AGR_1252 Tables in SAP Security | How and where to use AGR_1252 tables | Careermod

AGR_1252 Tables in SAP Security | How and where to use AGR_1252 tables | Careermod

 



AGR_1252 is an SAP Security table that stores authorization values (field values) assigned to authorization objects inside a role.

In simple terms:

👉 AGR_1251 = Which authorization objects are in the role
👉 AGR_1252 = What values are assigned to those objects

 

Example: If a role contains object S_TCODE, AGR_1252 will show the TCODE values assigned.

 

When we need to use AGR_1252 table:

1. Check authorization field values inside a role

Example:

Which company codes are assigned?

Which activity values (01, 02, 03) are assigned?

Which TCodes are included?

 

2. Troubleshoot access issues

If a user has a role but still gets authorization errors, AGR_1252 helps you verify whether the correct values are maintained.

 

3. Analyze SoD (Segregation of Duties) risks

GRC tools often read AGR_1252 to check whether risky values exist in a role.

 

4. Compare two roles

You can compare field values between roles using AGR_1252.

 

5. Audit and compliance reporting

Auditors frequently request AGR_1252 extracts to validate role design.

 

 

 

 

You typically use AGR_1252 in:

 

1. SUIM (User Information System)

Role → Authorization → Field values

Role comparison

Authorization analysis

 

2. SE16 / SE16N / SE11

To directly view table contents.

 

How to View AGR_1252 in SAP (Step-by-Step)

 

Method 1: Using SE16/SE16N

Go to SE16/SE16N

Enter table name: AGR_1252 àPress Enter

Enter selection criteria:

AGR_NAME → Role name

OBJECT → Authorization object (optional)

Click on Execute (F8)

 

You will now see:

Field

               Meaning

AGR_NAME

Role name

OBJECT

Authorization object

FIELD

Authorization field

LOW

Field value (from)

HIGH

Field value (to)

 

 

 

 



Method 2: Using SUIM
(Mostly security consultants prefer to use SE16/SE16N)

Go to SUIM

Roles → By Authorization Values

Enter the object or field

Click on Execute

 

SUIM internally reads AGR_1252 to show results

 

Example Use Cases

1. Find all TCodes in a role

OBJECT = S_TCODE

FIELD = TCODE

 

2. Check company codes assigned

OBJECT = F_BKPF_BUK

FIELD = BUKRS

 

3. Check activity values

OBJECT = S_TABU_DIS

FIELD = ACTVT

 

AGR_1252 vs AGR_1251 (Quick Comparison)

Table     Purpose

AGR_1251          Authorization objects inside a role (What objects exist in a role?)

AGR_1252          Field values assigned to those objects (What values do those objects allow?)




 


Previous Post Next Post