08-29-2008 8:34 AM
Hello experts,
How can we lock all users, leaving out the standard users like DDIC, SAP*, EARLYWATCH and SAPCPIC, without using SU10?
regards,
kavitha
08-29-2008 8:36 AM
08-29-2008 8:39 AM
Hi Kavitha,
Go to SE38 -> enter EWULKUSR and execute.
Then click on "choose user", check the users you don't want to lock and then save it.
After saving, click on "lock users".
It will lock all the users that you have not selected.
Alternatively,
run tcode EWZ5; it will take you to the same screen.
regards,
tarun
08-29-2008 8:52 AM
Hi Kavitha,
There is one more way to lock the users by using USR02 table.
In the USR02 table, you can update the UFLAG field, which indicates whether the user is locked.
0 User not locked
32 (Hex 20) Locked by CUA central administrator
64 (Hex 40) Locked by administrator
128 (Hex 80) Locked after failed logon
If you update the same field for all standard users in the table, then the users get locked automatically.
08-29-2008 9:12 AM
> In the USR02 table, you can update the UFLAG field, which indicates whether the user is locked.
Sneha,
Do you think it is correct to directly, manually update an SAP standard table?
08-29-2008 9:26 AM
08-29-2008 12:52 PM
I can hear chanting and the sound of coconuts being knocked against each other...
08-29-2008 7:44 PM
>
> ...looking forward to the next audit.....
> Have fun....
Yup, I agree with Bernhard, direct updates in SAP tables are not a good practice, especially when you have audit folks running around.
08-29-2008 7:42 PM
Hi,
Just adding some more to this....
You can also use function module "SUSR_USER_LOCK" to lock users and "SUSR_USER_UNLOCK" to unlock.
A custom development with these two function modules is also a good option.
By the way, why do you want a hard way out when you have SAP's easy way out ("without using SU10")?
Regards,
Zaheer
08-29-2008 8:36 PM
> You can also use function module "SUSR_USER_LOCK" to lock users and "SUSR_USER_UNLOCK" to unlock.
You should use BAPI_USER_LOCK and BAPI_USER_UNLOCK.
> A custom development with these two function modules is also a good option.
See transaction BAPI (Basis => Security).
> By the way, why do you want a hard way out when you have SAP's easy way out ("without using SU10")?
You might want to take a more granular control of the locking / unlocking (e.g. the user type... in addition to the user group) than what SU10 offers. Or possibly, you don't want to lock users for whom the account validity is not (yet) valid. You can code those requirements into your custom application, before you call the BAPI.
Cheers,
Julius
08-29-2008 9:05 PM
Agreed.
We also have a custom program built to have all IDs locked in the system except standard SAP IDs and a couple of support team IDs for regular system maintenance activities.
It all depends on what Kavitha is looking for..
Regards,
Zaheer
08-30-2008 7:18 AM
Hi all,
Thanks for all your answers.
But my doubt was: if we have some 5000 users, in that case I think it will be a bit hard to do it from SU10.
So do SUSR_USER_LOCK and BAPI_USER_LOCK lock only users, leaving the SAP standard users?
regards,
kavitha
08-30-2008 8:37 AM
The BAPI's will do exactly that which you tell them to do, if this is correct and you are authorized to.
So, you can select all users of type dialog from known "end user" user groups into an internal table (see function module BAPI_USER_GET_LIST) and then lock all users in the internal table (perhaps after explicitly deleting DDIC, SAP* and yourself from the internal table - just to be safe).
There is also a blog and some posts here with more information about BAPI's for user administration by
Julius
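
The select-then-lock approach described in the last reply, as an added ABAP sketch that is not part of the original thread or any poster's program. The report name, the parameters p_group and p_test, and the choice of selecting on LOGONDATA fields USTYP ('A' = dialog) and CLASS (user group) are assumptions for illustration; the protected names are the standard users listed in the question plus the caller.

```abap
REPORT zlock_end_users.
* Added example: report name and parameters are hypothetical.
PARAMETERS: p_group TYPE xuclass OBLIGATORY,   " end-user group to lock
            p_test  AS CHECKBOX DEFAULT 'X'.   " list only, lock nothing
DATA: lt_range  TYPE STANDARD TABLE OF bapiussrge, ls_range  TYPE bapiussrge,
      lt_users  TYPE STANDARD TABLE OF bapiusname, ls_user   TYPE bapiusname,
      lt_return TYPE STANDARD TABLE OF bapiret2,   ls_return TYPE bapiret2.

START-OF-SELECTION.
* Select dialog users (USTYP = 'A') that belong to the chosen user group.
  ls_range-parameter = 'LOGONDATA'.
  ls_range-sign      = 'I'.
  ls_range-option    = 'EQ'.
  ls_range-field     = 'USTYP'.
  ls_range-low       = 'A'.
  APPEND ls_range TO lt_range.
  ls_range-field     = 'CLASS'.
  ls_range-low       = p_group.
  APPEND ls_range TO lt_range.

  CALL FUNCTION 'BAPI_USER_GET_LIST'
    TABLES
      selection_range = lt_range
      userlist        = lt_users
      return          = lt_return.

* Safety net: drop the standard users and the caller before locking anything.
  DELETE lt_users WHERE username = 'DDIC' OR username = 'SAP*'
                     OR username = 'EARLYWATCH' OR username = 'SAPCPIC'
                     OR username = sy-uname.

  LOOP AT lt_users INTO ls_user.
    IF p_test = 'X'.
      WRITE: / 'Would lock', ls_user-username.
      CONTINUE.
    ENDIF.
    CLEAR lt_return.
    CALL FUNCTION 'BAPI_USER_LOCK'
      EXPORTING
        username = ls_user-username
      TABLES
        return   = lt_return.
*   Log every BAPI message so the run leaves a reviewable trail.
    LOOP AT lt_return INTO ls_return.
      WRITE: / ls_user-username, ls_return-type, ls_return-message.
    ENDLOOP.
  ENDLOOP.
```

Running with p_test ticked first gives a list to review before any account is changed; the lock itself goes through BAPI_USER_LOCK rather than a direct USR02 update.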