Users Profiles and Password

Users Profiles and Password

Different methods to Lock or unlock SAP users

I want to lock all the users in SAP during MTP.  I know using SU10 we can do it. Any other alternative ways to lock the users.

Is there a way in SAP to unlock a locked user for a limited time, then automatically after x time set the user back to lock status? 

You can fill in "valid from" and "valid until", but you cannot say from Monday to Friday from 8 - 12:00 for part time workers. 

Can we schedule to lock all users?

If users get locked, from SU01 you can unlock them. 

Use SU10 to mass lock/unlock the users.

Use address data or authorisation data to get a list of users - select the ones you want and 

click transfer. 

Once this is done click on lock or unlock. 

You can also use transaction code EWZ5 to mass lock/unlock the users

or 

Execute program EWULKUSR in SE38

or 

Set a profile parameter (login/failed_user_auto_unlock) to unlock at midnight the locked users. 

or 

Here's an ABAP code, short and simple, isn't it? 

REPORT zreusrlock. 

DATA: time_limit TYPE sy-datum. 
DATA: days TYPE i VALUE 40. 

time_limit = sy-datum - days. 
UPDATE usr02 SET uflag = 64 WHERE trdat < time_limit.

If you don't want to specify the time in the program, you can use SE38 to schedule it as a daily background job with the date and time.

or

Probably the easiest way would be to write a sqlplus SQL script that sets all the UFLAG fields in table USR02 to 64 EXCEPT for the BNAMEs you don't want locked. When you are done, you can do the same again but change the UFLAG field to 0. 

The SQL statement would look like: 

update SAPR3.USR02 set UFLAG = 64 where MANDT = <client number> and BNAME != <don't lock user 1> 
AND BNAME != <don't lock user 2>; 

You can replace != with <> if you want. To run this from an OS command line, you would type: 

Unix/Oracle 8---> sqlplus internal @<SQLpath+SQLname> 
NT/Oracle 8.0---> plus80 internal @<SQLpath+SQLname> 
NT/Oracle 8.1---> sqlplus internal @s<SQLpath+SQLname> 
Unix/Oracle 9:--> sqlplus /nolog @<SQLpath+SQLname> 
NT/Oracle 9-----> sqlplus /nolog @<SQLpath+SQLname> 

In UNIX you can cron the script to schedule it. In NT you can schedule it as a task.

or

This is another method to UNLOCK ALL users. 

Start Oracle Server manager (I assume you are on Oracle) 
connect internal 
update sapr3.usr02 set uflag='0' where mandt='399'; 

When users are locked, the uflag is set to 64. 

Finish, just query to check. 

select bname, uflag from sapr3.usr02 where mandt='399'; 

Please note that unlocking users from low level (like Oracle sqlplus) should be used as last resort. Frequent use of low level access may tempt you to use on other things. Highly dangerous and your IS auditors will not be too happy. 

Is there a way to set a list of users that cannot be locked, even if we try to lock them manually, and even if they fail connection ( wrong password )?

Increase this parameter in SAP Instance profile: 

login/fails_to_user_lock = 6 (max is 99 wrong attempts, i.e, value 99). Currently you have a value of 3. 

login/failed_user_auto_unlock (for your midnight unlocking). 

Ask users to remember passwords!! If someone is deliberately login-in with different username/password (thereby blocking legitimate access of that user), check hostname from SM21. 

This is considered as DoS (Denial of Service). 

Changing the default password for sap* user

You are trying to change the password for sap* user, however when you go into su01 and enter sap* as the user name, the following message is displayed, user sap* does not exist.

You can delete the SAP* user using ABAP code :-
Delete from usr02 where bname = 'SAP*' and mandt = '***';

Where '***' means your client no.

Then login to your client using password SAP* and password PASS

However, if you delete it, then it will automatically created once again with password PASS

The userid, SAP*, is delivered with SAP and is available in clients 000 and 001 after the initial installation. In these 2 clients, the default password is 07061992 (which is, by the way, the initial date when R/3 came into being...). It is given the SAP_ALL user profile and is assigned to the Super user group. When I say it is "delivered" with SAP, I mean that the userid resides in the SAP database; there are actually rows in the user tables used to define userids.

If you delete the userid, SAP*, from the database, SAP has this userid defined in its kernel (the SAP executable code that sits at the operating system level, i.e., disp+work).  When this situation exists, the password defined in the SAP code for SAP* is PASS.  This is necessary when you are performing client copies for example, as the user information is copied at the end of the process. You can sign into the client you are creating while a client copy is processing using SAP* with password PASS (but you should have a good reason to do this - don't change anything while it's running).

Anyway, if the SAP* userid is missing, you can sign in to the client you want and simply define it using transaction SU01 and, as I stated above, assign it to the SUPER user group and give it the SAP_ALL profile.  You define its initial password at this point. If you've forgotten its password and don't have a userid with sufficient authorization to create/change/delete userid, 
then you can use the SQL statements to delete it from the database and then you can use SAP* with PASS to sign back into the client you want to define it in and recreate it.

There is also a profile parameter which can override the use of SAP* with PASS to close this security hole in SAP (login/no_automatic_user_sapstar).  When this parameter is defined either in your DEFAULT.PFL profile or the instance-specific profile and is set to a value of '1', then the automatic use of SAP* is deactivated. The only way to reactivate the kernel-defined SAP* userid at this point would be to stop SAP, change this parameter to a value of 0 (zero), and then 
restart SAP.

The default password for SAP* is 06071992. (DDIC has 19920706)

Mass Maintenance of Users Profiles

Goto transaction code SU10

Select your SAP User by Address data or Authorization data.

With the users you want to change selected, click :-

User -> Change -> Profiles

Filled in the Profiles and click save.

How can I create multiple User Id at Random

We usually created Id though SU01, it only one by one.
Can I create multiple user id having same profile at once.

Yes you can, use tcode SCAT. First, make sure your client setting (SCC4) is enabled with ' X eCATT and CATT allowed'. Just in case your Production disabled this.

- Then, you need to create a simulation (test case) of creating new user id by calling tcode 
  SU01 later. 
- Test case must start with Z, example ZCREATE_NEW_USER. Create this case, put title and 
   choose component as BC (basis components). 
- Save and choose Local if you dont want to transport it or choose a dev. class (example ZDEV) 
   if you want to transport it later.
- Go back and click Change button. Then key -in Object as example SU01, and choose Record 
   button on top. When it prompts to enter Transaction code, key in SU01 (if for roles, 
   key-in PFCG) and begin recording. As usual in SU01 create 1 user id, dept field, password,
   roles, group and so on. 
- Make sure you press Enter on each field because we want to capture the value/object and 
   SCAT is a bit stupid if you become familiar later....but still useful...indeed. 
- You will see a clock on the bottom which means the recording process is on going. 
   Once done, click Back button and press End button to end the recording.

Note -  I noticed you said the profiles are all the same. Then this is much easier...no need to enter the roles/profiles, just duplicate this ID and change the name, dept and password only.

Okay..first stage has finished. Then double click the Object to begin inserting parameters. Then you will see an object for each fields that you run from SU01. Choose the right field example user id (BNAME) and choose button 'Insert Import Parameter (F6)' and you may click Next Screen to 'watch' what have been recorded and proceed to choose several other objects like password field (PASSWORD1, PASSWORD2), roles field (AGR_NAME), group field etc. If you happen to choose the wrong object, then you can reset back (Edit -> Reset Parameterization). You may see so many junk fields captured and this is because SCAT records every steps/dialogs. 

Once done, choose Back and save this case. Then you need to click 'Goto -> Variant -> Export' and save it. After that use Ms Excel to open it and begin inserting all other user ids. Save and close. Remember to close this file because SCAT will use it.

Then last one, get back to SCAT and click button execute, processing mode chose Background, choose external file 'the one you created with Excel' and execute. At this moment don't use tcode SU01 bcoz you may interrupt the simulation. Wait for the logs.  If you see reds then error was 
happening. 

Hoping this will help you. I have done (Sap 4.6C) this to create thousands of user ids and also thousands of roles/profiles (pfcg). I heard with Sap 4.7, the SCAT has so many extra features.....

Correct me if i'm wrong elsewhere.....just shared my experience.