Business documents/entities in SAP GRC use a common transaction manager to persist changes to their data model. This is realized by common interfaces, and the entity implementations are responsible for their own buffer and persistency management through these interfaces.

The GRC Entities like PROCESS, RISK etc. are enumerated in table GRFNENTITY.

You can also check maintenance view GRFNVENTITY in SM30 to see the entities together with their descriptions and settings.

The GRFNENTITY table has several key information from development perspective:

  • entity_id : grfn_api_entity_id <— RISK, PROCESS etc.
  • api_class : grfn_class_name; <— API class to work with the entity
  • component : grfn_app_component; <— RM, like Risk Management etc.
  • ci_name : grfn_ci_name; <— Customer include structure
  • ci_name_rep : grfn_ci_name_rep; <— Customer include structure for reporting

The easiest way of understanding how this – another one entity framework implemented again by SAP – works is showing some simple examples. Here is a sample report explaining the basics of SAP GRC programming.
Constants for programming GRC entities can be found in type pool grfn0_c_entity.

*&---------------------------------------------------------------------*
*& Report zsapdev_grc_api
*&---------------------------------------------------------------------*
*& Working with GRC Entity APIs - the basics
*&---------------------------------------------------------------------*
*& Author: Attila Berencsi, sapdev.eu
*& github.com/attilaberencsi
*&---------------------------------------------------------------------*
REPORT zsapdev_grc_api.

PARAMETERS:
  p_entity TYPE grfnentity-entity_id OBLIGATORY DEFAULT 'RISK', "Entity ID (Name)
  p_obj_id TYPE c LENGTH 32 OBLIGATORY DEFAULT '59999999'. "Entity key

START-OF-SELECTION.

  TRY.
      "---GENREIC API CODING---

      "GRC API Object ID is combination of the entity ID + a key value (NUMBER / GUID)
      DATA(grc_object_id) = CONV grfn_api_object_id( |{ p_entity }{ cl_grfn_api_ident=>c_separator_entity }{ p_obj_id }| ).

      "Get Entity ID from Object ID
      DATA(entity_id) = cl_grfn_api_ident=>get_entity_id( grc_object_id ).

      "Initialise transaction buffer of entity changes
      DATA(session) = cl_grfn_api_session=>open_daily( )."cl_grfn_api_session

      "Instantiate an API class of the given entity configured in SM30 GRFNVENTITY
      DATA(api_basis_if) = session->get( iv_object_id = grc_object_id ). "CL_GRRM_API_RISK implementing if_grfn_api_basis

      "All the entity API classes inherit from base class CL_GRFN_API_BASIS, which provides some basic features
      " like Managing notes attached to variety of entities.
      DATA(api_basis) = CAST cl_grfn_api_basis( api_basis_if ).

      DATA(note_api) = api_basis->if_grfn_api_basis~get_notes_history_api( ).

      note_api->add(
        iv_text          = |Comment 4|
        iv_regulation_id = if_grfn_api_regulation=>gc_gen_reg_rm
      ).


      "---ENTITY SPECIFIC API CODING---
      DATA(risk_if) = CAST if_grrm_api_risk( api_basis_if ).
      risk_if->retrieve(
        EXPORTING
          iv_editable = abap_true "select for update (lock)
        IMPORTING
          es_risk_data    = DATA(risk_data)
          es_risk_status  = DATA(risk_status)
          es_risk_attr    = DATA(risk_attr)
      ).

      risk_data-risk_title = |Yogi Bear|.

      risk_if->update(
        EXPORTING
          is_risk_data        = risk_data
          iv_full_check       = abap_false
      ).

      "Persist transaction =  invokes all API Model classes registered in the session to save data
      session->save( ).
      session->close( )."Useless

    CATCH cx_grfn_exception INTO DATA(ex_api). " Generic GRC API exception
      DATA(messages) = ex_api->status.
      BREAK-POINT.
  ENDTRY.


  "Not all entities have human readable IDs however, like Cases. The Object ID contains the entity ID+GUID combo, this method returns You the GUID
  "DATA(guid) = cl_grpc_api_services=>get_guid( object_id ).

Look in and around the API classes what else You can do with an entity, like queries, actions and validations.