SAP GRC Access Control Tables

Posted by Andrea Mazzolani on Jan 6, 2023 8:15:00 AM
Andrea Mazzolani

Which are the tables of the SAP GRC Access Control product useful to know (out of the existing 2500)?


SAP GRC Tables

How could they be useful in your daily activities? When instead shouldn't they be used?


SAP GRC Access Control

Did you forget what this tool is used for? Read here.


Access Risk Analysis (ARA)

In this SAP GRC Access Control module, the rule matrix (ruleset) is the most important part:

  • GRACFUNC - Function
  • GRACFUNCT - Function Description Translations
  • GRACFUNCACT - Function Action Relationship
  • GRACFUNCPRM - Function Action Permission relationship
    • Where ACTIVE = X means that the row is active




  • GRACSODRISKFUNC - SOD Risk Function Relationship
  • GRACRULESET - Rule Set
  • GRACRULESETT - Rule Set Description
  • GRACORGRULE - Organization Rules
  • GRACACTRULE - SOD Action Rule Detail
  • GRACSODRISKT - SOD Risk Description
    • RISKTYPE = 1: SOD, 2: Critical Action, 3: Critical Permission




  • GRACMITROLE - Role mitigating control assignment
  • GRACMITUSER - User mitigating control assignment
  • GRACCRPROFILE - Critical Profile Rule
  • GRACCRROLE - Critical Role Rule
  • GRACBPROC - Business Process
  • GRACBPROT - Business Process Description
  • GRACMGRISKD - Risk Analysis Mgmt Sum data for Batch Risk Analysis.
  • HRP5320 - Defined mitigation controls
  • HRT5320 - Defined mitigation controls
  • GRACUSERPRMVL - User Permission Violation Table




Emergency Access Management (EAM)

In this SAP GRC Access Control module, the management of the super users or super roles is the most important part:

  • GRACFFLOG - Details related to Firefighter ID Log On Information
  • GRACFFREPMAPP - FFLOG and Repository Mapping for Firefighters
  • GRACACTUSAGE - Action Usage
  • GRACAUDITLOG - Security Audit Log table
  • GRACSYSTEMLOG - System Security Log table
  • GRACCHANGELOG - Data Change Log table
  • GRACREASONCOD - Master table for Reason Codes
  • GRACREASONSYS - Reason Code and System assignments
  • GRACFFCTRL - Maintain assignment of FF ID or Role to Controllers
  • GRACFFOBJECT - Maintain SPM Firefighter ID and Role details
  • GRACFFUSER - Maintain SPM Firefighter Assignment to FF ID/Roles


Business Role Management (BRM)

In this SAP GRC Access Control module, the roles management is the most relevant part:

  • GRACROLE - Role
  • GRACROLEAPPRVR - Role Approver
  • GRACROLESTATUS - Role Status Table
  • GRACROLETYPE - Role Type Table
  • GRACMTH - GRC Methodology
  • GRACMTHT - GRC ERM Methodology Text


Access Request Management (ARQ)

It is a component to manage the operational workflows inside the Access Control suite. This part is managed through the usage of Business Rule Framework BRF+ and of the work framework called MSMP - Multi Stage Multi Path.


  • GRACREQ - Request Header
  • GRACREQPROVITEM - Line Items Associated with Request
  • GRACREQUSER - User Associated with Request
  • GRACEUPCONFIG - End User Personalization Fields
  • GRFNMWCNROUTE - MSMP Route Mapping
  • GRFNMWCNSDEF - MSMP Stage Definition
  • GRFNMWRTAPPR - Current approver of Access Request (GRFNMWRTSTAPPR  only during runtime)
  • SWWUSERWI - Task ID assigned to users
  • HRUS_D2 - Delegation table


GRC Access Control Foundation

Some tables are shared between different modules, like the following:

  • GRACCONFIG - Configuration Parameter Table




  • GRACOWNER - Master table for Central Owner Administration
  • GRACTASKEXECSTMP - Executed background jobs Table, here you can find the last date of execution of the synchronization jobs
  • GRPCPHIO - GRC: Instances of Physical Information Objects, here you can find the information about the attachments to the requests


When is it useful to use and when they aren't?

In my opinion it's useful to use and know the tables for activities like troubleshooting and uploaded data.


It makes sense to create alternative reports to the standard ones? It depends. It could be useful as a control activity of the GRC configuration or to anticipate potential problems like:

  • Usage of roles without approvers in approval-based workflows
  • Problems in the SoD Matric (ruleset) read here for more information on the sod matrix
  • To verify the EAM configuration for the management of the super users


Basing further processes on data extractions from the tables directly inside the GRC system is probably non the best solution. It's not possible to immediately guarantee, in case of update or modifications of the system, the original result of the extractions.


What do I mean with that?


If I create an approval process outside of the GRC system but it's based on the information inside the system, these last ones in the phases of upgrade or modifications to the GRC system logics could change. Therefore, the initial requisite of the approval process could fail.


Iscriviti al blog se ancora non lo hai fatto!



Blog post originally translated from:


Topics: tabelle SAP grc access control, sap grc tables

Yes Subscribe!

Blog Aglea, what you could find out?

Every Friday a new post, interview or content related to SAP Security.

  • Tips on how to design SAP Security
  • How to
  • Checklist
  • Common error and pitfall on security SAP
  • Interview with experts
  • Who we are and Aglea vision on SAP Security

Recent Posts

Post By Topic

See all