SAP GRC 10/10.1/12.0 – Access Control Module related Tables
Purpose
The purpose of this blog post is to explain the various tables related to the GRC Access Control module and how these tables can be used to prepare reports or extract data as per your requirements:
1. Request Reason
Request reason is stored in SAPscript, with Text Object “GRC” and ID “LTXT”. You can use the standard SAPscript Function Module (READ_TEXT) to fetch the request reason of a GRC request by passing the “TEXT” value to the Name field. This TEXT value can be fetched from table STXH.
e.g.: ACCREQ/00155D08DA361ED2A1BD201C710165A5/LONG_TEXT (for access requests: ACCREQ/RequestID (GRACREQ table)/LONG_TEXT)
2. Request Comments
Request comments are stored as SAPscript objects. You can use standard SAPscript Function Module (READ_TEXT) to read the comments of a GRC request.
a. Retrieve the “EXTERNAL_KEY” value from GRFNMWRTINST table by passing the request number details in “EXTERNAL_KEY_DIS” field
b. Retrieve the “TDNAME” value from STXH table by passing the “EXTERNAL_KEY” value retrieved in the above step with * at the end, as each comment is saved with a timestamp and there could be multiple comments.
You have to pass following values to the function module:
ID = NOTE
NAME = TDNAME
OBJECT = GRC
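Steps a and b above as one ABAP report, added here as an illustration and not code from the original post. The report name and parameter are hypothetical; the GRFNMWRTINST field names are taken from the text, and TDOBJECT, TDID, TDNAME and TDSPRAS are the standard STXH key fields.

```abap
REPORT zgrc_request_comments.   " hypothetical report name

" Request number exactly as stored in GRFNMWRTINST-EXTERNAL_KEY_DIS
PARAMETERS p_reqno TYPE c LENGTH 40 OBLIGATORY.

DATA: lv_extkey  TYPE grfnmwrtinst-external_key,
      lv_pattern TYPE stxh-tdname,
      lt_headers TYPE STANDARD TABLE OF stxh,
      ls_header  TYPE stxh,
      lt_lines   TYPE STANDARD TABLE OF tline,
      ls_line    TYPE tline.

START-OF-SELECTION.
  " Step a: request number -> EXTERNAL_KEY of the workflow instance
  SELECT SINGLE external_key FROM grfnmwrtinst INTO lv_extkey
    WHERE external_key_dis = p_reqno.
  IF sy-subrc <> 0.
    WRITE: / 'No workflow instance found for request', p_reqno.
    RETURN.
  ENDIF.

  " Step b: every comment has its own header; TDNAME is the
  " EXTERNAL_KEY followed by a timestamp, hence the trailing wildcard
  CONCATENATE lv_extkey '%' INTO lv_pattern.
  SELECT * FROM stxh INTO TABLE lt_headers
    WHERE tdobject = 'GRC'
      AND tdid     = 'NOTE'
      AND tdname   LIKE lv_pattern.

  LOOP AT lt_headers INTO ls_header.
    CLEAR lt_lines.
    CALL FUNCTION 'READ_TEXT'
      EXPORTING
        id        = ls_header-tdid       " NOTE
        language  = ls_header-tdspras
        name      = ls_header-tdname
        object    = ls_header-tdobject   " GRC
      TABLES
        lines     = lt_lines
      EXCEPTIONS
        not_found = 1
        OTHERS    = 2.
    IF sy-subrc <> 0.
      CONTINUE.   " header without readable text, skip
    ENDIF.
    WRITE: / 'Comment:', ls_header-tdname.
    LOOP AT lt_lines INTO ls_line.
      WRITE: / ls_line-tdline.
    ENDLOOP.
  ENDLOOP.
```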
3. GRACREQ – Request details table
This table will provide the information about Request ID, Request Type, Request Creation Date and Request Priority. (Note: You can also get UAR request details from this table)
4. GRACREQUSER – GRC Request User details table
This table will provide the information about the user for whom the GRC request has been raised, and provides details about User ID, User First Name, User Last Name and User Email ID.
5. GRACREQPROVITEM – GRC Request Line Item Details
This table will provide the information about the request and the below Line Items in the request with their corresponding VALID FROM and VALID TO dates.
Role
System
Fire Fighter Id
User
Profile
PD Profile
Firefighter Role
6. GRACREQPROVLOG – GRC Request Provisioning Logs
This table will provide the information about the request and the Line Items in the request with their provisioning status (Success or Failure or Warning)
7. GRFNMWRTINST – GRC Request Instance Details
This table will provide the information about the request and its corresponding instance status.
8. GRFNMWRTDATLG – GRC Request Line Item Approval Status
Get the Instance ID from the GRFNMWRTINST table by passing the request number in the “EXTERNAL_KEY_DIS” field. Based on the Instance ID, this table gives the approval status of each Line Item in the request, along with the Path ID and Stage Sequence Number; the Approver User column gives the details of the approvers.
Based on Path ID you can get the stage details by using the tables “GRFNMWCNPATH” and “GRFNMWCNSTG”
9. GRFNMWRTAPPR – Current Approver for Request Line Items
This table will provide the information about the request and current approvers for corresponding Line Items in the request.
10. GRFNMWRTMSGLG – Workflow Instance Message Logs
This table holds all the details about the message numbers and variables. These are used by the code logic, and the data is displayed in the audit logs of access requests. You can ask your ABAP programmer to use this table as a reference to pull out the required details for audit logs.
Class: CL_GRFN_MSMP_INSTANCE_MODEL
Method: GET_INSTANCE_AUDIT_MESSAGES
11. GRACROLE & GRACROLEAPPRVR
These tables will provide the information about the roles and their corresponding role owners maintained in BRM.
12. GRACRLCONNVAL
This table will provide you the details about Auto provisioning status for a role
13. HRUS_D2 – Approver Delegation Table
This table will provide the information about the delegated approvers in GRC
14. GRACSTDROLE and GRACSTDROLESYS
These tables will provide the information about the default roles maintained in GRC.
15. GRPCCHKO and GRPCPHIO – GRC Request Attachment Details
These tables will provide the information about the attachments in the GRC request.
Get Request ID for a GRC request from GRACREQ Table
Input Request ID retrieved above in the field PROP08 of table GRPCPHIO. Get PHIO_ID from GRPCPHIO table. This table also gives attachment description details.
Input PHIO_ID to table GRPCCHKO. This table will provide Attachment Name and Type details.
16. Mitigating Control Vs. Risk/Monitor/Approver Details
Retrieve OBJID from table HRP5354 by inputting the Mitigating Control ID in SHORT_KEY1 field
Retrieve KEY 1 and KEY 2 from HRT5320 by passing OBJID retrieved above into T_OBJID field which will give Risk/MC Monitor/MC Owner Details
17. Mitigating Control Short Text and Long Text
Short Text
Retrieve “OBJID” from table HRP5354 by passing Mitigating Control ID into “SHORT_KEY1” field
Retrieve ‘STEXT’ from table HRP1000 by passing ‘OBJID’ value retrieved from above table
Long Text
Retrieve “OBJID” from table HRP5354 by passing Mitigating Control ID into “SHORT_KEY1” field
Retrieve the “TABNR” value from table HRP1002 by passing PLVAR = ‘01’, OTYPE = ‘P2’, OBJID = value retrieved from above table and SUBTY = ‘0001’; sort the results by ‘AEDTM’ and take the entry with the latest modification date
Retrieve “TLINE” values from table HRT1002 by passing TABNR value retrieved from above table
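The three Long Text steps chained in one ABAP report, as an added example that is not part of the original post. The report name and parameter are hypothetical; table and field names are the ones given in the steps above.

```abap
REPORT zgrc_mc_long_text.   " hypothetical report name

PARAMETERS p_mcid TYPE c LENGTH 40 OBLIGATORY.   " Mitigating Control ID

DATA: lv_objid TYPE hrp5354-objid,
      ls_p1002 TYPE hrp1002,
      lt_text  TYPE STANDARD TABLE OF hrt1002,
      ls_text  TYPE hrt1002.

START-OF-SELECTION.
  " Step 1: Mitigating Control ID -> OBJID
  SELECT SINGLE objid FROM hrp5354 INTO lv_objid
    WHERE short_key1 = p_mcid.
  IF sy-subrc <> 0.
    WRITE: / 'Unknown mitigating control', p_mcid.
    RETURN.
  ENDIF.

  " Step 2: newest description record (latest AEDTM) -> TABNR.
  " AEDTM is a date, so two changes on the same day can tie.
  SELECT * FROM hrp1002 INTO ls_p1002 UP TO 1 ROWS
    WHERE plvar = '01'
      AND otype = 'P2'
      AND objid = lv_objid
      AND subty = '0001'
    ORDER BY aedtm DESCENDING.
  ENDSELECT.
  IF sy-subrc <> 0.
    WRITE: / 'No long text maintained for', p_mcid.
    RETURN.
  ENDIF.

  " Step 3: text lines of that record, in stored order
  SELECT * FROM hrt1002 INTO TABLE lt_text
    WHERE tabnr = ls_p1002-tabnr
    ORDER BY PRIMARY KEY.
  LOOP AT lt_text INTO ls_text.
    WRITE: / ls_text-tline.
  ENDLOOP.
```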
18. Risk Long Text
Class: CL_GRFN_SAPSCRIPT
Method: RETRIEVE_STRING
Pass following values:
IV_LANGUAGE = EN
IV_OBJECT_ID = SOD_RISK/<RiskID>
IV_CLASS = LTXT
IV_TOKEN = RSK
IV_APPLICATION = GRC
19. Control Assignment request Items table
GRACMITMSMPVALI – This table will have the Control Assignment request and the corresponding line items of that request.
MSMP Instance and External Key in this table are referenced from GRFNMWRTINST table.
20. Mitigating Controls related tables
GRACMITUSER – mitigating controls assigned to User Level Risk violations
GRACMITUSERORG – mitigating controls assigned to User Org Level Risk violations
GRACMITROLE – mitigating controls assigned to Role Level Risk violations
GRACMITROLEORG – mitigating controls assigned to Role Org Level Risk violations
GRACMITPROF – mitigating controls assigned to Profile Risk violations
GRACMITOBJECT – mitigating controls assigned to HR Objects Risk violations
21. Mitigation-Violation Tables for Access Request (temporary storage while workflow is running)
GRACMITUSERAR – stores mitigating controls assigned to User Level Risk violations during Access Request approval process. Once request is finished, if access is provisioned, mitigations are transferred to GRACMITUSER
GRACMITUSERORGAR – stores mitigating controls assigned to User Org Level Risk violations during Access Request approval process. Once request is finished, if access is provisioned, mitigations are transferred to GRACMITUSERORG
22. GRC User Access Review (UAR) related tables:
GRACREQ – This table will provide the information about Request ID, Request Type, Request Creation Date and Request Priority for UAR requests also.
GRACREJREASON – REJECTION reasons for UAR requests are stored in this table.
GRACREVCORDMAP – This table will store the Reviewer – Coordinator mapping defined in GRC system.
GRACREVITEM – For GRC access requests, the line item details can be retrieved from table GRACREQPROVITEM. Similarly for UAR requests, the line item details can be retrieved from table GRACREVITEM.
This table will provide the information about the UAR request and the line items with details mentioned below:
User ID – Connector – Review Item ID (Need to use GRACROLE to get the review item name which is role name) – Review Item usage.
GRACREVREJUSER – This table stores details of users rejected in UAR requests with the corresponding rejection reasons referenced from tables GRACREJREASON and GRACREJREASONT.
GRACREQPROVLOG – GRC Access Request Provisioning Logs
The same table will provide the information about the UAR requests and the Line Items in the request with their provisioning status (Success or Failure or Warning)
23. GRC Emergency Access Management (EAM) related tables:
GRACFFOWNER / GRACFFOWNERT – This table will store the mapping between Firefighter ID Owners and corresponding Firefighter IDs
GRACFFCTRL – This table will store the mapping between Firefighter ID Controllers and corresponding Firefighter IDs along with the log delivery options (Email, Workflow or Log Display) for the controller. If the delivery option is left BLANK then by default the option considered is “Log Display”.
GRACFFOBJECT / GRACFFOBJECTT – This is the master table which stores details of all Firefighter IDs in various ABAP systems and also stores the last logon date of Firefighter IDs.
GRACFFUSER / GRACFFUSERT – This table will store the mapping between Firefighter IDs and users assigned to those Firefighter IDs
GRACREASONCOD / GRACREASONCODT – This is a master table that stores the details of all EAM reason codes, reason code descriptions and status.
GRACREASONSYS – This table will store the mapping between reason codes and corresponding target connectors
GRACFFLOG – When Firefighter Log Sync job is executed the details of Firefighter ID, Firefighter User, Logon and Logoff time, Reason Code used and Workflow Status (whether sent or not) are updated in GRACFFLOG table.
GRACFFREPMAPP – For every entry in GRACFFLOG table, if the corresponding transaction usage details are synced to GRACACTUSAGE table, then the mapping between FF LOG ID in GRACFFLOG table and ACTION ID in GRACACTUSAGE table is stored in GRACFFREPMAPP table.
Reason Code, Actions and Additional Activity Details – These details are required when you are building custom reports for internal or audit reporting.
a. Retrieve the “EXTERNAL_KEY” value from GRFNMWRTINST table by passing the request number details in “EXTERNAL_KEY_DIS” field with process ID as SAP_GRAC_FIREFIGHT_LOG_REPORT
b. Pass the external key value excluding “FFLOG\” into WF_ID as shown below and retrieve Text Object ID.
For retrieving the Reason Code , Actions and Additional Actions pass the Text Object ID retrieved from GRACFFLOG table in the following method:
Reason Code
Action Details
Additional Activity Details
SAP GRC will capture the following logs during a Firefighter session and creates an automated workflow request for log review by Firefighter ID controllers.
Transaction Logs: Retrieves transactions executed by the Firefighter ID from transaction STAD and then stores them in GRACACTUSAGE table
Change Logs: Retrieves all the change logs based on activities performed by the Firefighter ID from change document tables CDPOS, CDHDR and DBTABLOG and then stores them in GRACCHANGELOG table
System Logs: Retrieves all the system logs based on activities performed by the Firefighter ID from transaction SM21 and then stores them in GRACSYSTEMLOG table
Security Audit Log: Retrieves all security audit Logs for the activities performed by the Firefighter ID from transaction SM20 and then stores them in GRACAUDITLOG table
OS Command Log: Retrieves changes to OS commands by the Firefighter ID from transaction SM49 and then stores them in GRACOSCMDLOG table
Note: SAP GRC will retrieve the logs only if they are recorded in the target systems (e.g. S4HANA, ECC etc.)
24. GRC Process Control Tables
HRP1000 – Mitigating Control ID and Short Description
HRP1002 – Mitigating Control Long Description
HRP1001 – Organization Unit, Business Process and Sub process details.
HRP5354 – Mitigating Control Owners & Monitors
E.g. If you want to retrieve the Sub Process details based on a Mitigating Control name, then you can follow below steps:
- Retrieve ‘OBJID’ from table HRP1000 by passing Control short description in the ‘MC_STEXT’ field.
- Pass the ‘OBJID’ and SCLAS as ‘P1’ or ‘PL’ based on Local/Central sub process and retrieve related object ID (SOBJID) from table HRP1001
- Now, use the OBJID retrieved in the above step and extract Sub process description (STEXT) from HRP1000 table
Looking forward to all your inputs on improving this blog by including additional table details (if any are missing).
Thanks for reading.
Best Regards,
Madhu Babu Sai (#MJ)
Heyyy Madhu ....
Nice one ..!
Regards,
Rahul
Hi Madhu, it is very informative. Can we find out in which table the end user (affected user) details are stored, for whom the provisioning is to be done in an Access request?
Regards,
Krish
Awesome Madhu !
Hi Madhu,
Thanks for the info, good stuff!
Another Table, GRACROLEMAP, can you let us know how this Table is sourced? Which function in GRC allows this Table to be sourced?
Thank you in advance,
Chris
Hi Christopher,
In GRC BRM module, you can map a role from the same system or different system to a role.
For example: I have a role in GRC system (Role A) and this role need to be automatically included in the GRC request whenever users select ROLE B which is in ECC system then role mapping can be helpful.
Regards,
Madhu
Thanks Madhu! I figured....just wanted to confirm from an expert. Thanks again!
Hi Madhu,
It's very informative. Thanks for giving such huge information.
Hello Madhu ,
Can you please help us to know if we have some way to download the GRC request attachments from the Backend system?
Hi Pranjal,
GRC access request attachments are stored in the following tables:
GRPCCHKO and GRPCPHIO – GRC Request Attachment Details
These tables will provide the information about the attachments in the GRC request.
Get Request ID for a GRC request from GRACREQ Table
Input Request ID retrieved above in the field PROP08 of table GRPCPHIO. Get PHIO_ID from GRPCPHIO table. This table also gives attachment description details.
Input PHIO_ID to table GRPCCHKO. This table will provide Attachment Name and Type details.
You have to get your ABAPer to write a small piece of code to download attachments from the mentioned tables using the ARQ request number.
CALL METHOD cl_grfn_documents_manager=>get_physical_document_content
(Use this method to get the document content and convert it to binary using following function module)
CALL FUNCTION 'SCMS_XSTRING_TO_BINARY'
Regards,
Madhu
Great Job Madhu !
This is a very informative document.
Thanks
Asheesh
Great reference! Thank you.
Hi Madhu,
Very useful information.
I'm looking for information to find out EAM workflow path related information? Any table?
Is it possible to reset the completed log and resend it again?
Thanks,
Tireesha
Great blog, very informative!
Hi Madhu,
great, great job.
Still one question about that: Is there a possibility to get a connection between
a firefighter usage in GRACFFLOG and the origin access request in GRACREQ?
I already know how to find the log review workflow from GRACFFLOG in GRFNMWRTINST, but not how to find the access request.
Could you help me with that?
Thanks a lot.
Greetings,
Stefan
Hi Stefan,
Please check below note:
2832948 - EAM - Provide link between EAM request and Log review. Log review should be assigned request number- Improvement note - SAP ONE Support Launchpad
Regards,
Madhu
Hi Madhu,
thanks for the response.
This is already clear to me, and we already have the provided link between firefighter usage and the log review workflow in use.
For me it would be quite interesting if there also exists a link from the GRACFFLOG FF usage to its origin firefighter request, meaning the firefighter access request workflow which will be saved in table GRACREQ.
I cannot find anything like that.
Many thanks.
Greetings,
Stefan
SAP should engage you to write a book on SAP GRC configuration 🙂
Quite helpful. Trying to use SE16 to tie things together and there is a missing piece for me. How do I get the below table linked to the req no? You mention external key dis option but not available as a selection option in SE16. Any suggestions?
8. GRFNMWRTDATLG – GRC Request Line Item Approval Status
Get the details of Instance ID from GRFNMWRTINST table by passing the request number in “EXTERNAL_KEY_DIS” field. Based on the Instance ID you can get the details of each Line Item approval status in the request, Path ID, Stage Sequence Number and Approver User column in this table gives the details of the approvers.
Hi Madhu,
Thank you for sharing the table information in GRC.
Is there any report in GRC which can give the Access Request number along with the details of the roles that were rejected and approved? I mean to say based on the approval status at the line item level.
Thank you in advance.
Regards,
Amrutha
Hello Madhu,
Nice blog and information.
How to use RETRIEVE_STRING to find the reason code, Action Details and Additional Action details?
Can you please help me to get the above data?
Thanks,
Manohar