Governance, Risk and Compliance
Page tree
Skip to end of metadata
Go to start of metadata

Purpose

This document is to explain the details on how the change data is captured as a part of Firefighter login session. This explains what Tables and Function Modules are called to capture the changes made under any transaction.

Overview

Firefighter application tracks the activity performed during the Firefighter Login session. For any change activity performed during the Firefighter logon session, the application pulls the change logs from the SAP Standard Tables like CDHDR and CDPOS. Here is the detailed description of the Function Modules used to fetch the change data.

Please note: Changes done via SE16N are usually logged in table SE16N_CD_DATA and SE16N_CD_KEY.

Table logs are currently not part of the Firefighter logs, but can be evaluated via RSTBHIST (report). Kindly monitor for the updates via SAP notes if this data would be captured by GRC in future.

SAP Statistical file STAD, along with standard SAP Function Modules

Firefighter Background job "/VIRSA/ZVFATBAK" in 5.3 and "GRAC_SPM_LOG_SYNC_UPDATE" in 10.0, picks the data from STAD file and some other tables and stores this data in the GRC Firefighter tables.

The Firefighter background job captures three types of logs. Below is the detail on three types of logs captured by the Firefighter background job:

  • Session Log usually referred to as 'slog'.

Session log provides information related to the Login Date and Time of all the Firefighters for a given FFID.

  • Transaction Log referred to as 'tlog'. It relates to the transactions TCODES executed by a Firefighter during the Firefighter login session using a particular FFID.
  • Change Log relates to all the Changes made under the transactions TCODES executed by a Firefighter during the Firefighter session, using a particular FFID. This is commonly referred to as 'clog'.

Logic for Fetching the Change Log data.

"/VIRSA/ZVFATBAK" for 5.3 and "GRAC_SPM_LOG_SYNC_UPDATE" in 10.0 captures the Change Log data 'clog' for basic Transactions i.e. PFCG, SU01 & SE38.

The Change Log data is captured using the Standard SAP Function Module "CHANGEDOCUMENT_READ". In addition to this, below is the detail on how the change data is captured for the transactions like PFCG, SU01 & SE38:

- PFCG : Data for PFCG is picked in two phases.

First Phase the data is picked from following tables:

  AGR_DEFINE - First this table is checked for last time of change.
  USH10 - Then we check this table for change history of Auth Profiles for checking 'Last Changed by'.
  AGR_1016B - Then we pick data from this table based on output of table USH10. Since there were none in above example, so no data is picked from this table in above example.

Second Phase data is picked using SAP standard function module:

CHANGEDOCUMENT_READ

- SU01: Data for SU01 is also picked in two phases.

 First Phase the data is picked from following tables:

  USH02 - This table contain Change history for logon data.
  USH04 - This table contain Change history for authorizations.

  USR04 - This table contain which were the user changed by FF id

Second Phase data is picked using SAP standard function module:

CHANGEDOCUMENT_READ

- SE38: Data for SE38 is also picked in two phases.

First Phase the data is picked from STAT file.

Second Phase data is picked using SAP standard function module:

CHANGEDOCUMENT_READ.

Related Content

Related Documents

Related Notes

SAP Note 1394281: Superuser Privilege Management Log Report Content

  • No labels