Transactions

Further
Transaction Description Key Area Why is this useful? details, links,
etc.

Launch launch NWBC HTML. You will

NWBC Netweaver All need to have work centre roles
Business Client assigned or build you own.

Self explanatory - configuration

SPRO Customizing All entry point for both GRC and
plug-in systems

Upload a huge number of

Upload mitigation (user, role, profile) in Mass change
GRAC_UPLOAD_MIT_ASGN Mitigation ARA one shot. You can either append of Mitigation
Assignments your current mitigations or Assignments
overwrite.

Download Download a huge number of Mass change

GRAC_DWLOAD_MIT_ASGN Mitigation ARA mitigation (user, role, profile) in of Mitigation
Assignments one shot. Assignments

MSMP MSMP Workflow Configuration -

GRFNMW_CONFIGURE_WD Workflow WF standard view (web dynpro will
Configuration launch)

SAP GUI expert mode to

configuration workflow
configuration. Do not use this
transaction if you not familiar or
MSMP Workflow strong with MSMP configuration
GRFNMW_CONFIGURE WF
Config Expert as you will risk corrupting your
build. This is useful if you need to
retransport or transport all of the
MSMP in one go as you can
select it like an IMG table.

Comprehensive view of the

workflow execution for MSMP
evaluation including Stage/Path
MSMP Instance calculation, provisioning notes,
GRFNMW_DBGMONITOR_WD WF
Runtime Monitor notifications and agents. This is
useful for an Administrator to
track issues with an MSMP after
a request has been submitted.

Unlikely you will need to go into

this transaction as the Worfklows
Workflow
SWDD WF for SAP are out of the box and
Builder
MSMP is used. You can identify
the MSMP integration from here.
 SAP standard workflow. This will
allow you to check the current
Workflow and Task numbers. If
the MSMP Instance Runtime
shows the workflow is completed
SWIA WF
but SWIA is not completed then
there is an issue with the
workflow configuration. Check
Marketplace incase there is a
correction.

Mass Role
Import from
GRAC_ROLE_MASS_IMPRT BRM
Backend
System

Cleanup EAM Program to clean up EAM

GRAC_SPM_CLEANUP EAM
Application Data tables.

For centralized firefighting, you

use GRAC_EAM to open the
EAM Launchpad on the GRC
system. For decentralized
firefighting, you use
/GRCPI/GRIA_EAM to open the
EAM Launchpad on the plug-in
GRAC_EAM/GRAC_SPM and
EAM Logon Pad EAM systems. The launchpad for
/GRCPI/GRIA_EAM
centralized firefighting displays
all the plug-in systems to which
you have access. The launchpad
for decentralized firefighting
does not display any systems
because it allows you to access
only the current plug-in system.

This is available in the IMG

navigation and allows you to
Upload Access import the rule set. Note, if you
GRAC_UPLOAD_RULES ARA
Control Rules have workflow activated for you
ruleset it will not trigger
workflow.

Utility for copying SOD rules from

Copy Access
GRAC_COPY_RULES ARA one system to another of same
Control Rules
type.

This is available in the IMG

navigation and allows you to
Delete Access delete the rule set. Note, if you
GRAC_RULE_DELETE ARA
Control Rules have workflow activated for you
ruleset it will not trigger
workflow.
 This is available in the IMG
navigation and allows you to
download the rule set.
Download
Recommend you save a
GRAC_DOWNLOAD_RULES Access Control ARA
selection variant with the file
Rules
name and paths so you do not
have to continually maintain
them.

This is available in the IMG

navigation and allows you to
Generate mass generate the rules. You
GRAC_GENERATE_RULES Access Control ARA can also execute this via NWBC,
Rules however, this program would
allow you to schedule in
background via SM36/37

Transport This is available via IMG

GRAC_RULE_TRANSPORT Access Controls ARA navigation and allows to mass
Rules transport the rule set.

Export Risk
Analysis Data
Program to download the results
GRAC_EXPORT_RA (e.g. when the ARA
of the risk analysis to a local file.
file is too big for
the web)

This is available in the IMG

navigation and triggers the
Risk Analysis in
GRAC_BATCH_RA ARA program for you to schedule
Batch Mode
batch risk analysis. Ensure your
configuration parameters are set

Build MSMP rules (usually

GRAC_GENERATE_RULES WF BRF+). Refer to comment below
for creating application first.
Build the BRF+ Rules for BRM
role methodology and approval
conditions groups. Note, before
running to to BRF+ and create a
GRAC_GEN_ERM_BRFRULE WF/BRM shell application that has been
assigned to a transport and
activated. Use this application in
your definition. If not, it gets
created in $TMP

Alternative transactions: BRF+

and FDT_Workbench. You can
BRFplus
BRFPLUS WF maintain the BRF+ rules here
Workbench
and transport through to
Production.

STZAD Customizing BC Discuss with Basis before

 Time Zones making any changes to timezone
as it can impact EAM log
collections, etc.

Application log display. It is

Display useful to track error messages.
SLG1 BC
Application Logs Most GRC authorisations errors
will show in the application log

SAP
Documentation
SE61 All Document maintenance.
(Email
templates, etc.)

This transaction enables you to

SE63 Translations All directly translate individual
objects.

Activate BC
Sets -
Business
Activate BC
SCPR20 Basis Activation of BC Sets. Configuration
Sets
Sets (BC-
CUS) - SAP
Library

Maintain
PPOM Organizational Basis Maintain Organizational Plan
Plan

Check if there has been an issue

with sending on email
SAPconncet notifications or reprocess
SOST/SOSB Tcode SOST
Send Requests requests. Transaction SOSB can
be restricted to limited
functionality.

Configuration of SAPConnect.
Discuss with your Basis team.
Take care in enabling in Non-
Production environment so you
SAPconnect do not accidentally send emails
SCOT Basis
Administration to users and add confusion. If
enabled for Non-Prod,
recommend you put dummy
email addresses on the user
accounts.

Trace for an application server.

ST01 is useful for authorisation
ST01/STAUTHTRACE/ST05 System Trace checks and include database
calls, kernel and RFC.
STAUTHTRACE is new version
 for security tracing with ALV
functionality and drill down
(heaps easier to intepret than
ST01). ST05 comes in handy to
trace SQL calls to find the table
where information has been
stored.

You can access this in display

mode only. It can be a quick way
to find which tables your data is
stored in. Go into the NWBC
SM12 Enqueue Locks Basis
screen in change mode so it puts
a lock on the tables. Open a new
session and go to SM12 to find
the tables.

Display
EAM FF logs import STAD
STAD Statistics for all Basis
information
systems

Ability to change client setting to

enable cross-client changes. Do
not make changes to these
settings without discussing with
Client
SCC4 Basis. Depending on your
Administration
landscape strategy you may
need to maintain some IMG
settings directly in the client
(such as integration framework)

Import and apply SAP Notes.

You will need to check with your
company's policy for note
application responsible. If you
have not applied and OSS note
before, it is strongly
SNOTE Note Assistant BC
recommended your talk to your
developer or Basis to learn
about pre-requisite and post-
processing activities. In some
cases, a developer key will be
necessary.

Transport
SE01/SE09 BC Manage your transports
Organizer

Transaction to easily browse

SE16 / SE16N Data Browser
thru data tables.

Lock Lock transaction to prevent

SM01 SEC
Transactions users (even if authorised) from
 executing the transaction.
Usually security is responsible
for this activity.

GRC Access Controls uses a job

Schedule
scheduler via NWBC. SM36 jobs
SM36 Background BC
for connector sync,etc can be
Jobs
set up via SM36

Allow you to view background

Overview of
jobs. All jobs runtimes will show
SM37 Background BC
here, even if scheduled via
Jobs
NWBC.

SA38 ABAP Reporting ABAP Execute SAP ABAP programs.

SE38 ABAP Editor ABAP Program Editor

SAP Development workbench,

Object
SE80 ABAP most development functionality
Navigation
is available from this transaction.

MSMP SAP standard rules are

usually function modules. You
can look at the code if you want
SE37 ABAP Function ABAP to better understand what is
being evaluated. Also comes in
handy for break point if you need
to debug.
useful if you need to check the
SE24 ABAP Class ABAP code and add a breakpoint to a
method

Task
OOCU
Customizing

RFC connections have to be

defined as a logical system
BD54 Logical Systems Basis (usually same name) to then
reference in the integration
framework configuration

RFC
SM59 Basis RFC Configuration
Destinations

View the number of background

work process available to define
SM66/SM50 Workprocess Basis as part of the integration
framework for background job
processing
User Information Reporting
SUIM SEC
system

Report shows a list of all

Transactions for
S_BCE_68001426 SEC transactions assigned to a user.
User
This is a very helpful report to
 identify critical transactions as
user has access to.

Report to find roles by complex

Roles by Role selection criterias. This report
S_BCE_68001418 SEC
Name can be used to find roles by
description, etc.

Report shows a list of all roles

Roles by User assigned to a user. This is very
S_BCE_68001419 SEC
Assignment helpful to have an overview of all
authorized roles a user have.

Reports shows a list of all roles

Roles by that includes a specific
S_BCE_68001420 Transaction SEC transaction. This is very helpful
Assignment to easily find possible roles to
assign a transaction.

Discuss with Basis and Security

before activating these as it
poses a security risk. If you
receive a 403 Forbidden error in
NWBC it means a service needs
to be activated for the
SICF HTTP Services BC
webdynpro. You can also test
the services here. For PSS/End
User Login screens, the SICF
services need to be configured
with the Service Account
Username and Password stored

User + Role + Profile

GRAC_REP_OBJ_SYNC Object Rep Sync All
Synchronization Job
GRAC_USER_SYNC User Sync All User Synchronization Job
GRAC_ROLE_SYNC Role Sync All Role Synchronization Job
Role Usage
GRAC_ROLE_USAGE_SYNC All Role Usage Synchronization Job
Sync
Action Usage Action Usage Synchronization
GRAC_ACT_USAGE_SYNC EAM/ARA
Sync Job
GRAC_PROFILE_SYNC Profile Sync All Profile Synchronization Job
Authorization data
GRAC_AUTH_SYNC Auth Sync All
Synchronization Job
Emergency Access Management
GRAC_SPM_SYNC EAM Sync EAM
Master Data Synchronization Job
Emergency Access
EAM Workflow
GRAC_SPM_WF_SYNC EAM Managmement Workflow
Synchronization
Synchronization Job
Emergency Access Management
GRAC_SPM_LOG_SYNC EAM Log Sync EAM
Log Synchronization Job
 These transactions show all the
relationships between objects in
the structure considering the
timeframe of each object and the
timeframe of the relationship.

Both are considered super

transactions which are really
sensitive. They are exclusive
GRFN_STR_DISPLAY / Org Structure GRC transactions to check
All
GRFN_STR_CHANGE Expert Change Objects Hierarchy. The point of
GRFN_STR_CHANGE is that
within this transaction you can
change master data that you
could not using UI. It means that
the structure change transaction
is not recommended as you can
cause severe data inconsistency
in the system if you use it without
knowing it.
5 Role
Maintenance in
Role Role maintenance to create and PFCG - SAP
PFCG Basis
Maintenance edit roles. NetWeaver
Business Client
- SAP Library
User
SU01 Basis User maintenance
Maintenance
Data browser to view/add table
SE16 Data Browser Basis
data
SE16 and SM30 essentially give
direct access to tables
information. SM30 is restricted in
a way that you cannot use the
SM30 interface to view all the
tables. Only tables with a
maintaince dialog defined can be
View
SM30/SM31/SM34 Basis accessed through SM30. But
Maintenance
there is no restriction on the
access to tables in SE16 as long
as u have access to the
authorization group pertaining to
the table you will be able to
access the information through
SE16.
MSMP Power
GRFNMW_ADMIN WF
User / Debug
 MSMP Process
GRFNMW_CN_VERA Active Version WF
Maint.
MSMP Process
GRFNMW_DEBUG WF
Debug Settings
MSMP Process
Debug
GRFNMW_DEBUG_MSG WF
Messages
Settings
MSMP
GRFNMW_DEV_CONFIG Development WF
Configuration
MSMP Rule
GRFNMW_DEV_RULES Generation / WF
Testing
Generate version is useful to run
Generate after you import a transport (post
GRFNMW_GEN_VERSION Versions for WF processing activity) instead of
MSMP Config going into MSMP screen to
activate.
MSMP Workflow Monitoring of the MSMP
GRFNMW_MONITOR WF
Monitoring Workflow statistics.
End user form
GRAC_ENDUSRFORM_SICF
SICF service
Maintain EAM
GRAC_FFOBJ_DSC_MAINT FF Object
Description
Firefighter Object
GRAC_FFOBJ_DSC_MNT1
Maintenance
IDM Schema
GRAC_IDM_SCHEMA_SYNC
Update
AC10 Data Program to migrate data from an
GRAC_DATA_MIGRATION
Migration earlier version.
Delete Report
GRAC_DELETE_REPORT_S
Spool data
This program is used to monitor
Batch Risk
GRACRABATCH_MONITOR the execution status of a running
Analysis Monitor
batch risk analysis.
SAP GRC AC
GRAC_ALERT_GENERATE Alert Generation Program that generates alerts.
10.0 Alerting
Offline analysis is not real-time
data but is dependent on the date
Online vs.
Risk Analysis In of the last Batch Risk Analysis.
GRAC_BATCH_RA Offline Risk
Batch Mode The Batch Risk Analysis is run as
Analysis
background job in GRC by using
transaction GRAC_BATCH_RA.
Programs
Further details, links,
Program Description Why is this useful?
etc.

Very helpful to
easily delete
expired
Program to merge the assignments or to
assignments of identical clean up the
users and roles, provided assignments after
the validity periods overlap a system copy.
PRGN_COMPRESS_TIMES Before Initial Load
with one another or Please note that
immediately follow each this program
other. Also you can delete should not be run
expired assignments. if you have ARQ
in place for
business roles
provisioning.

Timezone changes
Troubleshooting Support
TZCUSTHELP best practices - Basis
for Time Zone Settings
Corner - SCN Wiki

Timezone changes
Check Time Zone Data for
TZONECHECK best practices - Basis
Consistency
Corner - SCN Wiki

Synchronization of
Synchronization of SAP SAP User
User Administration with Administration with
RSLDAPSYNC_USER
an LDAP-Compatible an LDAP-Compatib -
Directory Service Identity Management
- SAP Library

Job User to send Email

reminders to approvers
GRFNMW_BATCH_EMAIL_REMINDER
based on number of days
and frequency

This program was useful

for deleting non-actionable
GRFNMW_BATCH_STALE_REQUEST old requests from the
system as housekeeping
activity

This job used for sending

RSCONN01 email (and other types of
communication items)

Download roles data for

/GRCPI/GRIA_DNLDROLES
mass import

Tables
 Table Description Why is this useful? Further details, links, etc.

GRACREVREJUSER UAR Rejected Users

GRACREJREASON UAR Rejected Reasons

GRACREJREASONT UAR Rejected Reasons Texts

USR02 User Logon Data

GRACOWNER Master Table for Central Owner Administration