Non-archiving solution for GRACAUDITLOG data cleanup in SAP GRC

Objective: The purpose of this blog is to explore non-archiving solutions for cleaning up GRACAUDITLOG data in SAP GRC. It aims to provide SAP GRC professionals with effective strategies to manage and reduce the size of the GRACAUDITLOG table, enhancing system performance without relying on traditional data archiving methods. By the end of this blog, readers will have gained insight into alternative proactive cleanup methods and best practices for maintaining an optimized and efficient GRC system.

Problem Statement: The GRACAUDITLOG table is reaching around 1 billion records in SAP GRC due to the accumulation of audit log data. This can lead to several issues, such as decreased system performance, increased storage costs, and longer processing times for audits and reports. While traditional archiving methods are commonly used to manage this data, they may not always be suitable or sufficient for organizations that need to retain specific audit logs for compliance or reporting purposes. The challenge lies in finding efficient, non-archiving solutions to clean up and manage the GRACAUDITLOG table without compromising system performance, data integrity or compliance requirements.

Analysis:

We analyzed the root cause of this problem and found an alternative solution to overcome this challenge. Apart from the archiving method, there is an SAP standard program in GRC, GRAC_SPM_CLEANUP, which deletes data from the GRACAUDITLOG table.

Further, I checked the program's functionality and found that GRAC_SPM_CLEANUP deletes all data from some EAM-related database tables irrespective of the given selection criteria. This happens only if you run the program in change mode and the logic cannot find the given entries in the respective database table. To fix this issue in GRC12 SP17, implement the correction SNOTE 0003427520 in your GRC system.

However, caution is recommended in the usage of the GRAC_SPM_CLEANUP program. This program deletes audit-relevant information from EAM-related tables, without any possibility of restoring the data.

Instead of this program, we could use the GRACEAM archiving solution to remove the data from the GRACAUDITLOG table. This is a safe and compliant way to remove data from the EAM tables. You can check the corresponding tables in the SARA transaction: select “GRACEAM” as the archiving object and press the “Database Tables” button.

Solution:

To address the challenges associated with the growing GRACAUDITLOG table in SAP GRC, SAP has delivered a standard program, GRAC_SPM_CLEANUP, which deletes entries from SAP standard tables, mainly those related to EAM. During our initial testing, we identified a bug in the program: even when a specific SAP system is provided, the program deletes data for all SAP systems. To fix this bug, implement the SNOTE below, so that EAM-related data is deleted only for a specific connector and a specific timestamp.

3427520 – GRAC_SPM_CLEANUP report delete whole database table unexpectedly

By adopting this non-archiving solution, organizations can maintain optimal system performance, control storage costs and ensure compliance without relying solely on traditional archiving methods.

Precaution: The GRAC_SPM_CLEANUP program is very sensitive: anyone with an FFID can execute it and wipe out system data, so make sure that no one is able to execute it with either their own ID or an FFID. As a precautionary measure, restrict this program at role level: create a specific role for this program, remove it from all other roles, and assign that role only on demand, with approval from the GRC owner.

Testing:

Perform testing with the following scenarios to ensure that the program works as expected.

| Test# | Test Scenario | Test result |
|---|---|---|
| 1 | Delete SPM logs for a specific connector only | FF logs are deleted only for the selected connector. |
| 2 | Delete SPM logs for a specific timestamp range only | FF logs are deleted only for the selected timestamp range. |
| 3 | Delete SPM logs for a specific connector and timestamp | FF logs are deleted for the selected connector and timestamp. |
| 4 | Delete SPM logs irrespective of connector and timestamp (run in test mode only) | Run this in test mode only, where it works as expected; do not run it in change mode. |
| 5 | Check whether the FF log is deleted from the FF log review workflow | FF logs are deleted from the log review workflow. |
| 6 | Check which tables are impacted apart from GRACAUDITLOG | Impacted tables: GRACFFLOG, GRACAUDITLOG, GRACFFREPMAPP, GRACSYSTEMLOG, GRACCHANGELOG, GRACOSCMDLOG. Not impacted tables: GRACFFUSER, GRACFFOWNER, GRACFFCTRL, GRACACTUSAGE, GRACFFOBJECT. |
| 7 | Check which reports are impacted when SPM logs are deleted | The following reports are impacted: Firefighter Log Summary Report; Transaction Log and Session Details. |
| 8 | Delete multiple SPM logs for a specific connector and timestamp | Multiple FF log IDs are deleted for the specific connector and timestamp. |
| 9 | Restrict access to the GRAC_SPM_CLEANUP program for users/FFIDs | No one should be able to execute it with either their own ID or an FFID. |

Impacted tables: As part of the GRACAUDITLOG table cleanup, EAM log data can be deleted in the GRC system for a specific connector and timestamp by executing the GRAC_SPM_CLEANUP program. However, the following tables are also impacted.

GRACFFLOG

GRACFFREPMAPP

GRACAUDITLOG

GRACCHANGELOG

GRACSYSTEMLOG

GRACOSCMDLOG
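
To check test scenarios 1 to 3 across all impacted tables, the sketch below compares row snapshots taken before and after a change-mode run and reports anything deleted outside the selection. It is an added example, not SAP code or part of the original post; the (table, connector, timestamp, key) row layout, the connector names and the sample rows are assumptions constructed for illustration.

```python
from collections import Counter
from datetime import datetime

# Tables the post lists as impacted by GRAC_SPM_CLEANUP.
IMPACTED = {"GRACFFLOG", "GRACFFREPMAPP", "GRACAUDITLOG",
            "GRACCHANGELOG", "GRACSYSTEMLOG", "GRACOSCMDLOG"}

def in_scope(row, connector=None, start=None, end=None):
    """True if a (table, connector, timestamp, key) row matches the selection."""
    table, conn, ts, _key = row
    return (table in IMPACTED
            and (connector is None or conn == connector)
            and (start is None or ts >= start)
            and (end is None or ts <= end))

def audit_cleanup(before, after, connector=None, start=None, end=None):
    """Compare snapshots taken before and after a change-mode run.

    Returns (collateral, leftovers): rows deleted although outside the
    selection, and in-selection rows that still exist afterwards.
    """
    if connector is None and start is None and end is None:
        # Test scenario 4: an unrestricted run stays in test mode only.
        raise ValueError("unrestricted selection: not a valid change-mode run")
    remaining = Counter(after)
    deleted = (Counter(before) - remaining).elements()
    collateral = sorted(r for r in deleted if not in_scope(r, connector, start, end))
    leftovers = sorted(r for r in remaining if in_scope(r, connector, start, end))
    return collateral, leftovers

def _row(table, conn, ts, key):
    return (table, conn, datetime.fromisoformat(ts), key)

# Constructed snapshot; connector names, keys and row layout are assumptions.
BEFORE = [
    _row("GRACAUDITLOG", "ECCCLNT100", "2023-01-10T08:00:00", "A1"),
    _row("GRACAUDITLOG", "ECCCLNT100", "2024-03-01T09:30:00", "A2"),
    _row("GRACAUDITLOG", "S4HCLNT200", "2023-01-12T11:15:00", "A3"),
    _row("GRACFFLOG", "ECCCLNT100", "2023-01-10T08:00:00", "F1"),
    _row("GRACFFLOG", "S4HCLNT200", "2023-01-12T11:15:00", "F2"),
    _row("GRACFFUSER", "ECCCLNT100", "2023-01-10T08:00:00", "U1"),
]
START, END = datetime(2023, 1, 1), datetime(2023, 12, 31, 23, 59, 59)

if __name__ == "__main__":
    good = [r for r in BEFORE if not in_scope(r, "ECCCLNT100", START, END)]
    for label, after in (("scoped run", good), ("whole-table wipe", [])):
        collateral, leftovers = audit_cleanup(BEFORE, after, "ECCCLNT100", START, END)
        print(label, [r[3] for r in collateral], [r[3] for r in leftovers])
```

A non-empty collateral list after a restricted run is the behaviour SNOTE 3427520 is meant to correct; a deleted row in a table from the "not impacted" list is reported the same way.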

Conclusion:

In summary, if the data in table GRACAUDITLOG keeps growing in the GRC system, it has a direct impact on system performance, because the memory available on the server is limited. To avoid this issue we can archive the data; here, however, we are exploring options other than archiving. There is an SAP standard program, GRAC_SPM_CLEANUP, which deletes all data from some EAM-related database tables irrespective of the given selection criteria (connector and timestamp). Depending on your GRC version and SP level (in my case GRC 12.0 SP17), implement the correction SNOTE so that the program deletes EAM-related data only for a specific connector and a specific timestamp.

However, caution is recommended in the usage of the GRAC_SPM_CLEANUP program. This program deletes audit-relevant information from EAM-related tables, without any possibility of restoring the data.
