How to find out who has access to a particular tcode in an SAP system?
This article answers the following queries:
- How to find out who has access to a particular tcode in an SAP system?
- How to find out which user IDs have access to a transaction in an SAP system?
- How to use the SUIM tcode to identify users who have access to a particular transaction in an SAP system?
In some real-world scenarios there is an emergency, for example a table has to be changed but the end user concerned does not have access to change tables. They may then approach the basis administrator or security (authorization) consultant to identify the users who do have that access, so that they can ask them to make the change. So you should be able to identify those users and confirm them to the business users.
In general, a basis/authorization consultant should be able to identify all user IDs that have access to a particular tcode. This can be done in the following way.
In this example, I demonstrate how to identify all the users who have access to SE16 in a given SAP system.
Log in to the SAP system and go to transaction SUIM as shown below:
In the above screen, navigate to User -> Users by complex selection criteria -> By Transaction Authorizations (This is highlighted in the). Select it and press F8 or click the clock symbol (highlighted) to execute. This results in the next screen, as below:
In the above screen, type the transaction code for which you would like to find the users who have access. In our example, it is SE16.
Once you have entered the transaction code, click the highlighted clock button. The following screen displays the list of users who have access to SE16 in this SAP system.
To find out who has access to a particular TCode (Transaction Code) in an SAP system, you can use standard SAP transactions and tables. Below are multiple methods depending on your role and authorization in SAP:
How to Find Users with Access to a Particular TCode in SAP
✅ Method 1: Using SUIM (User Information System)
Steps:
- Go to Transaction SUIM
- Navigate to: Users → By Complex Selection Criteria → By Transaction Authorization
- Enter the TCode (e.g., VA01, SE38, etc.)
- Execute (F8)
You’ll get a list of all users who have access to that transaction via their roles.
✅ Method 2: Using Table AGR_1251 and AGR_USERS
If you're familiar with SAP tables or using SE16N/SE11:
Step 1: Find Roles with Access to TCode
- Go to SE16N
- Enter table name: AGR_1251
- In field S_TCODE, enter the transaction code (e.g., VA01)
- Execute
- This shows you all roles that include the TCode
Step 2: Find Users Assigned to These Roles
- Go to SE16N
- Enter table name: AGR_USERS
- Enter the roles you got from the previous step
- Execute
- This gives you the list of users assigned to those roles
✅ Method 3: Using SUIM → Roles by Transaction Assignment
You can reverse the logic:
- SUIM → Roles → By Transaction Assignment
- Enter your TCode
- Find roles, then use SUIM → Users by Role to get assigned users
✅ Bonus: Using PFCG (Role Maintenance)
- Go to PFCG
- Enter a role and click Display
- Under the Menu or Authorizations tab, see if the TCode is included
- Click User tab to see assigned users
Tips for Accuracy
- Remember: A user having a TCode in their role does not guarantee execution access. Authorization objects (like S_TCODE, S_USER_TCD, etc.) also matter.
- Run SU53 after execution denial to debug access issues.
- Use ST03N to check who actually executed the TCode (useful for audit).
Here are the Top 10 Frequently Asked Questions (FAQs) on the topic: "How to find out who has access to a particular TCode in SAP system?"
1. How can I find out which users have access to a specific TCode in SAP?
Answer: Use transaction code SUIM (User Information System) → Roles → By Transaction Assignment, then input the TCode. You can then find roles that have access to it, and which users are assigned those roles.
2. Which transaction code is used to check user access for a TCode?
Answer:
- SUIM – For checking users, roles, and TCode assignments
- SE93 – To check the technical details of a TCode
- PFCG – To review roles and authorizations
- ST03N – To check who executed a TCode historically
3. Can I directly find a list of users who can execute a specific TCode?
Answer: Not directly. You need to:
- Identify roles that include the TCode (SUIM → Roles by TCode)
- Find users assigned to those roles (SUIM → Users by Role)
4. What are the limitations of using SUIM for checking TCode access?
Answer: SUIM shows static role assignments, not runtime access. It doesn't consider conditional access (e.g., Organizational Level values or S_TCODE authorization combined with other objects). A user might technically have the TCode in a role but may still not be able to execute it due to restrictions.
5. How can I check if a user executed a particular TCode?
Answer: Use ST03N (Workload Analysis) or SM20 (Security Audit Log) to view historical TCode usage per user.
6. Is there a report or table that stores TCode access by user?
Answer: Not directly. You can refer to:
- AGR_1251 – TCodes and authorization objects in roles
- AGR_USERS – Users assigned to roles
- UST12 – Authorizations
But you'll need to combine data for meaningful results.
7. Can I use SAP Queries or custom reports for this?
Answer: Yes. Many companies create custom Z-reports or SQVI/SQ01 queries that join tables like AGR_1251, AGR_USERS, and S_TCODE to report TCode access by user.
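The two-step lookup from Method 2 and the table combination described in FAQs 6 and 7, as an added Python example over exported rows (not code from the original article or from SAP). In AGR_1251 the authorization object S_TCODE sits in the OBJECT column with the transaction value in LOW/HIGH of field TCD; the role names, user names and rows below are constructed, and treating * only as a trailing wildcard is an assumption.

```python
from datetime import date

# Constructed sample rows shaped like SE16N exports of AGR_1251 and AGR_USERS.
# Column names are the tables' fields; role and user names are made up.
AGR_1251 = [
    {"AGR_NAME": "Z_SALES_CLERK", "OBJECT": "S_TCODE", "FIELD": "TCD", "LOW": "VA01", "HIGH": "", "DELETED": ""},
    {"AGR_NAME": "Z_DATA_BROWSER", "OBJECT": "S_TCODE", "FIELD": "TCD", "LOW": "SE11", "HIGH": "SE17", "DELETED": ""},
    {"AGR_NAME": "Z_BASIS_ADMIN", "OBJECT": "S_TCODE", "FIELD": "TCD", "LOW": "S*", "HIGH": "", "DELETED": ""},
    {"AGR_NAME": "Z_OLD_SUPPORT", "OBJECT": "S_TCODE", "FIELD": "TCD", "LOW": "SE16", "HIGH": "", "DELETED": "X"},
    {"AGR_NAME": "Z_SALES_CLERK", "OBJECT": "V_VBAK_AAT", "FIELD": "AUART", "LOW": "*", "HIGH": "", "DELETED": ""},
]
AGR_USERS = [
    {"AGR_NAME": "Z_SALES_CLERK", "UNAME": "ASMITH", "FROM_DAT": "20230101", "TO_DAT": "99991231"},
    {"AGR_NAME": "Z_DATA_BROWSER", "UNAME": "BJONES", "FROM_DAT": "20230101", "TO_DAT": "99991231"},
    {"AGR_NAME": "Z_DATA_BROWSER", "UNAME": "CLEE", "FROM_DAT": "20220101", "TO_DAT": "20221231"},
    {"AGR_NAME": "Z_BASIS_ADMIN", "UNAME": "DKHAN", "FROM_DAT": "20230101", "TO_DAT": "99991231"},
    {"AGR_NAME": "Z_OLD_SUPPORT", "UNAME": "EWONG", "FROM_DAT": "20230101", "TO_DAT": "99991231"},
]

def value_covers(low, high, tcode):
    """True if one S_TCODE/TCD value (single, LOW..HIGH range, or trailing *) covers tcode."""
    if high:
        return low <= tcode <= high
    if low.endswith("*"):  # assumption: * is used only as a trailing wildcard
        return tcode.startswith(low[:-1])
    return low == tcode

def roles_granting(tcode, agr_1251):
    """Step 1: roles whose active (not deleted) S_TCODE authorization covers the tcode."""
    return {r["AGR_NAME"] for r in agr_1251
            if r["OBJECT"] == "S_TCODE" and r["FIELD"] == "TCD"
            and r["DELETED"] != "X" and value_covers(r["LOW"], r["HIGH"], tcode)}

def users_with_tcode(tcode, agr_1251, agr_users, on):
    """Step 2: users whose assignment to such a role is valid on the date, with those roles."""
    roles = roles_granting(tcode, agr_1251)
    day = on.strftime("%Y%m%d")  # same YYYYMMDD form as FROM_DAT / TO_DAT
    result = {}
    for a in agr_users:
        if a["AGR_NAME"] in roles and a["FROM_DAT"] <= day <= a["TO_DAT"]:
            result.setdefault(a["UNAME"], set()).add(a["AGR_NAME"])
    return result

if __name__ == "__main__":
    hits = users_with_tcode("SE16", AGR_1251, AGR_USERS, date(2024, 6, 1))
    for user, roles in sorted(hits.items()):
        print(user, sorted(roles))
```

A literal search for SE16 in LOW would return only the deleted Z_OLD_SUPPORT entry and miss the range and wildcard roles that actually grant it. The result is still a static role view, so the limits listed under Tips for Accuracy apply.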
8. How do I check TCode access across clients or systems?
Answer: You need to log in to each client/system and perform the same SUIM analysis or use centralized tools like SAP GRC (Governance, Risk, and Compliance) for cross-system analysis.
9. What if the TCode is assigned through a derived role?
Answer: The access is still valid. Check the parent role (composite or derived) and then trace user assignments using AGR_USERS and AGR_DEFINE.
10. How to export the list of users with access to a TCode?
Answer: After using SUIM to find users or roles, click the "Export" button (or List → Export) to download the results in Excel, text, or clipboard format.
To summarize, the most straightforward way for functional users or auditors is via SUIM. For detailed technical or mass reporting, using AGR_1251 and AGR_USERS tables provides more flexibility.
Let me know if you'd like an SQL script, report version, or step-by-step screenshots for any of the above steps.