Hi
> 
> you can achive using User group authorization
> 

No you can't. That will not allow you to differentiate lock & unlock 'vs' password reset for a given set of users.

HI Alex,

your message was not clear throughly. What I know is, even by restricting with user group, we can still change the password of that user.

Hi Plaban,

As standard we cannot segregate the activities of lock/unlock and password reset - they share the 05 activity.

S_USER_GRP will allow restriction of activities to groups of users but activity 05 still permits both lock/unlock and password reset unless you take a customising approach.

Hi alex,

i do not think, value 05 in S_USER_GRP will provide password reset access. i.e if 05 is NOT provided, then also password reset authorization is available.

Edited by: Plaban Sahoo on Sep 22, 2011 3:03 PM

Hi alex,
> i do not think, value 05 in S_USER_GRP will provide password reset access. i.e if 05 is NOT provided, then also password reset authorization is available.
> 
> Edited by: Plaban Sahoo on Sep 22, 2011 3:03 PM

This does not look right. Test it and you will see lock/unlock and password resets both needs 05.

What a strange thread...

Luckily Raghav has never closed any question he ever asked on SDN yet, so the show can still go on for a while

Hi Pradeep
> 
> You can use T-code EWZ5. This t-code is used for mass user locking and unlocking. 
> 
> Thanks-
> Guru Prasad Dwivedi
> 
> Edited by: guruprasaddwivedi on Sep 21, 2011 4:36 PM

I would like to add that this transaction must be used really, really, really carefully! It is so easy to lock all users in the system. To be honest I wouldn't allow this for anyone who wasn't an uber security administrator (and even then only on a temp basis).

Hi Alex

Considering the possibility of ranged tcodes in support roles - would this be one for SM01 in that case?

Regards

David

Hi

EWZ5 is very dangerous and sensitive tcode, if you not sure how to use then will be in trouble

Hi Alex
> 
> Considering the possibility of ranged tcodes in support roles - would this be one for SM01 in that case?
> 
> Regards
> David

To David: Sorry to go a little off-topic. Was thinking if EWZ5 is with security admin and so is SM01 then is it not a SOD issue? Though I understand the benefit of locking EWZ5.

To OP - There is quite a recent article in Security by Raghu Boddu which explains transaction variant for SU01 using SHDO for almost the same case as you have. His article mentions both the features lock/unlock and password reset..for your case you can just enable one you need.

Hi David,

EWZ5 requires the usual unlock auths (and possibly more - I don't have a system immediately available with EWZ5) so will be controlled by standard sec objects to restrict. Assuming that it's not the sec roles that are ranged in prod (big assumption ) then should be sufficient level of control without resorting to locking the tx.

It's surprisingly common to hear people who have run the lock without excluding their own user. But for the grace of God I've managed to avoid it so far. In PRD at least.....

Hi Alex

I'll add this to my notebook for future reference

From a system I currently have access to the unvalidated SU24 entries are:

S_DATASET Authorization for file access Check NO

S_DEVELOP ABAP Workbench Check NO

S_TCODE Transaction Code Check at Transaction Start Check NO

I've had some fun (in threat-ro-spect) seeing my own access swallowed by an enthusiatistic LSMW deleting roles which happened to include me but my reference user still lived on to rescue me so I appreciate the open-eyed OMG stare something bad like this may produce...

cheers

David

Edited by: David Berry on Sep 22, 2011 7:42 PM