Skip to Content

Extracting authorization matrix from existing system

Dear friends,

Need your help for extracting authorization matrix from existing SAP ECC6.0 EHP7 system.


Our customer separated from parent company and built there own landscape using SAP system copy (heterogeneous). They got all specific data carved out from earlier SAP ECC system.

Now the earlier parent company has not provided any documentations of any process, customer do not have any authorization matrix and in absence of this dealing with security is really getting difficult.

Customer was asking me if there is a way out to fetch authorization matrix kind of stuff from the system itself. We can get some information that I'm aware of but fetching a whole lot of authorization matrix ?? I'm not sure how can we get this.

Please if someone can help me out with this.

Thanks in advance,


Add comment
10|10000 characters needed characters exceeded

  • Get RSS Feed

1 Answer

  • Jan 20, 2017 at 02:32 PM

    Hi Sujit,

    For starters you could download tables AGR_USERS and AGR_TCODES for all roles in AGR_USERS. With that you'll have input for a user-role matrix as well as a role-transaction matrix. AGR_1252 can also be usefull to see if and how the organizational structure is incorporated in the roles.


    Add comment
    10|10000 characters needed characters exceeded

    • I was going to suggest same thing to reverse engineer the design from key tables

      I would be doing a quick check of manual S_TCODE in AGR_1251 before relying on AGR_TCODES

      The other bit is to check AGR_DEFINE for imparting vs derived. If a role naming convention has been used might be able to see the pattern and then cross check AGR_1252 data for organisational splits

      Finally, AGR_1251 to look for non activity and non-asterisk values might provide an idea of specific areas that are being restricted (e.g. document types)