs. | |
| SE38 | ABAP Editor | ABAP | Program Editor | |
| SE80 | Object Navigation | ABAP | SAP Development workbench, most development functionality is available from this transaction. | |
| SE37 | ABAP Function | ABAP | MSMP SAP standard rules are usually function modules. You can look at the code if you want to better understand what is being evaluated. Also comes in handy for setting a break point if you need to debug. | |
| SE24 | ABAP Class | ABAP | Useful if you need to check the code and add a breakpoint to a method | |
| OOCU | Task Customizing | | | |
| BD54 | Logical Systems | Basis | RFC connections have to be defined as a logical system (usually same name) to then reference in the integration framework configuration | |
| SM59 | RFC Destinations | Basis | RFC Configuration | |
| SM66/SM50 | Workprocess | Basis | View the number of background work processes available to define as part of the integration framework for background job processing | |
| SUIM | | SEC | User Information Reporting system | |
| S_BCE_68001426 | Transactions for User | SEC | Report shows a list of all transactions assigned to a user. This is a very helpful report to identify critical transactions a user has access to. | |
| S_BCE_68001418 | Roles by Role Name | SEC | Report to find roles by complex selection criteria. This report can be used to find roles by description, etc. | |
| S_BCE_68001419 | Roles by User Assignment | SEC | Report shows a list of all roles assigned to a user. This is very helpful to have an overview of all authorized roles a user has. | |
| S_BCE_68001420 | Roles by Transaction Assignment | SEC | Report shows a list of all roles that include a specific transaction. This is very helpful to easily find possible roles to assign a transaction. | |
| SICF | HTTP Services | BC | Discuss with Basis and Security before activating these as it poses a security risk. If you receive a 403 Forbidden error in NWBC it means a service needs to be activated for the webdynpro. You can also test the services here. For PSS/End User Login screens, the SICF services need to be configured with the Service Account Username and Password stored. | |
| GRAC_REP_OBJ_SYNC | Object Rep Sync | All | User + Role + Profile Synchronization Job | |
| GRAC_USER_SYNC | User Sync | All | User Synchronization Job | |
| GRAC_ROLE_SYNC | Role Sync | All | Role Synchronization Job | |
| GRAC_ROLE_USAGE_SYNC | Role Usage Sync | All | Role Usage Synchronization Job | |
| GRAC_ACT_USAGE_SYNC | Action Usage Sync | EAM/ARA | Action Usage Synchronization Job | |
| GRAC_PROFILE_SYNC | Profile Sync | All | Profile Synchronization Job | |
| GRAC_AUTH_SYNC | Auth Sync | All | Authorization data Synchronization Job | |
| GRAC_SPM_SYNC | EAM Sync | EAM | Emergency Access Management Master Data Synchronization Job | |
| GRAC_SPM_WF_SYNC | EAM Workflow Synchronization | EAM | Emergency Access Management Workflow Synchronization Job | |
| GRAC_SPM_LOG_SYNC | EAM Log Sync | EAM | Emergency Access Management Log Synchronization Job | |
| GRFN_STR_DISPLAY / GRFN_STR_CHANGE | Org Structure Expert Change | All | These transactions show all the relationships between objects in the structure considering the timeframe of each object and the timeframe of the relationship. Both are considered super transactions which are really sensitive. They are exclusive GRC transactions to check Objects Hierarchy. The point of GRFN_STR_CHANGE is that within this transaction you can change master data that you could not change using the UI. This means that the structure change transaction is not recommended, as you can cause severe data inconsistency in the system if you use it without knowing it. | |
| PFCG | Role Maintenance | Basis | Role maintenance to create and edit roles. | 5 Role Maintenance in PFCG – SAP NetWeaver Business Client – SAP Library |
| SU01 | User Maintenance | Basis | User maintenance | |
| SE16 | Data Browser | Basis | Data browser to view/add table data | |
| SM30/SM31/SM34 | View Maintenance | Basis | SE16 and SM30 essentially give direct access to table information. SM30 is restricted in that you cannot use the SM30 interface to view all tables: only tables with a maintenance dialog defined can be accessed through SM30. There is no such restriction on access to tables in SE16; as long as you have access to the authorization group pertaining to the table, you will be able to access the information through SE16. | |
| GRFNMW_ADMIN | MSMP Power User / Debug | WF | | |
| GRFNMW_CN_VERA | MSMP Process Active Version Maint. | WF | | |
| GRFNMW_DEBUG | MSMP Process Debug Settings | WF | | |
| GRFNMW_DEBUG_MSG | MSMP Process Debug Messages Settings | WF | | |
| GRFNMW_DEV_CONFIG | MSMP Development Configuration | WF | | |
| GRFNMW_DEV_RULES | MSMP Rule Generation / Testing | WF | | |
| GRFNMW_GEN_VERSION | Generate Versions for MSMP Config | WF | Generate version is useful to run after you import a transport (post processing activity) instead of going into the MSMP screen to activate. | |
| GRFNMW_MONITOR | MSMP Workflow Monitoring | WF | Monitoring of the MSMP Workflow statistics. | |
| GRAC_ENDUSRFORM_SICF | End user form SICF service | | | |
| GRAC_FFOBJ_DSC_MAINT | Maintain EAM FF Object Description | | | |
| GRAC_FFOBJ_DSC_MNT1 | Firefighter Object Maintenance | | | |
| GRAC_IDM_SCHEMA_SYNC | IDM Schema Update | | | |
| GRAC_DATA_MIGRATION | AC10 Data Migration | | Program to migrate data from an earlier version. | |
| GRAC_DELETE_REPORT_S | Delete Report Spool data | | | |
| GRACRABATCH_MONITOR | Batch Risk Analysis Monitor | | This program is used to monitor the execution status of a running batch risk analysis. | |
| GRAC_ALERT_GENERATE | Alert Generation | | Program that generates alerts. | SAP Access Control 10.0 Alerting |
| GRAC_BATCH_RA | Risk Analysis In Batch Mode | | Offline analysis is not real-time data but is dependent on the date of the last Batch Risk Analysis. The Batch Risk Analysis is run as a background job in GRC by using transaction GRAC_BATCH_RA (program GRAC_BATCH_RISK_ANALYSIS). | Online vs. Offline Risk Analysis |
| WD_TRACE_TOOL | WebDynpro Tracing | Basis | The Web Dynpro trace tool supports the analysis of problems and errors arising in Web Dynpro ABAP, by collecting and listing the data related to the Web Dynpro ABAP application. | Web Dynpro Trace Tool – Web Dynpro for ABAP – SAP Library |

 

Programs

 

| Program | Description | Why is this useful? | Further details, links, etc. |
|---|---|---|---|
| PRGN_COMPRESS_TIMES | Program to merge the assignments of identical users and roles, provided the validity periods overlap with one another or immediately follow each other. You can also delete expired assignments. | Very helpful to easily delete expired assignments or to clean up the assignments after a system copy. Please note that this program should not be run if you have ARQ in place for business roles provisioning. | Before Initial Load … |
| TZCUSTHELP | Troubleshooting Support for Time Zone Settings | | Timezone changes best practices – Basis Corner – SCN Wiki |
| TZONECHECK | Check Time Zone Data for Consistency | | Timezone changes best practices – Basis Corner – SCN Wiki |
| RSLDAPSYNC_USER | Synchronization of SAP User Administration with an LDAP-Compatible Directory Service | | Synchronization of SAP User Administration with an LDAP-Compatib – Identity Management – SAP Library |
| GRFNMW_BATCH_EMAIL_REMINDER | Job used to send email reminders to approvers based on number of days and frequency | | |
| GRFNMW_BATCH_STALE_REQUEST | This program was useful for deleting non-actionable old requests from the system as a housekeeping activity | | |
| RSCONN01 | This job is used for sending email (and other types of communication items) | | |
| /GRCPI/GRIA_DNLDROLES | Download roles data for mass import | | |
| GRAC_CHECK_BROLE_ASSIGNMENT | The program checks the consistency of business roles assigned to a user. The report fetches all the business roles assigned to the user and then gets the list of single roles that are part of those business roles. The repository is then checked to see that all the single roles which are part of business roles are assigned to the user with correct validity and relation. | Inconsistencies can be identified easily with a single report. | http://service.sap.com/sap/support/notes/2036088 |
| RSDBTIME | Diagnostic Tool for Detecting Time Inconsistencies | Diagnosing Time and Timezone Inconsistencies in SAP-R/3-Systems. Different time sources must supply consistent times, especially for EAM Logging functionality to work properly. | |

 

 

Tables

 

| Table | Description | Why is this useful? | Further details, links, etc. |
|---|---|---|---|
| GRACREVREJUSER | UAR Rejected Users | | |
| GRACREJREASON | UAR Rejected Reasons | | |
| GRACREJREASONT | UAR Rejected Reasons Texts | | |
| USR02 | User Logon Data | | |
| GRACOWNER | Master Table for Central Owner Administration | | |
| GRAC_(S\|T)_REQUEST_RULE_HEADER | Contains Request Header information | This structure/table is frequently used for BRF+ functions | BRF+ Agent Rule based on Role Functional Area field using TABLE OPERATION and LOOP |
| GRAC_(S\|T)_REQUEST_RULE_LINE | Contains Access Request Line Item information | This structure/table is frequently used for BRF+ functions | BRF+ Agent Rule based on Role Functional Area field using TABLE OPERATION and LOOP |
| GRFN_MW_(S\|T)_AGENT_ID | Result – Agent Rule | This structure/table is frequently used for BRF+ functions | BRF+ Agent Rule based on Location field using LOOP |

 

Other tools

 

Tool Description Why is this useful? Further details, links, etc.

 

 

I am really looking forward to your input to extend the listing.

 

Best regards,

Ale, Col & Madhu


34 Comments


  1. Baithi Srinivas

    Hello Alessandro,

    Program Name: GRAC_DELETE_REPORT_SPOOL

    2144736 – Delete or Purge the Risk Analysis background jobs spool data.


    Regards

    Baithi

    (0) 
  2. Kirtika Khator

    Thanks, Really very useful.

    Can anyone please add more programs, transactions and codes related to Process Controls and Risk Management?

    Thanks Again!!

    (0) 
      1. Fernando Bassuino

        Hi Josselin, Yes, but it depends on the scenario you are using. For example, a configurable business rule with SCU3 handler will store the data captured in DBTABLOG. However, information is taken directly from there and the results are not stored in GRC. Regards, Fernando

        (0) 
    1. Colleen Hebbert

      Hi BK

      It’s something we all try to do but if you know any transactions that are missing then please add a comment and one of us will update the list. We are trying to capture more than just transactions (otherwise you can search SAP yourself) so please provide a high level usage as well 🙂

      Regards

      Colleen

      (0) 
  3. S P Krishna Chaithanya

    Hi Alessandro,


    Splendid work!!!!!!


    very much useful for  people like us who are new to GRC.


    Could you please let me know if there is any TABLE/REPORT/PROGRAM that will give the linking of


    Business Roles–> Composite roles


    Business Roles –> Single Roles


    and Respective Tcodes in Composite or Single Roles and these roles assigned to users in SAP System?


    any help is much appreciated 🙂 .




    (0) 
    1. Madhu Babu Sai #MJ

      Hi Krishna,

      Please use table GRACROLERELAT to get the details you need.

      You need to get ROLE ID from GRACROLE table and pass it to GRACROLERELAT table.

      ~ Madhu

      (0) 
  4. Artem Ivashkin

    Hi colleagues,

    I would propose you to add the following structures and tables

    | Table | Description | Why is this useful? | Further details, links, etc. |
    |---|---|---|---|
    | GRAC_(S\|T)_REQUEST_RULE_HEADER | Contains Request Header information | This structure/table is frequently used for BRF+ functions | BRF+ Agent Rule based on Role Functional Area field using TABLE OPERATION and LOOP |
    | GRAC_(S\|T)_REQUEST_RULE_LINE | Contains Access Request Line Item information | This structure/table is frequently used for BRF+ functions | BRF+ Agent Rule based on Role Functional Area field using TABLE OPERATION and LOOP |
    | GRFN_MW_(S\|T)_AGENT_ID | Result – Agent Rule | This structure/table is frequently used for BRF+ functions | BRF+ Agent Rule based on Location field using LOOP |

    I think they are the most popular in BRF function creation.

    Hope this helps beginners to understand the purpose of these structures/tables in BRF functions.

    *Madhu, I’ve used your posts as examples

    Regards,

    Artem

    (0) 
  5. Caio Jordão Calisto

    Hello everybody:

    There is a transaction in GRC 10.1 plugin that downloads the roles in the BRM upload file format. After the download, some minor tweaks are necessary, but I’ve found it very useful. The transaction is /GRCPI/AC_ROLE_DNLD and should be executed at the plugin systems. Can you add this to the list, please?

    (0) 
  6. Cristiano Gonçalves

    Hi Alessandro,

    I have some suggestions of useful tables to add to your list.

    | Table | Description | Why is this useful? | Further details, links, etc. |
    |---|---|---|---|
    | GRACREQ | Request Header | This structure/table is frequently used for BRF+ functions | |
    | GRACREQUSER | User Associated with Request | This structure/table is frequently used for BRF+ functions | |

    (0) 
  7. Chris McMillon

    Does anyone have any more information on GRAC_CHECK_BROLE_ASSIGNMENT? We are looking for reliable information on business role assignments. This report appears to be what we are looking for, but does not return a reliable set of information. I have users who I KNOW have business roles assigned in GRC but do not show up in this report.

     

    (0) 
