09-10-2009 6:16 PM
We are planning an upgrade from 4.6C to ECC6. Once we have gotten the system upgraded, we only want to allow certain users access to the systems for a time, developers, basis, etc so they can do some post upgrade work before releasing the system back to the end users.
Is there a way to lock all users out and only leave a few unlocked? I have looked on the SAP Support Portal and this forum but haven't seen this question raised.
Michael
09-10-2009 7:26 PM
This can be done through transaction SU10. This trasaction is used for mass user administration.
First find the list of unlock user from SUIM. Save it in excel sheet. Then upload the list of users those needs to be locked and then unlock. You can do the unlocking part in the same way.
Regards,
Sandip.
09-10-2009 6:39 PM
If you are using logon groups , You can create a new logon group for post upgrade validation and disable all other logon group ( which users are using ) temporarily . Then ask the testers to login to the system using the newly created logon group. Once all validation are complete you can enable the old logon group & users can login as usual.
thanks
Prince Jose
09-10-2009 7:26 PM
This can be done through transaction SU10. This trasaction is used for mass user administration.
First find the list of unlock user from SUIM. Save it in excel sheet. Then upload the list of users those needs to be locked and then unlock. You can do the unlocking part in the same way.
Regards,
Sandip.
09-10-2009 7:43 PM
I created a user group in SUGR and added all members of the support staff. I then ran Users by User ID, S_BCE_68001394 and filtered out my support staff group. I exported the list as a spreadsheet and went to SU10. I do not see any option to upload. Am I overlooking something in this transaction. I can copy and paste. But it is only pasting 25 lines at a time and I have just over 1000 users.
09-10-2009 8:05 PM
Thank you all so much for your help. I see now where I can click the "authorization data" button in SU10 and filter my users by User Groups to get the desired list. Problem solved.
09-10-2009 8:27 PM
What EWZ5 solved was the need to export the list.
The intention is that you can protect certain users (Euro Conversion Admins) but also not unlock users who were locked prior to the event - for good reasons.
The User Group solution is in my opinion a bad idea, as this is an administrative category.
Also take note that EWZ5 is not a "basis" transactions. It is not included in component systems which do not relate to ERP systems for which the conversion utility package was developed.
Though I must confess that it is very usefull. It is now also BAPI compliant. It would be nice to have it in the standard "basis" system.
On the other hand, for users who are already logged on, the network technique should be considered as another option to use.
In combination (once all non-Admins are off the application systems) would be best IMO.
You can do this very easily using EWZ5 together with a SAProuter if your servers are in a server network, or the admins are in the server network.
Cheers,
Julius
09-10-2009 8:42 PM
All good points on the EWZ5 transactions. I had not considered the fact I would potentially unlock users who were locked for good reason, as you said, previously. I verified in the SND instance that I do have EWZ5 available to me. So this may be a viable option as well. I will play around in SND and see what works best.
Thanks for all the good points.
09-10-2009 9:05 PM
It is a report transaction which uses BAPIs, so you can easily copy it into a Z-program and create a trabsaction for it.
You might need to change the messages in the coding and create them in you system.
Although you have closed the thread, this with the network segregation is a better option than SU10 by a long way, in my opinion.
Cheers,
Julius
09-10-2009 8:05 PM
use the Tcode EWZ5 to Lock all Unlocked users in Mass. When unlocking in mass, please use EWZ6.
Regards,
Dipanjan
09-13-2009 1:58 PM
In the future this could be achieved by using Security Policies: you could assign different policies to the different groups of users; and in every policy you can define whether a user shall be able to logon by password, tickets, etc. You could change the content of a policy - and it would take immediate action (on all users assigned to that policy).
But that's an outlook ... (not available, right now).
It will come with a future Enhancement Pack (NW 7.x).
09-13-2009 3:54 PM
Hi Wolfgang,
Have you seen the user lock/unlock tool used by your SLO colleagues? I had a look at it on a previous project and looks like a nicer version EWZ5 by creating new group policies for lock/unlock based on various criteria.
09-14-2009 8:27 AM
>
> Have you seen the user lock/unlock tool used by your SLO colleagues?
Well, you can guess where the requirement for a "tenant runlevel" check came from ...
They are searching for solution which works without touching the user master records and which does not make use of any hard-wired "exceptional users".
03-07-2023 7:12 AM
The transaction EWZ5 was delivered in connection with the euro changeover, for more information, see note511956-EWK5: Locking subsequently created users and note1263473 - EWZ5/EWZ6: Authorization default missing
You should use here SU10.
The tr. EWZ5 is reserved for Currency Conversion processes.
Please do not use the transaction EWZ5 for other purpose, unless you carry a Local Currency Changeover. This is the recommendation of the development.
03-07-2023 7:13 AM