[ How to build an SAP security role matrix ]

This guide will show how to build an up to date SAP security role matrix of existing roles in an SAP system which can then be easily distributed to the business for review.

  1. Create a test composite role: ZC_TEST using PFCG
  2. Assign all the required single roles. (e.g: Z*)

  1. Save
  2. Run transaction SUIM
  3. Transactions executable for role

  1. Enter ZC_TEST
  2. Get the complete list of transactions and paste in excel.

  1. Get a list of the required roles as added to the ZC_TEST composite role.
  2. Have the transactions as rows and the roles as columns.



  1. Get role details:
    1. SE16N
    2. Table: AGR_1251
      1. Role: Z*
      2. Object: S_TCODE
  1. Copy data into another worksheet (role data)


In a new column concatenate the role name and transaction using the ‘&’ operator. e.g: A1&B1

Also add a new column next to the above with just ‘X’ – This will be the value placed in the matrix.

  1.  Use the following formula to populate the matrix:

=IF(COUNTIF(Role_Data!$C$1:$D$3548,$C$1&$A3),VLOOKUP($C$1&$A3,Role_Data!$C$1:$D$3548,2,FALSE)," ")

Note: Formulas take a long time to calculate and when lots of formulas are used as in this case the spreadsheet becomes unusable. It is advised to copy the content into another spreadsheet.

You now have a complete up to date role matrix.