
user lock

Former Member
0 Kudos

Hello experts,

How can we lock all users, leaving out the standard users like DDIC, SAP*, EARLYWATCH and SAPCPIC,

without using SU10?

regards,

kavitha

12 REPLIES 12

jurjen_heeck
Active Contributor
0 Kudos

Why "without using SU10"?

Former Member
0 Kudos

Hi Kavitha,

Go to SE38 -> enter EWULKUSR and execute.

Then click on "choose user", check the users you don't want to lock and then save it.

After saving, click on "lock users".

It will lock all the users that you have not selected.

Alternatively,

run tcode EWZ5; it will take you to the same screen.

regards,

tarun

Former Member
0 Kudos

Hi Kavitha,

There is one more way to lock the users: by using the USR02 table.

In the USR02 table, you can update the UFLAG field, which indicates whether the user is locked.

0 User not locked

32 (Hex 20) Locked by CUA central administrator

64 (Hex 40) Locked by administrator

128 (Hex 80) Locked after failed logon

If you update the same field for all standard users in the table,

then the users get locked automatically.

0 Kudos

> In USR02 table , u can update the UFLAG field which indicated , whether the user is locked.

Sneha,

Do you think it is correct to directly, manually update an SAP standard table?

0 Kudos

...looking forward to the next audit.....

Have fun....

0 Kudos

I can hear chanting and the sound of coconuts being knocked against each other...

0 Kudos

> ...looking forward to the next audit.....

> Have fun....

Yups, I agree with Bernhard, direct updates in SAP tables are not a good practice, especially when you have audit folks running around.

Former Member
0 Kudos

Hi,

Just adding some more to this....

You can also use the function module "SUSR_USER_LOCK" to lock users and "SUSR_USER_UNLOCK" to unlock.

A custom development with these two function modules is also a good option.

By the way, why do you want a hard way out when you have SAP's easy way out ("without using SU10")?

Regards,

Zaheer

0 Kudos

> You can also use function module "SUSR_USER_LOCK" to lock users and "SUSR_USER_UNLOCK" to unlock.

You should use BAPI_USER_LOCK and BAPI_USER_UNLOCK.

> A custom development with these two function module is also a good option.

See transaction BAPI (Basis => Security).

> By the way, why you want a hard way out when you have the SAP's easy way out. ("without using SU10") ?

You might want to take a more granular control of the locking / unlocking (e.g. the user type... in addition to the user group) than what SU10 offers. Or possibly, you don't want to lock users for whom the account validity is not (yet) valid. You can code those requirements into your custom application, before you call the BAPI.

Cheers,

Julius

0 Kudos

Agreed.

We also have a custom program built to have all IDs locked in the system except standard SAP IDs and a couple of support team IDs for regular system maintenance activities.

It all depends on what Kavitha is looking for..

Regards,

Zaheer

0 Kudos

Hi all,

Thanks for all your answers.

But my doubt was: if we have some 5000 users, in that case I think it will be a bit hard to do it from SU10.

So do SUSR_USER_LOCK and BAPI_USER_LOCK lock only users, leaving the SAP standard users?

regards,

kavitha

0 Kudos

The BAPIs will do exactly that which you tell them to do, if this is correct and you are authorized to.

So, you can select all users of type dialog from known "end user" user groups into an internal table (see function module BAPI_USER_GET_LIST) and then lock all users in the internal table (perhaps after explicitly deleting DDIC, SAP* and yourself from the internal table - just to be safe).

There is also a blog and some posts here with more information about BAPI's for user administration by

Julius
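
The procedure described in the last reply (select dialog users from an end-user group with BAPI_USER_GET_LIST, remove the protected accounts, then call BAPI_USER_LOCK), as an added ABAP example that is not code from the thread. The report name, the default user group ENDUSER and the test-run checkbox are assumptions; the report also assumes that selection criteria on different fields are combined with AND, which the test run lets you confirm before anything is locked.

```abap
REPORT zlock_end_users.
* Added example. Assumed names: report name, default group 'ENDUSER'.
PARAMETERS: p_group TYPE xuclass DEFAULT 'ENDUSER',
            p_test  AS CHECKBOX DEFAULT 'X'.   " test run by default

DATA: lt_range  TYPE STANDARD TABLE OF bapiussrge,
      lt_users  TYPE STANDARD TABLE OF bapiusname,
      lt_return TYPE STANDARD TABLE OF bapiret2,
      lt_keep   TYPE RANGE OF bapiusname-username.

START-OF-SELECTION.
* Dialog users (USTYP = 'A') of the chosen user group only.
  lt_range = VALUE #( parameter = 'LOGONDATA' sign = 'I' option = 'EQ'
                      ( field = 'USTYP' low = 'A' )
                      ( field = 'CLASS' low = p_group ) ).
  CALL FUNCTION 'BAPI_USER_GET_LIST'
    TABLES
      selection_range = lt_range
      userlist        = lt_users
      return          = lt_return.

* Never lock the standard users from the question, or the caller.
* Option EQ treats the '*' in SAP* as a literal character.
  lt_keep = VALUE #( sign = 'I' option = 'EQ'
                     ( low = 'DDIC' )       ( low = 'SAP*' )
                     ( low = 'EARLYWATCH' ) ( low = 'SAPCPIC' )
                     ( low = sy-uname ) ).
  DELETE lt_users WHERE username IN lt_keep.

  LOOP AT lt_users INTO DATA(ls_user).
    IF p_test = abap_true.
      WRITE: / 'Would lock:', ls_user-username.
      CONTINUE.
    ENDIF.
    CLEAR lt_return.
    CALL FUNCTION 'BAPI_USER_LOCK'
      EXPORTING
        username = ls_user-username
      TABLES
        return   = lt_return.
*   Report every error or abort message the BAPI returned.
    LOOP AT lt_return INTO DATA(ls_ret) WHERE type = 'E' OR type = 'A'.
      WRITE: / 'Failed:', ls_user-username, ls_ret-message.
    ENDLOOP.
    IF sy-subrc <> 0.   " no error rows in RETURN
      WRITE: / 'Locked:', ls_user-username.
    ENDIF.
  ENDLOOP.
```

Because the lock goes through the BAPI rather than a direct USR02 update, the BAPI's own authorization checks apply and each failure is reported in RETURN.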