Solved: Lock mass users

Former Member · ‎05-04-2011

Hi All,

When checked EWZ5 doesnt exist in our SRm 7.0 system.Is there a way to lock mass users.Su10 has restriction upto some users right?Thanks.

Former Member · ‎05-04-2011

What problem you are facing while locking mass users using SU10. ?

SU10 is Ok to use for mass user administration.

Regards,

Sandip

sivakumar_kilari3 · ‎05-04-2011

Hi,

Execute program EWULKUSR in SA38

Thanks

Siva

Former Member · ‎05-04-2011

What problem you are facing while locking mass users using SU10. ?

SU10 is Ok to use for mass user administration.

Regards,

Sandip

markus_doehr2 · ‎05-04-2011

> What problem you are facing while locking mass users using SU10. ?

> SU10 is Ok to use for mass user administration.

The problem with SU10 is the fact, that is does not distinguish between users "already locked by administrator" and not locked users. If users are unlocked with SU10 it will also unlock those, that shouldn't be unlocked.

Markus

Former Member · ‎05-04-2011

I usually use SUIM and SU10 combination for user locks than EWZ5. The probem with EWZ5 is that you have all the background and service users also listed.

Former Member · ‎05-04-2011

Yes, true.

To avoid this, we need to prepare the list of user only. Lock/unlock users can be easily separated through SUIM or USR02 table.

After preparation of list, we can use SU10. Access of SA38 or SE38 may not be allowed to Security consultants in Production systems as it is considered as critical transaction.

So I think SU10 should be the best option for mass user admin.

Regards,

Sandip

Former Member · ‎05-04-2011

Markus hit the nail on the head! Only unlock those which it's own application locked and protect application specific "admins".

You also cannot "clone" it to non-ECC systems as it uses ECC logical DBs. How long it will still exist is also debatable as the euro currency conversions are long gone. (they did however clean up the spagetti code when the package syntax concept was activated internally in SAP and found the update statements).

Simply the fact that the output is a write statement is sufficient to assume that it is dead.

With BAPIs and ALV you can however create your own which is neutral to the component system type. Some partner products include it as a free tool with their core applications (also the ability to unlock and send a new pwd and even react to events of a failed SSO attempt when the authentication service / server fails and do it automatically while you fix the problem).

Lots of options - but ewz5 itself is a euro conversion tool.

Cheers,

Julius

martin_voros · ‎05-05-2011

Hi Julius,

It does not use any logical DB. So it shouldn't be that hard to copy it over to different system. It's using some custom objects like table EWUUSERTYP but any developer should be able to use it as a base for custom program.

I would also say that it will stay with us. In future there might be another European country which decides to switch to Euro. I know that in current situation in Eurozone it looks highly improbable but why would SAP get rid of it.

Cheers

OttoGold · ‎05-05-2011

Hi Martin

It does not use any logical DB

I didn`t see one either, but the look and feel of the tool is awful:))

Otto

Former Member · ‎05-07-2011

Which release are you guys on?

In earlier releases it was a much simpler and uglier program started by EWZ5. It even did updates on USR02-UFLAG (possibly to avoid LOCNT being reset?).

In my 7.01 system it now uses bapis and I was sure there was some LDB in there. There is also an exotic enqueue / dequeue function group which has it's own namespace.

I will check again - perhaps we are not talking about the same "thing" here

Cheers,

Julius

Former Member · ‎05-08-2011

Dear All,

Please go through below SAP note for more detail.

Note 1263473 - EWZ5/EWZ6: Authorization default missing

Best Regards

Imran

Former Member · ‎05-16-2011

Hi All,

Following the suggestion we have told the abapers about building a program.Thanks.

Former Member · ‎05-04-2011

Ambarish - We can use RSUSR200 tcode/report to identify unlocked users from the list that you want to lock.

If the remaining list of users have no similar pattern (User Group, Common role or profile that we can select on) then it is a little manual work.

Usually security teams have a custom mass user lock program created for mass locking ( 10,000+ user enviornments) which is a simple code to change the lock status to 64. Unless you have such a program, all i have seen is little manual work in SU10.

Hope it helps.

Regards,

Sri

Former Member · ‎05-04-2011

Ambarish , SU10 has no limit for the number of users. Suppose for example , you have 20k users to be locked for your Production environment, You can open 6 sessions and put 3k each approx and do the mass locking. For that , click SU10 - Go to Authorization Data - In users by Complex search criterion , put your list of users and then transfer those users.

Former Member · ‎05-06-2011

Siva is correct. We moved the program to a BI system ZBW_EWULKUSR gave it a ZEWZ5 and it worked like a charm. You can probably do that for your SRM system.

Gary Morris

SAP Security