HowTo: List all SAP transaction codes in roles

Scenario: As part of your internal auditing or general processes, you require a list of all transactions that are assigned to roles.

At first glance this may seem easy. You could try the SUIM transactions, but you will find that you can only list one role at a time, so you cannot see all transactions assigned to all roles in one display.
The only ways to do this easily are the SAP internal query tools (such as QuickViewer) or the database tools directly.

Since SAP do not recommend accessing the database directly, it makes sense to use the SAP tools already provided.
If you do choose the direct database method, the query you need will look something like this:

SELECT agr_name,
       low,
       high
  FROM agr_1251
 WHERE agr_name = '<YOUR ROLE NAME>'
   AND object='S_TCODE';

We will use the SAP quickviewer (transaction SQVI) as this is the preferred method.
Unfortunately, the transaction has a downside, in that you can’t transport the query directly.
Instead, it’s possible to generate a program from the query, copy it and create your own “Z” report that you can transport.

In transaction SQVI, create a new query called “TCODES_IN_ROLE” or whatever you think is an appropriate name:

Add a description for the query and then add the fields:

Role Name (AGR_1251-AGR_NAME)
Authorization Value (AGR_1251-LOW)
Authorization Value (AGR_1251-HIGH)
Auth Object in User Master Maintenance (AGR_1251-OBJECT)

You can adjust the sort sequence on the “Sort Sequence” tab if you wish.

On the “Selection fields” tab, you can indicate which fields the user is able to use to narrow the query selection (set the predicates).

Save the query and then execute:

On the previous screen, the option to generate the program exists:

Choose the “Display report name” option (shown on the menu selection above) to display the name of the generated program:

Now display the report source code in SE38:

You can now copy the report to your own “Z” report and modify as required.
This can then be transported.

WARNING: Since this report exposes detailed information on the structure of your roles, you should ensure that you secure it by assigning it to an authorisation group accordingly.

HowTo: Query to show SAP roles and transaction codes by user

Scenario: You have been requested to provide a list of all roles currently assigned to your SAP user accounts, plus the transaction codes that are assigned to each role and user account.

HINT: To be able to do this within SAP, you can use the SAP QuickViewer (SQVI) to create a query and join the required tables. You could then generate a program and then copy it to create your own Z-report.

The following Oracle SQL*Plus query, run at the database level, produces a report containing the USERNAME, ROLENAME, TCODE_RANGE_START and TCODE_RANGE_END.

set linesize 500 pagesize 9999 newpage none recsep none
SELECT u.uname    USERNAME,
       r.agr_name ROLENAME,
       r.low      TCODE_RANGE_START,
       r.high     TCODE_RANGE_END
  FROM agr_1251 r,
       (select mandt,
               uname,
               agr_name
          from agr_users) u
 WHERE r.agr_name = u.agr_name
   AND r.mandt = u.mandt
   -- MANDT is a character column, so the client number is quoted
   AND r.mandt = '<YOUR CLIENT>'
   AND r.object = 'S_TCODE'
ORDER BY u.uname, r.agr_name, r.low, r.high;

NOTE: You should adjust “<YOUR CLIENT>” to be the client number you wish to check.

You should note that TCODE_RANGE_START and TCODE_RANGE_END could contain wild cards as per the usual methods of providing a range of values to an authorisation object in PFCG.
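
As an added example (not part of the original post), the following Python sketch takes rows in the column order of the report above and lists which user and role pairs cover each transaction on an audit watch list, expanding wildcards and ranges. The sample rows, role names and watch list are constructed, and the matching rules are a simplified assumption that errs towards reporting (`*` matches any run of characters; a filled TCODE_RANGE_END is an inclusive string range, and a trailing `*` there covers everything with that prefix), so confirm any hit in SUIM.

```python
import re

# Constructed sample rows in the column order of the report above:
# (USERNAME, ROLENAME, TCODE_RANGE_START, TCODE_RANGE_END). Not real data.
SAMPLE_ROWS = [
    ("ALICE", "Z_BASIS_ADMIN", "S*", ""),
    ("ALICE", "Z_DISPLAY", "SU01D", ""),
    ("BOB", "Z_FI_CLERK", "FB01", "FB09"),
    ("BOB", "Z_DISPLAY", "SU01D", ""),
    ("CAROL", "Z_DEV", "SE11", "SE8*"),
    ("DAVE", "Z_ALL", "*", ""),
]

# Hypothetical watch list; substitute the transactions your audit cares about.
SENSITIVE_TCODES = ["SE38", "SU01", "FB05"]


def pattern_matches(pattern, tcode):
    """Single value: '*' stands for any run of characters (assumed rule)."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, tcode) is not None


def row_grants(low, high, tcode):
    """True if one LOW/HIGH row covers tcode (simplified, errs towards reporting)."""
    low, high, tcode = low.strip().upper(), high.strip().upper(), tcode.upper()
    if not high:                          # blank HIGH: LOW is a single value or pattern
        return pattern_matches(low, tcode)
    lower = low.split("*", 1)[0]          # 'SE*' as a lower bound is read as 'SE'
    upper = high.split("*", 1)[0]
    if "*" in high:                       # 'SE8*' covers every code starting 'SE8'
        return lower <= tcode and tcode[:len(upper)] <= upper
    return lower <= tcode <= upper


def exposure(rows, tcodes):
    """Map each watched tcode to the sorted (user, role) pairs that grant it."""
    result = {t: set() for t in tcodes}
    for user, role, low, high in rows:
        for t in tcodes:
            if row_grants(low, high, t):
                result[t].add((user, role))
    return {t: sorted(pairs) for t, pairs in result.items()}


if __name__ == "__main__":
    for tcode, grants in exposure(SAMPLE_ROWS, SENSITIVE_TCODES).items():
        print(tcode, grants)
```

Feed it the spooled SQL*Plus output after splitting each line into its four columns; a blank TCODE_RANGE_END is handled whether it arrives as an empty string or as spaces.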