How to Block all the users at table level

Former Member · ‎01-10-2008

Dear all,

Please guide how to block the users at table level so that they can't login to sap system

or which table we have to modify to block all the users.

Former Member · ‎01-10-2008

You need to look at table USR02 field UFLAG. There is plenty of sample code if you do a google on terms USR02 and lock

You can also use EWZ5 to do mass locks in R/3 systems

I would be very careful using either

Former Member · ‎01-10-2008

other options is to remove/block conections in the network, that is less work and also less dangerous.

Former Member · ‎01-10-2008

Hi

There are many ways exist in the SAP to lock / unlock users,

You can use SU10 (Mass user maintenace) to lock / unlock client,

EWZ5 easier than then SU10

Also, you can lock / unlock the client instead of locking users by the above t-codes, the executing the below functions by the SE37. then no users will be allowed to login to SAP instead of sap* / ddic.

SE37..

SSCR_LOCK_CLIENT

SSCR_UNLOCK_CLIENT

Regards

Anwer Waseem

SAP BASIS

Edited by: Anwer Waseem on Jan 10, 2008 11:25 AM

Former Member · ‎01-14-2008

Is there any way to lock the user to login with only specific terminal( Windows system hostname)????

Former Member · ‎01-14-2008

From [this thread on the same topic:|]

>

> <b>I strongly disencourage you from manipulating those USR tables.</b>

>

> A better solution for your problem could be the usage of firewalls (placed between the network where the users reside and the server network). You could then only allow client access which is originated from dedicated machines - all others would be blocked out on the network level. Once you block those ports it will take immediate effect - terminating existing connections (with data loss).

Cheers,

Julius

Former Member · ‎01-16-2008

Hi,

Ask ur network ppl to block port number 32<Instance Number> on Application Server for the terminal on which u want to block access.

Regards,

Mofizur

Former Member · ‎01-16-2008

Hi,

below are the different options for locking the users:

Use SU10 to mass lock/unlock the users.

Use address data or authorisation data to get a list of users - select the ones you want and

click transfer.

Once this is done click on lock or unlock.

You can also use transaction code EWZ5 to mass lock/unlock the users

or

Execute program EWULKUSR in SE38

or

Set a profile parameter (login/failed_user_auto_unlock) to unlock at midnight the locked users.

or

Here's an ABAP code, short and simple, isn't it?

REPORT zreusrlock.

DATA: time_limit TYPE sy-datum.

DATA: days TYPE i VALUE 40.

time_limit = sy-datum - days.

UPDATE usr02 SET uflag = 64 WHERE trdat <>

If you don't want to specify the time in the program, you can use SE38 to schedule it as a daily background job with the date and time.

or

Probably the easiest way would be to write a sqlplus SQL script that sets all the UFLAG fields in table USR02 to 64 EXCEPT for the BNAMEs you don't want locked. When you are done, you can do the same again but change the UFLAG field to 0.

The SQL statement would look like:

update SAPR3.USR02 set UFLAG = 64 where MANDT = and BNAME !=

AND BNAME != ;

You can replace != with <> if you want. To run this from an OS command line, you would type:

Unix/Oracle 8---> sqlplus internal @

NT/Oracle 8.0---> plus80 internal @

NT/Oracle 8.1---> sqlplus internal @s

Unix/Oracle 9:--> sqlplus /nolog @

NT/Oracle 9-----> sqlplus /nolog @

In UNIX you can cron the script to schedule it. In NT you can schedule it as a task.