The motivation to write this document comes with the Community Collaboration for GRC Blogs and Documents project that we have started recently in the GRC space. Leo (S A) has requested a document that elaborates which tools and transactions are used by a GRC consultant. I have extended the request to also name some programs and tables I regularly use to complete my job. The following listing will give you an overview of transactions, tools, programs and tables used by a GRC consultant. Each table is sortable by clicking on headings.
Transactions
| Transaction | Description | Key Area | Why is this useful? | Further details, links, etc. |
|---|---|---|---|---|
| NWBC | Launch Netweaver Business Client | All | launch NWBC HTML. You will need to have work centre roles assigned or build you own. | |
| SPRO | Customizing | All | Self explanatory - configuration entry point for both GRC and plug-in systems | |
| GRAC_UPLOAD_MIT_ASGN | Upload Mitigation Assignments | ARA | Upload a huge number of mitigation (user, role, profile) in one shot. You can either append your current mitigations or overwrite. Program GRAC_UPLOAD_MIT_ASSIGNMENTS. | Mass change of Mitigation Assignments |
| GRAC_DWLOAD_MIT_ASGN | Download Mitigation Assignments | ARA | Download a huge number of mitigation (user, role, profile) in one shot. Program GRAC_DOWNLOAD_MIT_ASSIGNMENTS. | Mass change of Mitigation Assignments |
| GRFNMW_CONFIGURE_WD | MSMP Workflow Configuration | WF | MSMP Workflow Configuration - standard view (web dynpro will launch) | |
| GRFNMW_CONFIGURE | MSMP Workflow Config Expert | WF | SAP GUI expert mode to configuration workflow configuration. Do not use this transaction if you not familiar or strong with MSMP configuration as you will risk corrupting your build. This is useful if you need to retransport or transport all of the MSMP in one go as you can select it like an IMG table. | |
| GRFNMW_DBGMONITOR_WD | MSMP Instance Runtime Monitor | WF | Comprehensive view of the workflow execution for MSMP evaluation including Stage/Path calculation, provisioning notes, notifications and agents. This is useful for an Administrator to track issues with an MSMP after a request has been submitted. | |
| SWDD | Workflow Builder | WF | Unlikely you will need to go into this transaction as the Worfklows for SAP are out of the box and MSMP is used. You can identify the MSMP integration from here. | |
| SWIA | WF | SAP standard workflow. This will allow you to check the current Workflow and Task numbers. If the MSMP Instance Runtime shows the workflow is completed but SWIA is not completed then there is an issue with the workflow configuration. Check Marketplace incase there is a correction. | ||
| GRAC_ROLE_MASS_IMPRT | Mass Role Import from Backend System | BRM | ||
| GRAC_SPM_CLEANUP | Cleanup EAM Application Data | EAM | Program to clean up EAM tables. | |
| GRAC_EAM/GRAC_SPM and /GRCPI/GRIA_EAM | EAM Logon Pad | EAM | For centralized firefighting, you use GRAC_EAM to open the EAM Launchpad on the GRC system. For decentralized firefighting, you use /GRCPI/GRIA_EAM to open the EAM Launchpad on the plug-in systems. The launchpad for centralized firefighting displays all the plug-in systems to which you have access. The launchpad for decentralized firefighting does not display any systems because it allows you to access only the current plug-in system. | |
| GRAC_UPLOAD_RULES | Upload Access Control Rules | ARA | This is available in the IMG navigation and allows you to import the rule set. Note, if you have workflow activated for you ruleset it will not trigger workflow. | |
| GRAC_COPY_RULES | Copy Access Control Rules | ARA | Utility for copying SOD rules from one system to another of same type. | |
| GRAC_RULE_DELETE | Delete Access Control Rules | ARA | This is available in the IMG navigation and allows you to delete the rule set. Note, if you have workflow activated for you ruleset it will not trigger workflow. | |
| GRAC_DOWNLOAD_RULES | Download Access Control Rules | ARA | This is available in the IMG navigation and allows you to download the rule set. Recommend you save a selection variant with the file name and paths so you do not have to continually maintain them. | |
| GRAC_GENERATE_RULES | Generate Access Control Rules | ARA | This is available in the IMG navigation and allows you to mass generate the rules. You can also execute this via NWBC, however, this program would allow you to schedule in background via SM36/37 | |
| GRAC_RULE_TRANSPORT | Transport Access Controls Rules | ARA | This is available via IMG navigation and allows to mass transport the rule set. | |
| GRAC_EXPORT_RA | Export Risk Analysis Data (e.g. when the file is too big for the web) | ARA | Program to download the results of the risk analysis to a local file. | |
| GRAC_BATCH_RA | Risk Analysis in Batch Mode | ARA | This is available in the IMG navigation and triggers the program for you to schedule batch risk analysis. Ensure your configuration parameters are set | |
| GRAC_GENERATE_RULES | WF | Build MSMP rules (usually BRF+). Refer to comment below for creating application first. | ||
| GRAC_GEN_ERM_BRFRULE | WF/BRM | Build the BRF+ Rules for BRM role methodology and approval conditions groups. Note, before running to to BRF+ and create a shell application that has been assigned to a transport and activated. Use this application in your definition. If not, it gets created in $TMP | ||
| BRFPLUS | BRFplus Workbench | WF | Alternative transactions: BRF+ and FDT_Workbench. You can maintain the BRF+ rules here and transport through to Production. | |
| STZAD | Customizing Time Zones | BC | Discuss with Basis before making any changes to timezone as it can impact EAM log collections, etc. | |
| SLG1 | Display Application Logs | BC | Application log display. It is useful to track error messages. Most GRC authorisations errors will show in the application log | |
| SE61 | SAP Documentation (Email templates, etc.) | All | Document maintenance. | |
| SE63 | Translations | All | This transaction enables you to directly translate individual objects. | |
| SCPR20 | Activate BC Sets | Basis | Activation of BC Sets. | Activate BC Sets - Business Configuration Sets (BC-CUS) - SAP Library |
| PPOM | Maintain Organizational Plan | Basis | Maintain Organizational Plan | |
| SOST/SOSB | SAPconncet Send Requests | Check if there has been an issue with sending on email notifications or reprocess requests. Transaction SOSB can be restricted to limited functionality. | Tcode SOST | |
| SCOT | SAPconnect Administration | Basis | Configuration of SAPConnect. Discuss with your Basis team. Take care in enabling in Non-Production environment so you do not accidentally send emails to users and add confusion. If enabled for Non-Prod, recommend you put dummy email addresses on the user accounts. | |
| ST01/STAUTHTRACE/ST05 | System Trace | Trace for an application server. ST01 is useful for authorisation checks and include database calls, kernel and RFC. STAUTHTRACE is new version for security tracing with ALV functionality and drill down (heaps easier to intepret than ST01). ST05 comes in handy to trace SQL calls to find the table where information has been stored. | ||
| SM12 | Enqueue Locks | Basis | You can access this in display mode only. It can be a quick way to find which tables your data is stored in. Go into the NWBC screen in change mode so it puts a lock on the tables. Open a new session and go to SM12 to find the tables. | |
| STAD | Display Statistics for all systems | Basis | EAM FF logs import STAD information | |
| SCC4 | Client Administration | Ability to change client setting to enable cross-client changes. Do not make changes to these settings without discussing with Basis. Depending on your landscape strategy you may need to maintain some IMG settings directly in the client (such as integration framework) | ||
| SNOTE | Note Assistant | BC | Import and apply SAP Notes. You will need to check with your company's policy for note application responsible. If you have not applied and OSS note before, it is strongly recommended your talk to your developer or Basis to learn about pre-requisite and post-processing activities. In some cases, a developer key will be necessary. | |
| SE01/SE09 | Transport Organizer | BC | Manage your transports | |
| SE16 / SE16N | Data Browser | Transaction to easily browse thru data tables. | ||
| SM01 | Lock Transactions | SEC | Lock transaction to prevent users (even if authorised) from executing the transaction. Usually security is responsible for this activity. | |
| SM36 | Schedule Background Jobs | BC | GRC Access Controls uses a job scheduler via NWBC. SM36 jobs for connector sync,etc can be set up via SM36 | |
| SM37 | Overview of Background Jobs | BC | Allow you to view background jobs. All jobs runtimes will show here, even if scheduled via NWBC. | |
| SA38 | ABAP Reporting | ABAP | Execute SAP ABAP programs. | |
| SE38 | ABAP Editor | ABAP | Program Editor | |
| SE80 | Object Navigation | ABAP | SAP Development workbench, most development functionality is available from this transaction. | |
| SE37 | ABAP Function | ABAP | MSMP SAP standard rules are usually function modules. You can look at the code if you want to better understand what is being evaluated. Also comes in handy for break point if you need to debug. | |
| SE24 | ABAP Class | ABAP | useful if you need to check the code and add a breakpoint to a method | |
| OOCU | Task Customizing | |||
| BD54 | Logical Systems | Basis | RFC connections have to be defined as a logical system (usually same name) to then reference in the integration framework configuration | |
| SM59 | RFC Destinations | Basis | RFC Configuration | |
| SM66/SM50 | Workprocess | Basis | View the number of background work process available to define as part of the integration framework for background job processing | |
| SUIM | SEC | User Information Reporting system | ||
| S_BCE_68001426 | Transactions for User | SEC | Report shows a list of all transactions assigned to a user. This is a very helpful report to identify critical transactions as user has access to. | |
| S_BCE_68001418 | Roles by Role Name | SEC | Report to find roles by complex selection criterias. This report can be used to find roles by description, etc. | |
| S_BCE_68001419 | Roles by User Assignment | SEC | Report shows a list of all roles assigned to a user. This is very helpful to have an overview of all authorized roles a user have. | |
| S_BCE_68001420 | Roles by Transaction Assignment | SEC | Reports shows a list of all roles that includes a specific transaction. This is very helpful to easily find possible roles to assign a transaction. | |
| SICF | HTTP Services | BC | Discuss with Basis and Security before activating these as it poses a security risk. If you receive a 403 Forbidden error in NWBC it means a service needs to be activated for the webdynpro. You can also test the services here. For PSS/End User Login screens, the SICF services need to be configured with the Service Account Username and Password stored | |
| GRAC_REP_OBJ_SYNC | Object Rep Sync | All | User + Role + Profile Synchronization Job | |
| GRAC_USER_SYNC | User Sync | All | User Synchronization Job | |
| GRAC_ROLE_SYNC | Role Sync | All | Role Synchronization Job | |
| GRAC_ROLE_USAGE_SYNC | Role Usage Sync | All | Role Usage Synchronization Job | |
| GRAC_ACT_USAGE_SYNC | Action Usage Sync | EAM/ARA | Action Usage Synchronization Job | |
| GRAC_PROFILE_SYNC | Profile Sync | All | Profile Synchronization Job | |
| GRAC_AUTH_SYNC | Auth Sync | All | Authorization data Synchronization Job | |
| GRAC_SPM_SYNC | EAM Sync | EAM | Emergency Access Management Master Data Synchronization Job | |
| GRAC_SPM_WF_SYNC | EAM Workflow Synchronization | EAM | Emergency Access Managmement Workflow Synchronization Job | |
| GRAC_SPM_LOG_SYNC | EAM Log Sync | EAM | Emergency Access Management Log Synchronization Job | |
| GRFN_STR_DISPLAY / GRFN_STR_CHANGE | Org Structure Expert Change | All | These transactions show all the relationships between objects in the structure considering the timeframe of each object and the timeframe of the relationship. Both are considered super transactions which are really sensitive. They are exclusive GRC transactions to check Objects Hierarchy. The point of GRFN_STR_CHANGE is that within this transaction you can change master data that you could not using UI. It means that the structure change transaction is not recommended as you can cause severe data inconsistency in the system if you use it without knowing it. | |
| PFCG | Role Maintenance | Basis | Role maintenance to create and edit roles. | 5 Role Maintenance in PFCG - SAP NetWeaver Business Client - SAP Library |
| SU01 | User Maintenance | Basis | User maintenance | |
| SE16 | Data Browser | Basis | Data browser to view/add table data | |
| SM30/SM31/SM34 | View Maintenance | Basis | SE16 and SM30 essentially give direct access to tables information. SM30 is restricted in a way that you cannot use the SM30 interface to view all the tables. Only tables with a maintaince dialog defined can be accessed through SM30. But there is no restriction on the access to tables in SE16 as long as u have access to the authorization group pertaining to the table you will be able to access the information through SE16. | |
| GRFNMW_ADMIN | MSMP Power User / Debug | WF | ||
| GRFNMW_CN_VERA | MSMP Process Active Version Maint. | WF | ||
| GRFNMW_DEBUG | MSMP Process Debug Settings | WF | ||
| GRFNMW_DEBUG_MSG | MSMP Process Debug Messages Settings | WF | ||
| GRFNMW_DEV_CONFIG | MSMP Development Configuration | WF | ||
| GRFNMW_DEV_RULES | MSMP Rule Generation / Testing | WF | ||
| GRFNMW_GEN_VERSION | Generate Versions for MSMP Config | WF | Generate version is useful to run after you import a transport (post processing activity) instead of going into MSMP screen to activate. | |
| GRFNMW_MONITOR | MSMP Workflow Monitoring | WF | Monitoring of the MSMP Workflow statistics. | |
| GRAC_ENDUSRFORM_SICF | End user form SICF service | |||
| GRAC_FFOBJ_DSC_MAINT | Maintain EAM FF Object Description | |||
| GRAC_FFOBJ_DSC_MNT1 | Firefighter Object Maintenance | |||
| GRAC_IDM_SCHEMA_SYNC | IDM Schema Update | |||
| GRAC_DATA_MIGRATION | AC10 Data Migration | Program to migrate data from an earlier version. | ||
| GRAC_DELETE_REPORT_S | Delete Report Spool data | |||
| GRACRABATCH_MONITOR | Batch Risk Analysis Monitor | This program is used to monitor the execution status of a running batch risk analysis. | ||
| GRAC_ALERT_GENERATE | Alert Generation | Program that generates alerts. | SAP Access Control 10.0 Alerting | |
| GRAC_BATCH_RA | Risk Analysis In Batch Mode | Offline analysis is not real-time data but is dependent on the date of the last Batch Risk Analysis. The Batch Risk Analysis is run as background job in GRC by using transaction GRAC_BATCH_RA (program GRAC_BATCH_RISK_ANALYSIS). | Online vs. Offline Risk Analysis | |
| WD_TRACE_TOOL | WebDynpro Tracing | Basis | The Web Dynpro trace tool supports the analysis of problems and errors arising in Web Dynpro ABAP, by collecting and listing the data related to the Web Dynpro ABAP application. | Web Dynpro Trace Tool - Web Dynpro for ABAP - SAP Library |
Programs
| Program | Description | Why is this useful? | Further details, links, etc. |
|---|---|---|---|
| PRGN_COMPRESS_TIMES | Program to merge the assignments of identical users and roles, provided the validity periods overlap with one another or immediately follow each other. Also you can delete expired assignments. | Very helpful to easily delete expired assignments or to clean up the assignments after a system copy.
Please note that this program should not be run if you have ARQ in place for business roles provisioning. | Before Initial Load ... |
| TZCUSTHELP | Troubleshooting Support for Time Zone Settings | Timezone changes best practices - Basis Corner - SCN Wiki | |
| TZONECHECK | Check Time Zone Data for Consistency | Timezone changes best practices - Basis Corner - SCN Wiki | |
| RSLDAPSYNC_USER | Synchronization of SAP User Administration with an LDAP-Compatible Directory Service | Synchronization of SAP User Administration with an LDAP-Compatib - Identity Management - SAP Library | |
| GRFNMW_BATCH_EMAIL_REMINDER | Job User to send Email reminders to approvers based on number of days and frequency | ||
| GRFNMW_BATCH_STALE_REQUEST | This program was useful for deleting non-actionable old requests from the system as housekeeping activity | ||
| RSCONN01 | This job used for sending email (and other types of communication items) | ||
| /GRCPI/GRIA_DNLDROLES | Download roles data for mass import | ||
| GRAC_CHECK_BROLE_ASSIGNMENT | The program checks the consistency of business roles assigned to user. The report fetches all the business roles assigned to user and then gets list of single roles that are part of those business roles. Then repository is checked to see that all the single roles which are part of business roles are assigned to user with correct validity and relation. | Inconsistencies can be identified easily with a single report. | http://service.sap.com/sap/support/notes/2036088 |
Tables
| Table | Description | Why is this useful? | Further details, links, etc. |
|---|---|---|---|
| GRACREVREJUSER | UAR Rejected Users | ||
| GRACREJREASON | UAR Rejected Reasons | ||
| GRACREJREASONT | UAR Rejected Reasons Texts | ||
| USR02 | User Logon Data | ||
| GRACOWNER | Master Table for Central Owner Administration |
Other tools
| Tool | Description | Why is this useful? | Further details, links, etc. |
|---|---|---|---|
I am really looking forward to your input to extend the listing.
Best regards,