Helpful transactions, tools, programs, tables, etc. for a SAP GRC Consultant
The motivation to write this document comes with the Community Collaboration for GRC Blogs and Documents project that we have started recently in the GRC space. Leo (S A) has requested a document that elaborates which tools and transactions are used by a GRC consultant. I have extended the request to also name some programs and tables I regularly use to complete my job. The following listing will give you an overview of transactions, tools, programs and tables used by a GRC consultant. Each table is sortable by clicking on headings.
|Transaction||Description||Key Area||Why is this useful?||Further details, links, etc.|
|NWBC||Launch Netweaver Business Client||All||launch NWBC HTML. You will need to have work centre roles assigned or build you own.|
|SPRO||Customizing||All||Self explanatory – configuration entry point for both GRC and plug-in systems|
|GRAC_UPLOAD_MIT_ASGN||Upload Mitigation Assignments||ARA||Upload a huge number of mitigation (user, role, profile) in one shot. You can either append your current mitigations or overwrite. Program GRAC_UPLOAD_MIT_ASSIGNMENTS.||Mass change of Mitigation Assignments|
|GRAC_DWLOAD_MIT_ASGN||Download Mitigation Assignments||ARA||Download a huge number of mitigation (user, role, profile) in one shot. Program GRAC_DOWNLOAD_MIT_ASSIGNMENTS.||Mass change of Mitigation Assignments|
|GRFNMW_CONFIGURE_WD||MSMP Workflow Configuration||WF||MSMP Workflow Configuration – standard view (web dynpro will launch)|
|GRFNMW_CONFIGURE||MSMP Workflow Config Expert||WF||SAP GUI expert mode to configuration workflow configuration. Do not use this transaction if you not familiar or strong with MSMP configuration as you will risk corrupting your build. This is useful if you need to retransport or transport all of the MSMP in one go as you can select it like an IMG table.|
|GRFNMW_DBGMONITOR_WD||MSMP Instance Runtime Monitor||WF||Comprehensive view of the workflow execution for MSMP evaluation including Stage/Path calculation, provisioning notes, notifications and agents. This is useful for an Administrator to track issues with an MSMP after a request has been submitted.|
|SWDD||Workflow Builder||WF||Unlikely you will need to go into this transaction as the Worfklows for SAP are out of the box and MSMP is used. You can identify the MSMP integration from here.|
|SWIA||WF||SAP standard workflow. This will allow you to check the current Workflow and Task numbers. If the MSMP Instance Runtime shows the workflow is completed but SWIA is not completed then there is an issue with the workflow configuration. Check Marketplace incase there is a correction.|
|GRAC_ROLE_MASS_IMPRT||Mass Role Import from Backend System||BRM|
|GRAC_SPM_CLEANUP||Cleanup EAM Application Data||EAM||Program to clean up EAM tables.|
|GRAC_EAM/GRAC_SPM and /GRCPI/GRIA_EAM||EAM Logon Pad||EAM||For centralized firefighting, you use GRAC_EAM to open the EAM Launchpad on the GRC system. For decentralized firefighting, you use /GRCPI/GRIA_EAM to open the EAM Launchpad on the plug-in systems. The launchpad for centralized firefighting displays all the plug-in systems to which you have access. The launchpad for decentralized firefighting does not display any systems because it allows you to access only the current plug-in system.|
|GRAC_UPLOAD_RULES||Upload Access Control Rules||ARA||This is available in the IMG navigation and allows you to import the rule set. Note, if you have workflow activated for you ruleset it will not trigger workflow.|
|GRAC_COPY_RULES||Copy Access Control Rules||ARA||Utility for copying SOD rules from one system to another of same type.|
|GRAC_RULE_DELETE||Delete Access Control Rules||ARA||This is available in the IMG navigation and allows you to delete the rule set. Note, if you have workflow activated for you ruleset it will not trigger workflow.|
|GRAC_DOWNLOAD_RULES||Download Access Control Rules||ARA||This is available in the IMG navigation and allows you to download the rule set. Recommend you save a selection variant with the file name and paths so you do not have to continually maintain them.|
|GRAC_GENERATE_RULES||Generate Access Control Rules||ARA||This is available in the IMG navigation and allows you to mass generate the rules. You can also execute this via NWBC, however, this program would allow you to schedule in background via SM36/37|
|GRAC_RULE_TRANSPORT||Transport Access Controls Rules||ARA||This is available via IMG navigation and allows to mass transport the rule set.|
|GRAC_EXPORT_RA||Export Risk Analysis Data (e.g. when the file is too big for the web)||ARA||Program to download the results of the risk analysis to a local file.|
|GRAC_BATCH_RA||Risk Analysis in Batch Mode||ARA||This is available in the IMG navigation and triggers the program for you to schedule batch risk analysis. Ensure your configuration parameters are set|
|GRAC_GENERATE_RULES||WF||Build MSMP rules (usually BRF+). Refer to comment below for creating application first.|
|GRAC_GEN_ERM_BRFRULE||WF/BRM||Build the BRF+ Rules for BRM role methodology and approval conditions groups. Note, before running to to BRF+ and create a shell application that has been assigned to a transport and activated. Use this application in your definition. If not, it gets created in $TMP|
|BRFPLUS||BRFplus Workbench||WF||Alternative transactions: BRF+ and FDT_Workbench. You can maintain the BRF+ rules here and transport through to Production.|
|STZAD||Customizing Time Zones||BC||Discuss with Basis before making any changes to timezone as it can impact EAM log collections, etc.|
|SLG1||Display Application Logs||BC||Application log display. It is useful to track error messages. Most GRC authorisations errors will show in the application log|
|SE61||SAP Documentation (Email templates, etc.)||All||Document maintenance.|
|SE63||Translations||All||This transaction enables you to directly translate individual objects.|
|SCPR20||Activate BC Sets||Basis||Activation of BC Sets.||Activate BC Sets – Business Configuration Sets (BC-CUS) – SAP Library|
|PPOM||Maintain Organizational Plan||Basis||Maintain Organizational Plan|
|SOST/SOSB||SAPconncet Send Requests||Check if there has been an issue with sending on email notifications or reprocess requests. Transaction SOSB can be restricted to limited functionality.||Tcode SOST|
|SCOT||SAPconnect Administration||Basis||Configuration of SAPConnect. Discuss with your Basis team. Take care in enabling in Non-Production environment so you do not accidentally send emails to users and add confusion. If enabled for Non-Prod, recommend you put dummy email addresses on the user accounts.|
|ST01/STAUTHTRACE/ST05||System Trace||Trace for an application server. ST01 is useful for authorisation checks and include database calls, kernel and RFC. STAUTHTRACE is new version for security tracing with ALV functionality and drill down (heaps easier to intepret than ST01). ST05 comes in handy to trace SQL calls to find the table where information has been stored.|
|SM12||Enqueue Locks||Basis||You can access this in display mode only. It can be a quick way to find which tables your data is stored in. Go into the NWBC screen in change mode so it puts a lock on the tables. Open a new session and go to SM12 to find the tables.|
|STAD||Display Statistics for all systems||Basis||EAM FF logs import STAD information|
|SCC4||Client Administration||Ability to change client setting to enable cross-client changes. Do not make changes to these settings without discussing with Basis. Depending on your landscape strategy you may need to maintain some IMG settings directly in the client (such as integration framework)|
|SNOTE||Note Assistant||BC||Import and apply SAP Notes. You will need to check with your company’s policy for note application responsible. If you have not applied and OSS note before, it is strongly recommended your talk to your developer or Basis to learn about pre-requisite and post-processing activities. In some cases, a developer key will be necessary.|
|SE01/SE09||Transport Organizer||BC||Manage your transports|
|SE16 / SE16N||Data Browser||Transaction to easily browse thru data tables.|
|SM01||Lock Transactions||SEC||Lock transaction to prevent users (even if authorised) from executing the transaction. Usually security is responsible for this activity.|
|SM36||Schedule Background Jobs||BC||GRC Access Controls uses a job scheduler via NWBC. SM36 jobs for connector sync,etc can be set up via SM36|
|SM37||Overview of Background Jobs||BC||Allow you to view background jobs. All jobs runtimes will show here, even if scheduled via NWBC.|
|SA38||ABAP Reporting||ABAP||Execute SAP ABAP programs.|
|SE38||ABAP Editor||ABAP||Program Editor|
|SE80||Object Navigation||ABAP||SAP Development workbench, most development functionality is available from this transaction.|
|SE37||ABAP Function||ABAP||MSMP SAP standard rules are usually function modules. You can look at the code if you want to better understand what is being evaluated. Also comes in handy for break point if you need to debug.|
|SE24||ABAP Class||ABAP||useful if you need to check the code and add a breakpoint to a method|
|BD54||Logical Systems||Basis||RFC connections have to be defined as a logical system (usually same name) to then reference in the integration framework configuration|
|SM59||RFC Destinations||Basis||RFC Configuration|
|SM66/SM50||Workprocess||Basis||View the number of background work process available to define as part of the integration framework for background job processing|
|SUIM||SEC||User Information Reporting system|
|S_BCE_68001426||Transactions for User||SEC||Report shows a list of all transactions assigned to a user. This is a very helpful report to identify critical transactions as user has access to.|
|S_BCE_68001418||Roles by Role Name||SEC||Report to find roles by complex selection criterias. This report can be used to find roles by description, etc.|
|S_BCE_68001419||Roles by User Assignment||SEC||Report shows a list of all roles assigned to a user. This is very helpful to have an overview of all authorized roles a user have.|
|S_BCE_68001420||Roles by Transaction Assignment||SEC||Reports shows a list of all roles that includes a specific transaction. This is very helpful to easily find possible roles to assign a transaction.|
|SICF||HTTP Services||BC||Discuss with Basis and Security before activating these as it poses a security risk. If you receive a 403 Forbidden error in NWBC it means a service needs to be activated for the webdynpro. You can also test the services here. For PSS/End User Login screens, the SICF services need to be configured with the Service Account Username and Password stored|
|GRAC_REP_OBJ_SYNC||Object Rep Sync||All||User + Role + Profile Synchronization Job|
|GRAC_USER_SYNC||User Sync||All||User Synchronization Job|
|GRAC_ROLE_SYNC||Role Sync||All||Role Synchronization Job|
|GRAC_ROLE_USAGE_SYNC||Role Usage Sync||All||Role Usage Synchronization Job|
|GRAC_ACT_USAGE_SYNC||Action Usage Sync||EAM/ARA||Action Usage Synchronization Job|
|GRAC_PROFILE_SYNC||Profile Sync||All||Profile Synchronization Job|
|GRAC_AUTH_SYNC||Auth Sync||All||Authorization data Synchronization Job|
|GRAC_SPM_SYNC||EAM Sync||EAM||Emergency Access Management Master Data Synchronization Job|
|GRAC_SPM_WF_SYNC||EAM Workflow Synchronization||EAM||Emergency Access Managmement Workflow Synchronization Job|
|GRAC_SPM_LOG_SYNC||EAM Log Sync||EAM||Emergency Access Management Log Synchronization Job|
|GRFN_STR_DISPLAY / GRFN_STR_CHANGE||Org Structure Expert Change||All||
These transactions show all the relationships between objects in the structure considering the timeframe of each object and the timeframe of the relationship.
Both are considered super transactions which are really sensitive. They are exclusive GRC transactions to check Objects Hierarchy. The point of GRFN_STR_CHANGE is that within this transaction you can change master data that you could not using UI. It means that the structure change transaction is not recommended as you can cause severe data inconsistency in the system if you use it without knowing it.
|PFCG||Role Maintenance||Basis||Role maintenance to create and edit roles.||5 Role Maintenance in PFCG – SAP NetWeaver Business Client – SAP Library|
|SU01||User Maintenance||Basis||User maintenance|
|SE16||Data Browser||Basis||Data browser to view/add table data|
|SM30/SM31/SM34||View Maintenance||Basis||SE16 and SM30 essentially give direct access to tables information. SM30 is restricted in a way that you cannot use the SM30 interface to view all the tables. Only tables with a maintaince dialog defined can be accessed through SM30. But there is no restriction on the access to tables in SE16 as long as u have access to the authorization group pertaining to the table you will be able to access the information through SE16.|
|GRFNMW_ADMIN||MSMP Power User / Debug||WF|
|GRFNMW_CN_VERA||MSMP Process Active Version Maint.||WF|
|GRFNMW_DEBUG||MSMP Process Debug Settings||WF|
|GRFNMW_DEBUG_MSG||MSMP Process Debug Messages Settings||WF|
|GRFNMW_DEV_CONFIG||MSMP Development Configuration||WF|
|GRFNMW_DEV_RULES||MSMP Rule Generation / Testing||WF|
|GRFNMW_GEN_VERSION||Generate Versions for MSMP Config||WF||Generate version is useful to run after you import a transport (post processing activity) instead of going into MSMP screen to activate.|
|GRFNMW_MONITOR||MSMP Workflow Monitoring||WF||Monitoring of the MSMP Workflow statistics.|
|GRAC_ENDUSRFORM_SICF||End user form SICF service|
|GRAC_FFOBJ_DSC_MAINT||Maintain EAM FF Object Description|
|GRAC_FFOBJ_DSC_MNT1||Firefighter Object Maintenance|
|GRAC_IDM_SCHEMA_SYNC||IDM Schema Update|
|GRAC_DATA_MIGRATION||AC10 Data Migration||Program to migrate data from an earlier version.|
|GRAC_DELETE_REPORT_S||Delete Report Spool data|
|GRACRABATCH_MONITOR||Batch Risk Analysis Monitor||This program is used to monitor the execution status of a running batch risk analysis.|
|GRAC_ALERT_GENERATE||Alert Generation||Program that generates alerts.||SAP Access Control 10.0 Alerting|
|GRAC_BATCH_RA||Risk Analysis In Batch Mode||Offline analysis is not real-time data but is dependent on the date of the last Batch Risk Analysis. The Batch Risk Analysis is run as background job in GRC by using transaction GRAC_BATCH_RA (program GRAC_BATCH_RISK_ANALYSIS).||Online vs. Offline Risk Analysis|
|WD_TRACE_TOOL||WebDynpro Tracing||Basis||The Web Dynpro trace tool supports the analysis of problems and errors arising in Web Dynpro ABAP, by collecting and listing the data related to the Web Dynpro ABAP application.||Web Dynpro Trace Tool – Web Dynpro for ABAP – SAP Library|
|Program||Description||Why is this useful?||Further details, links, etc.|
|PRGN_COMPRESS_TIMES||Program to merge the assignments of identical users and roles, provided the validity periods overlap with one another or immediately follow each other. Also you can delete expired assignments.||
Very helpful to easily delete expired assignments or to clean up the assignments after a system copy.
Please note that this program should not be run if you have ARQ in place for business roles provisioning.
|Before Initial Load …|
|TZCUSTHELP||Troubleshooting Support for Time Zone Settings||Timezone changes best practices – Basis Corner – SCN Wiki|
|TZONECHECK||Check Time Zone Data for Consistency||Timezone changes best practices – Basis Corner – SCN Wiki|
|RSLDAPSYNC_USER||Synchronization of SAP User Administration with an LDAP-Compatible Directory Service||Synchronization of SAP User Administration with an LDAP-Compatib – Identity Management – SAP Library|
|GRFNMW_BATCH_EMAIL_REMINDER||Job User to send Email reminders to approvers based on number of days and frequency|
|GRFNMW_BATCH_STALE_REQUEST||This program was useful for deleting non-actionable old requests from the system as housekeeping activity|
|RSCONN01||This job used for sending email (and other types of communication items)|
|/GRCPI/GRIA_DNLDROLES||Download roles data for mass import|
|GRAC_CHECK_BROLE_ASSIGNMENT||The program checks the consistency of business roles assigned to user. The report fetches all the business roles assigned to user and then gets list of single roles that are part of those business roles. Then repository is checked to see that all the single roles which are part of business roles are assigned to user with correct validity and relation.||Inconsistencies can be identified easily with a single report.||http://service.sap.com/sap/support/notes/2036088|
|RSDBTIME||Diagnostic Tool for Detecting Time Inconsistencie||Diagnosting Time and Timezone Inconsistencies in SAP-R/3-Systems. Different time sources must supply consistent times especially for EAM Logging functionality to work properly.|
|Table||Description||Why is this useful?||Further details, links, etc.|
|GRACREVREJUSER||UAR Rejected Users|
|GRACREJREASON||UAR Rejected Reasons|
|GRACREJREASONT||UAR Rejected Reasons Texts|
|USR02||User Logon Data|
|GRACOWNER||Master Table for Central Owner Administration|
|GRAC_(S|T)_REQUEST_RULE_HEADER||Contains Request Header information||This structure/table is frequently used for BRF+ functions||BRF+ Agent Rule based on Role Functional Area field using TABLE OPERATION and LOOP|
|GRAC_(S|T)_REQUEST_RULE_LINE||Contains Access Request Line Item informations||This structure/table is frequently used for BRF+ functions||BRF+ Agent Rule based on Role Functional Area field using TABLE OPERATION and LOOP|
|GRFN_MW_(S|T)_AGENT_ID||Result – Agent Rule||This structure/table is frequently used for BRF+ functions||BRF+ Agent Rule based on Location field using LOOP|
|Tool||Description||Why is this useful?||Further details, links, etc.|
I am really looking forward to your input to extend the listing.
Nice compilation Alessandro Banzer
Just wanted to make a small correction.
row 2: tcode "GRAC_DOWNLOAD_MIT_ASGN" is actually "GRAC_DWLOAD_MIT_ASGN"
thanks a lot! I have updated the document. Mixed up program and transaction 🙂
Really fantastic.Keep up the good work.
Awesome job! It's very helpful.
excellent effort in making a single consolidated document.
Insightful, thanks. Great job.
2036088 - Report to check business role assignment consistency - Cheers
Thanks for your input Andreas! I have updated the document accordingly.
The Job syncronism for GRAC v10 and v11 for Profile, Role and User , have the new names:
2144736 - Delete or Purge the Risk Analysis background jobs spool data.
Why we should not use PRGN_COMPRESS_TIMES if business roles are being provisioned using ARQ?
Have a look at this document - it's recommended to avoid to ensure GRC repository matches the plug-in system access that has been provisioned
Recommendations for using Business roles provisioning in access request
Program Name : ZZ_UNLOCK_BRM_ROLE
refer to SAP Note 1805237 - How to Unlock the Role
awesome collection. thanks.
Very useful. Thanks ℹ
Thanks, Really very useful.
Can anyone please add more programs, transactions and codes related to Process Controls and Risk Management?
Hi Alessandro, In the tables section, you could add the HRP tables of process Control. You could just provide the link to this wiki page: http://wiki.scn.sap.com/wiki/display/GRC/HRP+tables+and+the+information+they+store Best Regards, Fernando
Is there any tables where data collected by a burinsess rule (from connected backend system) are stored ?
Hi Josselin, Yes, but it depends on the scenario you are using. For example, a configurable business rule with SCU3 handler will store the data captured in DBTABLOG. However, information is taken directly from there and the results are not stored in GRC. Regards, Fernando
very usefull Document.
Ale, Col & Madhu
Very useful and informative. It is a ready reckoner in fact. Kindly extend the listing with more information.
It's something we all try to do but if you know any transactions that are missing then please add a comment and one of us will update the list. We are trying to capture more than just transaction (otherwise you can search SAP yourself) so please provide a high level usage as well 🙂
Please post few GRC tables.
Which GRC tables?
GRC tables for related to EAM,BRM,ARM components.
very much useful for people like us who are new to GRC.
Could you please let me know if there is any TABLE/REPORT/PROGRAM that will give the linking of
Business Roles--> Composite roles
Business Roles --> Single Roles
and Respective Tcodes in Composite or Single Roles and these roles assigned to users in SAP System?
any help is much appreciated 🙂 .
Please use table GRACROLERELAT to get the details you need.
You need to get ROLE ID from GRACROLE table and pass it to GRACROLERELAT table.
I would propose you to add the following structures and tables
Contains Request Header information
I think they are the most popular in BRF function creation.
Hope this helps begginers to understand the purpose of this structures/tables in BRF functions.
*Madhu, I've used your posts as examples
I've added them for you. Just realised this document needs a bit of refreshing 🙂
Thanks for this. Very helpful
There is a transaction in GRC 10.1 plugin that downloads the roles in the BRM upload file fomat. After the download, some minor tweaks are necessary, but I've found it very useful. The transaction is /GRCPI/AC_ROLE_DNLD and should be executed at the plugin systems. Can you add this at the list, please?
I have some suggestions of useful table to add in your list.
Why is this useful?
Further details, links, etc.
This structure/table is frequently used for BRF+ functions
User Associated with Request
This structure/table is frequently used for BRF+ functions
Does anyone have anymore information on GRAC_CHECK_BROLE_ASSIGNMENT? We are looking for reliable information on business role assignments. This report appears to be what we are looking for, but does not return a reliable set of information. I have users who I KNOW have business roles assigned in GRC but do not show up in this report.
Are there any advance programs that can change the Access Request, for example, the role validity date?
Hi Alessandro Banzer : Need help! How do one finds the name of the ABAP program behind the ARA risk analysis report.