SAP GRC Access Control Tables

In SAP GRC, various tables store data related to Governance, Risk, and Compliance. Here are some key tables used in different components of SAP GRC:

Request related tables

GRACREQ – Request details table

This table will provide the information about Request ID, Request Type, Request Creation Date and Request Priority. (Note: You can also get UAR request details from this table)

GRACREQUSER – GRC Request User details table

This table will provide the information about the user for whom the GRC request has been raised: User ID, User First Name, User Last Name and User Email ID.

GRACREQPROVITEM – GRC Request Line Item Details

This table will provide the information about the request and the Line Items listed below, with their corresponding VALID FROM and VALID TO dates:

Role, System, Fire Fighter Id, User Profile, PD Profile, Firefighter Role

GRACREQPROVLOG – GRC Request Provisioning Logs

This table will provide the information about the request and the Line Items in the request with their provisioning status (Success or Failure or Warning)

GRFNMWRTINST – GRC Request Instance Details

This table will provide the information about the request and its corresponding instance status.

GRFNMWRTDATLG – GRC Request Line Item Approval Status

Get the Instance ID from table GRFNMWRTINST by passing the request number in the “EXTERNAL_KEY_DIS” field. Using the Instance ID, this table gives the approval status of each Line Item in the request, together with the Path ID and Stage Sequence Number; the Approver User column gives the details of the approvers.

Based on Path ID you can get the stage details by using the tables “GRFNMWCNPATH” and “GRFNMWCNSTG”

GRFNMWRTAPPR – Current Approver for Request Line Items

This table will provide the information about the request and current approvers for corresponding Line Items in the request.

GRFNMWRTMSGLG – Workflow Instance Message Logs

This table holds the message numbers and variables used by the code logic; this data is displayed in the audit logs of access requests. You can ask your ABAP programmer to use this table as a reference to pull out the required details for audit logs.

Class: CL_GRFN_MSMP_INSTANCE_MODEL

Method: GET_INSTANCE_AUDIT_MESSAGES

GRACROLE & GRACROLEAPPRVR

These tables will provide the information about the roles and their corresponding role owners maintained in BRM.

GRACRLCONNVAL

This table will provide you the details about Auto provisioning status for a role

HRUS_D2 – Approver Delegation Table

This table will provide the information about the delegated approvers in GRC

GRACSTDROLE and GRACSTDROLESYS

These tables will provide the information about the default roles maintained in GRC.

GRPCCHKO and GRPCPHIO – GRC Request Attachment Details

These tables will provide the information about the attachments in the GRC request.

Get Request ID for a GRC request from GRACREQ Table

Input the Request ID retrieved above in the field PROP08 of table GRPCPHIO. Get PHIO_ID from the GRPCPHIO table. This table also gives attachment description details.

Input PHIO_ID to table GRPCCHKO. This table will provide Attachment Name and Type details.

Mitigating Control Vs. Risk/Monitor/Approver Details

Retrieve OBJID from table HRP5354 by inputting the Mitigating Control ID in SHORT_KEY1 field

Retrieve KEY 1 and KEY 2 from HRT5320 by passing OBJID retrieved above into T_OBJID field which will give Risk/MC Monitor/MC Owner Details

Mitigating Control Short Text and Long Text

Short Text

Retrieve “OBJID” from table HRP5354 by passing Mitigating Control ID into “SHORT_KEY1” field

Retrieve ‘STEXT’ from table HRP1000 by passing ‘OBJID’ value retrieved from above table

Long Text

Retrieve “OBJID” from table HRP5354 by passing Mitigating Control ID into “SHORT_KEY1” field

Retrieve the “TABNR” value from table HRP1002 by passing PLVAR = ‘01’, OTYPE = ‘P2’, OBJID = value retrieved from above table and SUBTY = ‘0001’; sort the results by ‘AEDTM’ and take the entry with the latest modification date

Retrieve “TLINE” values from table HRT1002 by passing TABNR value retrieved from above table
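
The long-text lookup above written as one query and run against an in-memory SQLite copy with constructed rows (an added example, not code from the article or from SAP). Only the columns the article names are modelled; TABSEQNR as the line-order column of HRT1002, the control ID MC_FI_001 and all row values are assumptions.

```python
import sqlite3

# Constructed sample data. AEDTM uses the YYYYMMDD form, so string order = date order.
SETUP = """
CREATE TABLE HRP5354 (OBJID TEXT, SHORT_KEY1 TEXT);
CREATE TABLE HRP1002 (PLVAR TEXT, OTYPE TEXT, OBJID TEXT, SUBTY TEXT,
                      AEDTM TEXT, TABNR TEXT);
CREATE TABLE HRT1002 (TABNR TEXT, TABSEQNR INTEGER, TLINE TEXT);
INSERT INTO HRP5354 VALUES ('50000123', 'MC_FI_001');
INSERT INTO HRP1002 VALUES
  ('01', 'P2', '50000123', '0001', '20230105', 'T-OLD'),
  ('01', 'P2', '50000123', '0001', '20240612', 'T-NEW'),
  ('01', 'P2', '50000123', '0002', '20250101', 'T-OTHER');
INSERT INTO HRT1002 VALUES
  ('T-OLD',   1, 'Superseded description.'),
  ('T-NEW',   2, 'by the FI controller.'),
  ('T-NEW',   1, 'Monthly review of manual postings'),
  ('T-OTHER', 1, 'Text stored under a different subtype.');
"""

# Step 1: control ID -> OBJID (HRP5354.SHORT_KEY1)
# Step 2: OBJID -> TABNR of the most recently changed HRP1002 record
# Step 3: TABNR -> text lines (HRT1002.TLINE), in stored line order
LONG_TEXT_SQL = """
SELECT t.TLINE
FROM HRT1002 AS t
WHERE t.TABNR = (
    SELECT p.TABNR
    FROM HRP1002 AS p
    JOIN HRP5354 AS c ON c.OBJID = p.OBJID
    WHERE c.SHORT_KEY1 = ?
      AND p.PLVAR = '01' AND p.OTYPE = 'P2' AND p.SUBTY = '0001'
    ORDER BY p.AEDTM DESC
    LIMIT 1)
ORDER BY t.TABSEQNR
"""

def demo_connection():
    """Build the in-memory database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SETUP)
    return conn

def mitigating_control_long_text(conn, control_id):
    """Return the latest long text of a mitigating control, or None if absent."""
    lines = [row[0] for row in conn.execute(LONG_TEXT_SQL, (control_id,))]
    return " ".join(lines) if lines else None

if __name__ == "__main__":
    print(mitigating_control_long_text(demo_connection(), "MC_FI_001"))
```

Skipping the AEDTM ordering or the SUBTY filter would return the superseded or unrelated text rows instead of the current description.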

Risk Long Text

Class: CL_GRFN_SAPSCRIPT

Method: RETRIEVE_STRING

Pass following values:

IV_LANGUAGE = EN
IV_OBJECT_ID = SOD_RISK/<RiskID>
IV_CLASS = LTXT
IV_TOKEN = RSK
IV_APPLICATION = GRC

Control Assignment request Items table

GRACMITMSMPVALI – This table will have the Control Assignment request and corresponding Lineitems of that request.

MSMP Instance and External Key in this table are referenced from GRFNMWRTINST table.

Mitigating Controls related tables

GRACMITUSER – mitigating controls assigned to User Level Risk violations

GRACMITUSERORG – mitigating controls assigned to User Org Level Risk violations

GRACMITROLE – mitigating controls assigned to Role Level Risk violations

GRACMITROLEORG – mitigating controls assigned to Role Org Level Risk violations

GRACMITPROF – mitigating controls assigned to Profile Risk violations

GRACMITOBJECT – mitigating controls assigned to HR Objects Risk violations

Mitigation-Violation Tables for Access Request (temporary storage while workflow is running)

GRACMITUSERAR – stores mitigating controls assigned to User Level Risk violations during Access Request approval process. Once request is finished, if access is provisioned, mitigations are transferred to GRACMITUSER

GRACMITUSERORGAR – stores mitigating controls assigned to User Org Level Risk violations during Access Request approval process. Once request is finished, if access is provisioned, mitigations are transferred to GRACMITUSERORG

GRC User Access Review (UAR) related tables:

GRACREQ – This table will provide the information about Request ID, Request Type, Request Creation Date and Request Priority for UAR requests also.

GRACREJREASON – Rejection reasons for UAR requests are stored in this table.

GRACREVCORDMAP – This table will store the Reviewer – Coordinator mapping defined in GRC system.

GRACOWNER - Master Table for Central Owner Administration

GRAC_S_REQUEST_RULE_HEADER - Contains Request Header information

GRAC_T_REQUEST_RULE_HEADER - Contains Request Header information

GRAC_S_REQUEST_RULE_LINE - Contains Access Request Line Item information

GRAC_T_REQUEST_RULE_LINE - Contains Access Request Line Item information

GRFN_MW_S_AGENT_ID - Result – Agent Rule

GRFN_MW_T_AGENT_ID - Result – Agent Rule

GRACREVITEM – For GRC access requests, the line item details can be retrieved from table GRACREQPROVITEM. Similarly for UAR requests, the line item details can be retrieved from table GRACREVITEM.

This table will provide the information about the UAR request and the lineitems with details mentioned below:

User ID – Connector – Review Item ID (Need to use GRACROLE to get the review item name which is role name) – Review Item usage.

GRACREVREJUSER – This table stores details of users rejected in UAR requests with the corresponding rejection reasons referenced from tables GRACREJREASON and GRACREJREASONT.

GRACREQPROVLOG – GRC Access Request Provisioning Logs

The same table will provide the information about the UAR requests and the Line Items in the request with their provisioning status (Success or Failure or Warning)

GRC Emergency Access Management (EAM) related tables:

GRACFFOWNER / GRACFFOWNERT – This table will store the mapping between Firefighter ID Owners and corresponding Firefighter IDs

GRACFFCTRL – This table will store the mapping between Firefighter ID Controllers and corresponding Firefighter IDs along with the log delivery options (Email, Workflow or Log Display) for the controller. If the delivery option is left BLANK then by default the option considered is “Log Display”.

GRACFFOBJECT / GRACFFOBJECTT – This is the master table which stores details of all Firefighter IDs in various ABAP systems and also stores the last logon date of Firefighter IDs.

GRACFFUSER / GRACFFUSERT – This table will store the mapping between Firefighter IDs and users assigned to those Firefighter IDs

GRACREASONCOD / GRACREASONCODT – This is a master table that stores the details of all EAM reason codes, reason code descriptions and status.

GRACREASONSYS – This table will store the mapping between reason codes and corresponding target connectors

GRACFFLOG – When the Firefighter Log Sync job is executed, the details of Firefighter ID, Firefighter User, Logon and Logoff time, Reason Code used and Workflow Status (whether sent or not) are updated in GRACFFLOG table.

GRACFFREPMAPP – For every entry in GRACFFLOG table, if the corresponding transaction usage details are synced to GRACACTUSAGE table, then the mapping between FF LOG ID in GRACFFLOG table and ACTION ID in GRACACTUSAGE table is stored in GRACFFREPMAPP table.

SAP GRC captures the following logs during a Firefighter session and creates an automated workflow request for log review by Firefighter ID controllers.

Transaction Logs: Retrieves transactions executed by the Firefighter ID from transaction STAD and then stores them in GRACACTUSAGE table

Change Logs: Retrieves all the change logs based on activities performed by the Firefighter ID from change document tables CDPOS, CDHDR and DBTABLOG and then stores them in GRACCHANGELOG table

System Logs: Retrieves all the system logs based on activities performed by the Firefighter ID from transaction SM21 and then stores them in GRACSYSTEMLOG table

Security Audit Log: Retrieves all security audit Logs for the activities performed by the Firefighter ID from transaction SM20 and then stores them in GRACAUDITLOG table

OS Command Log: Retrieves changes to OS commands by the Firefighter ID from transaction SM49 and then stores them in GRACOSCMDLOG table

Please connect and follow me for the next upcoming informative articles.

Cheers :)



Yuri Kuhn

IT Governance Coordinator at Suzano

1 month

Very useful information. Do you know which table stores the relation between the Firefighter request and the logs generated by that usage?

Qazi Ibrahim Azam

SAP GRC & Security Expert | SAP BTP, S/4HANA, IAG, ETD | SAP Access Control, Risk & Compliance | SAP Process Control, Audit, Governance & Cybersecurity

5 months

Very informative! This SAP GRC table rundown is a great starting point for beginners and a valuable refresher for experienced professionals.
