Helpful transactions, tools, programs, tables, etc. for a SAP GRC Consultant

Transactions

| Transaction | Description | Key Area | Why is this useful? | Further details, links, etc. |
| --- | --- | --- | --- | --- |
| NWBC | Launch Netweaver Business Client | All | Launch NWBC HTML. You will need to have work centre roles assigned or build your own. | |
| SPRO | Customizing | All | Self explanatory - configuration entry point for both GRC and plug-in systems. | |
| GRAC_UPLOAD_MIT_ASGN | Upload Mitigation Assignments | ARA | Upload a huge number of mitigation (user, role, profile) in one shot. You can either append your current mitigations or overwrite. Program GRAC_UPLOAD_MIT_ASSIGNMENTS. | Mass change of Mitigation Assignments |
| GRAC_DWLOAD_MIT_ASGN | Download Mitigation Assignments | ARA | Download a huge number of mitigation (user, role, profile) in one shot. Program GRAC_DOWNLOAD_MIT_ASSIGNMENTS. | Mass change of Mitigation Assignments |
| GRFNMW_CONFIGURE_WD | MSMP Workflow Configuration | WF | MSMP Workflow Configuration - standard view (web dynpro will launch). | |
| GRFNMW_CONFIGURE | MSMP Workflow Config Expert | WF | SAP GUI expert mode for workflow configuration. Do not use this transaction if you are not familiar or strong with MSMP configuration, as you will risk corrupting your build. This is useful if you need to retransport or transport all of the MSMP in one go, as you can select it like an IMG table. | |
| GRFNMW_DBGMONITOR_WD | MSMP Instance Runtime Monitor | WF | Comprehensive view of the workflow execution for MSMP evaluation including Stage/Path calculation, provisioning notes, notifications and agents. This is useful for an Administrator to track issues with an MSMP after a request has been submitted. | |
| SWDD | Workflow Builder | WF | Unlikely you will need to go into this transaction as the Workflows for SAP are out of the box and MSMP is used. You can identify the MSMP integration from here. | |
| SWIA | | WF | SAP standard workflow. This will allow you to check the current Workflow and Task numbers. If the MSMP Instance Runtime shows the workflow is completed but SWIA is not completed then there is an issue with the workflow configuration. Check Marketplace in case there is a correction. | |
| GRAC_ROLE_MASS_IMPRT | Mass Role Import from Backend System | BRM | | |
| GRAC_SPM_CLEANUP | Cleanup EAM Application Data | EAM | Program to clean up EAM tables. | |
| GRAC_EAM/GRAC_SPM and /GRCPI/GRIA_EAM | EAM Logon Pad | EAM | For centralized firefighting, you use GRAC_EAM to open the EAM Launchpad on the GRC system. For decentralized firefighting, you use /GRCPI/GRIA_EAM to open the EAM Launchpad on the plug-in systems. The launchpad for centralized firefighting displays all the plug-in systems to which you have access. The launchpad for decentralized firefighting does not display any systems because it allows you to access only the current plug-in system. | |
| GRAC_UPLOAD_RULES | Upload Access Control Rules | ARA | This is available in the IMG navigation and allows you to import the rule set. Note, if you have workflow activated for your ruleset it will not trigger workflow. | |
| GRAC_COPY_RULES | Copy Access Control Rules | ARA | Utility for copying SOD rules from one system to another of same type. | |
| GRAC_RULE_DELETE | Delete Access Control Rules | ARA | This is available in the IMG navigation and allows you to delete the rule set. Note, if you have workflow activated for your ruleset it will not trigger workflow. | |
| GRAC_DOWNLOAD_RULES | Download Access Control Rules | ARA | This is available in the IMG navigation and allows you to download the rule set. Recommend you save a selection variant with the file name and paths so you do not have to continually maintain them. | |
| GRAC_GENERATE_RULES | Generate Access Control Rules | ARA | This is available in the IMG navigation and allows you to mass generate the rules. You can also execute this via NWBC, however, this program would allow you to schedule in background via SM36/37. | |
| GRAC_RULE_TRANSPORT | Transport Access Controls Rules | ARA | This is available via IMG navigation and allows you to mass transport the rule set. | |
| GRAC_EXPORT_RA | Export Risk Analysis Data (e.g. when the file is too big for the web) | ARA | Program to download the results of the risk analysis to a local file. | |
| GRAC_BATCH_RA | Risk Analysis in Batch Mode | ARA | This is available in the IMG navigation and triggers the program for you to schedule batch risk analysis. Ensure your configuration parameters are set | |
| GRAC_GENERATE_RULES | | WF | Build MSMP rules (usually BRF+). Refer to comment below for creating application first. | |
| GRAC_GEN_ERM_BRFRULE | | WF/BRM | Build the BRF+ Rules for BRM role methodology and approval conditions groups. Note, before running, go to BRF+ and create a shell application that has been assigned to a transport and activated. Use this application in your definition. If not, it gets created in $TMP. | |
| BRFPLUS | BRFplus Workbench | WF | Alternative transactions: BRF+ and FDT_Workbench. You can maintain the BRF+ rules here and transport through to Production. | |
| STZAD | Customizing Time Zones | BC | Discuss with Basis before making any changes to timezone as it can impact EAM log collections, etc. | |
| SLG1 | Display Application Logs | BC | Application log display. It is useful to track error messages. Most GRC authorisation errors will show in the application log. | |
| SE61 | SAP Documentation (Email templates, etc.) | All | Document maintenance. | |
| SE63 | Translations | All | This transaction enables you to directly translate individual objects. | |
| SCPR20 | Activate BC Sets | Basis | Activation of BC Sets. | Business Configuration Sets (BCCUS) - SAP Library |
| PPOM | Maintain Organizational Plan | Basis | Maintain Organizational Plan | |
| SOST/SOSB | SAPconnect Send Requests | | Check if there has been an issue with sending of email notifications or reprocess requests. Transaction SOSB can be restricted to limited functionality. | Tcode SOST |
| SCOT | SAPconnect Administration | Basis | Configuration of SAPConnect. Discuss with your Basis team. Take care in enabling in Non-Production environment so you do not accidentally send emails to users and add confusion. If enabled for Non-Prod, recommend you put dummy email addresses on the user accounts. | |
| ST01/STAUTHTRACE/ST05 | System Trace | | Trace for an application server. ST01 is useful for authorisation checks and includes database calls, kernel and RFC. STAUTHTRACE is the new version for security tracing with ALV functionality and drill down (heaps easier to interpret than ST01). ST05 comes in handy to trace SQL calls to find the table where information has been stored. | |
| SM12 | Enqueue Locks | Basis | You can access this in display mode only. It can be a quick way to find which tables your data is stored in. Go into the NWBC screen in change mode so it puts a lock on the tables. Open a new session and go to SM12 to find the tables. | |
| STAD | Display Statistics for all systems | Basis | EAM FF logs import STAD information | |
| SCC4 | Client Administration | BC | Ability to change client setting to enable cross-client changes. Do not make changes to these settings without discussing with Basis. Depending on your landscape strategy you may need to maintain some IMG settings directly in the client (such as integration framework). | |
| SNOTE | Note Assistant | BC | Import and apply SAP Notes. You will need to check your company's policy on who is responsible for note application. If you have not applied an OSS note before, it is strongly recommended you talk to your developer or Basis to learn about pre-requisite and post-processing activities. In some cases, a developer key will be necessary. | |
| SE01/SE09 | Transport Organizer | | Manage your transports | |
| SE16 / SE16N | Data Browser | | Transaction to easily browse through data tables. | |
| SM01 | Lock Transactions | SEC | Lock transaction to prevent users (even if authorised) from executing the transaction. Usually security is responsible for this activity. | |
| SM36 | Schedule Background Jobs | BC | GRC Access Controls uses a job scheduler via NWBC. SM36 jobs for connector sync, etc. can be set up via SM36. | |
| SM37 | Overview of Background Jobs | BC | Allows you to view background jobs. All job runtimes will show here, even if scheduled via NWBC. | |
| SA38 | ABAP Reporting | ABAP | Execute SAP ABAP programs. | |
| SE38 | ABAP Editor | ABAP | Program Editor | |
| SE80 | Object Navigation | ABAP | SAP Development workbench, most development functionality is available from this transaction. | |
| SE37 | ABAP Function | ABAP | MSMP SAP standard rules are usually function modules. You can look at the code if you want to better understand what is being evaluated. Also comes in handy for a break point if you need to debug. | |
| SE24 | ABAP Class | ABAP | Useful if you need to check the code and add a breakpoint to a method. | |
| OOCU | Task Customizing | | | |
| BD54 | Logical Systems | Basis | RFC connections have to be defined as a logical system (usually same name) to then reference in the integration framework configuration. | |
| SM59 | RFC Destinations | Basis | RFC Configuration | |
| SM66/SM50 | Workprocess | Basis | View the number of background work processes available to define as part of the integration framework for background job processing. | |
| SUIM | | SEC | User Information Reporting system | |
| S_BCE_68001426 | Transactions for User | SEC | Report shows a list of all transactions assigned to a user. This is a very helpful report to identify critical transactions a user has access to. | |
| S_BCE_68001418 | Roles by Role Name | SEC | Report to find roles by complex selection criteria. This report can be used to find roles by description, etc. | |
| S_BCE_68001419 | Roles by User Assignment | SEC | Report shows a list of all roles assigned to a user. This is very helpful to have an overview of all authorized roles a user has. | |
| S_BCE_68001420 | Roles by Transaction Assignment | SEC | Report shows a list of all roles that include a specific transaction. This is very helpful to easily find possible roles to assign a transaction. | |
| SICF | HTTP Services | BC | Discuss with Basis and Security before activating these as it poses a security risk. If you receive a 403 Forbidden error in NWBC it means a service needs to be activated for the webdynpro. You can also test the services here. For PSS/End User Login screens, the SICF services need to be configured with the Service Account Username and Password stored | |
| GRAC_REP_OBJ_SYNC | Object Rep Sync | All | User + Role + Profile Synchronization Job | |
| GRAC_USER_SYNC | User Sync | All | User Synchronization Job | |
| GRAC_ROLE_SYNC | Role Sync | All | Role Synchronization Job | |
| GRAC_ROLE_USAGE_SYNC | Role Usage Sync | All | Role Usage Synchronization Job | |
| GRAC_ACT_USAGE_SYNC | Action Usage Sync | EAM/ARA | Action Usage Synchronization Job | |
| GRAC_PROFILE_SYNC | Profile Sync | All | Profile Synchronization Job | |
| GRAC_AUTH_SYNC | Auth Sync | All | Authorization data Synchronization Job | |
| GRAC_SPM_SYNC | EAM Sync | EAM | Emergency Access Management Master Data Synchronization Job | |
| GRAC_SPM_WF_SYNC | EAM Workflow Synchronization | EAM | Emergency Access Management Workflow Synchronization Job | |
| GRAC_SPM_LOG_SYNC | EAM Log Sync | EAM | Emergency Access Management Log Synchronization Job | |
| GRFN_STR_DISPLAY / GRFN_STR_CHANGE | Org Structure Expert Change | All | These transactions show all the relationships between objects in the structure considering the timeframe of each object and the timeframe of the relationship. Both are considered super transactions which are really sensitive. They are exclusive GRC transactions to check Objects Hierarchy. The point of GRFN_STR_CHANGE is that within this transaction you can change master data that you could not using UI. It means that the structure change transaction is not recommended as you can cause severe data inconsistency in the system if you use it without knowing it. | |
| PFCG | Role Maintenance | Basis | Role maintenance to create and edit roles. | 5 Role Maintenance in PFCG SAP NetWeaver Business Client - SAP Library |
| SU01 | User Maintenance | Basis | User maintenance | |
| SE16 | Data Browser | Basis | Data browser to view/add table data | |
| SM30/SM31/SM34 | View Maintenance | Basis | SE16 and SM30 essentially give direct access to table information. SM30 is restricted in a way that you cannot use the SM30 interface to view all the tables. Only tables with a maintenance dialog defined can be accessed through SM30. But there is no restriction on the access to tables in SE16: as long as you have access to the authorization group pertaining to the table, you will be able to access the information through SE16. | |
| GRFNMW_ADMIN | MSMP Power User / Debug | WF | | |
| GRFNMW_CN_VERA | MSMP Process Active Version Maint. | WF | | |
| GRFNMW_DEBUG | MSMP Process Debug Settings | WF | | |
| GRFNMW_DEBUG_MSG | MSMP Process Debug Messages Settings | WF | | |
| GRFNMW_DEV_CONFIG | MSMP Development Configuration | WF | | |
| GRFNMW_DEV_RULES | MSMP Rule Generation / Testing | WF | | |
| GRFNMW_GEN_VERSION | Generate Versions for MSMP Config | WF | Generate version is useful to run after you import a transport (post processing activity) instead of going into MSMP screen to activate. | |
| GRFNMW_MONITOR | MSMP Workflow Monitoring | WF | Monitoring of the MSMP Workflow statistics. | |
| GRAC_ENDUSRFORM_SICF | End user form SICF service | | | |
| GRAC_FFOBJ_DSC_MAINT | Maintain EAM FF Object Description | | | |
| GRAC_FFOBJ_DSC_MNT1 | Firefighter Object Maintenance | | | |
| GRAC_IDM_SCHEMA_SYNC | IDM Schema Update | | | |
| GRAC_DATA_MIGRATION | AC10 Data Migration | | Program to migrate data from an earlier version. | |
| GRAC_DELETE_REPORT_S | Delete Report Spool data | | | |
| GRACRABATCH_MONITOR | Batch Risk Analysis Monitor | | This program is used to monitor the execution status of a running batch risk analysis. | |
| GRAC_ALERT_GENERATE | Alert Generation | | Program that generates alerts. | SAP GRC AC 10.0 Alerting |
| GRAC_BATCH_RA | Risk Analysis In Batch Mode | | Offline analysis is not real-time data but is dependent on the date of the last Batch Risk Analysis. The Batch Risk Analysis is run as background job in GRC by using transaction GRAC_BATCH_RA (program GRAC_BATCH_RISK_ANALYSIS). | Online vs. Offline Risk Analysis |

Programs

| Program | Description | Why is this useful? | Further details, links, etc. |
| --- | --- | --- | --- |
| PRGN_COMPRESS_TIMES | Program to merge the assignments of identical users and roles, provided the validity periods overlap with one another or immediately follow each other. Also you can delete expired assignments. | Very helpful to easily delete expired assignments or to clean up the assignments after a system copy. | |
| TZCUSTHELP | Troubleshooting Support for Time Zone Settings | | Timezone changes best practices - Basis Corner - SCN Wiki |
| TZONECHECK | Check Time Zone Data for Consistency | | Timezone changes best practices - Basis Corner - SCN Wiki |
| RSLDAPSYNC_USER | Synchronization of SAP User Administration with an LDAP-Compatible Directory Service | Please note that this program should not be run if you have ARQ in place for business roles provisioning. | Synchronization of SAP User Administration with an LDAP-Compatib Identity Management - SAP Library; Before Initial Load ... |
| GRFNMW_BATCH_EMAIL_REMINDER | Job User to send Email reminders to approvers based on number of days and frequency | | |
| GRFNMW_BATCH_STALE_REQUEST | This program was useful for deleting non-actionable old requests from the system as housekeeping activity | | |
| RSCONN01 | This job is used for sending email (and other types of communication items) | | |
| /GRCPI/GRIA_DNLDROLES | Download roles data for mass import | | |

Tables

| Table | Description | Why is this useful? | Further details, links, etc. |
| --- | --- | --- | --- |
| GRACREVREJUSER | UAR Rejected Users | | |
| GRACREJREASON | UAR Rejected Reasons | | |
| GRACREJREASONT | UAR Rejected Reasons Texts | | |
| USR02 | User Logon Data | | |
| GRACOWNER | Master Table for Central Owner Administration | | |