Users Profiles and Password
Different methods to Lock or unlock SAP users
A D V E R T I S E M E N T
I want to lock all the users in SAP during MTP. I know using SU10 we can
do it. Any other alternative ways to lock the users.
Is there a way in SAP to unlock a locked user for a limited time, then
automatically after x time set the user back to lock status?
You can fill in "valid from" and "valid until", but you cannot say from
Monday to Friday from 8 - 12:00 for part time workers.
Can we schedule to lock all users?
If users get locked, from SU01 you can unlock them.
Use SU10 to mass lock/unlock the users.
Use address data or authorisation data to get a list of users - select the
ones you want and
Once this is done click on lock or unlock.
You can also use transaction code EWZ5 to mass lock/unlock the users
Execute program EWULKUSR in SE38
Set a profile parameter (login/failed_user_auto_unlock) to unlock at midnight
the locked users.
Here's an ABAP code, short and simple, isn't it?
DATA: time_limit TYPE sy-datum.
DATA: days TYPE i VALUE 40.
time_limit = sy-datum - days.
UPDATE usr02 SET uflag = 64 WHERE trdat < time_limit.
If you don't want to specify the time in the program, you can use SE38 to
schedule it as a daily background job with the date and time.
Probably the easiest way would be to write a sqlplus SQL script that sets all
the UFLAG fields in table USR02 to 64 EXCEPT for the BNAMEs you don't want
locked. When you are done, you can do the same again but change the UFLAG field
The SQL statement would look like:
update SAPR3.USR02 set UFLAG = 64 where MANDT = <client number> and BNAME !=
<don't lock user 1>
AND BNAME != <don't lock user 2>;
You can replace != with <> if you want. To run this from an OS command line,
you would type:
Unix/Oracle 8---> sqlplus internal @<SQLpath+SQLname>
NT/Oracle 8.0---> plus80 internal @<SQLpath+SQLname>
NT/Oracle 8.1---> sqlplus internal @s<SQLpath+SQLname>
Unix/Oracle 9:--> sqlplus /nolog @<SQLpath+SQLname>
NT/Oracle 9-----> sqlplus /nolog @<SQLpath+SQLname>
In UNIX you can cron the script to schedule it. In NT you can schedule it as
This is another method to UNLOCK ALL users.
Start Oracle Server manager (I assume you are on Oracle)
update sapr3.usr02 set uflag='0' where mandt='399';
When users are locked, the uflag is set to 64.
Finish, just query to check.
select bname, uflag from sapr3.usr02 where mandt='399';
Please note that unlocking users from low level (like Oracle sqlplus) should
be used as last resort. Frequent use of low level access may tempt you to use on
other things. Highly dangerous and your IS auditors will not be too happy.
Is there a way to set a list of users that cannot be locked, even if we
try to lock them manually, and even if they fail connection ( wrong password )?
Increase this parameter in SAP Instance profile:
login/fails_to_user_lock = 6 (max is 99 wrong attempts, i.e, value 99).
Currently you have a value of 3.
login/failed_user_auto_unlock (for your midnight unlocking).
Ask users to remember passwords!! If someone is deliberately login-in with
different username/password (thereby blocking legitimate access of that user),
check hostname from SM21.
This is considered as DoS (Denial of Service).
Changing the default password for sap* user
You are trying to change the password for sap* user, however when you go into
su01 and enter sap* as the user name, the following message is displayed, user
sap* does not exist.
You can delete the SAP* user using ABAP code :-
Delete from usr02 where bname = 'SAP*' and mandt = '***';
Where '***' means your client no.
Then login to your client using password SAP* and password PASS
However, if you delete it, then it will automatically created once again with
The userid, SAP*, is delivered with SAP and is available in clients 000 and
001 after the initial installation. In these 2 clients, the default password is
07061992 (which is, by the way, the initial date when R/3 came into being...).
It is given the SAP_ALL user profile and is assigned to the Super user group.
When I say it is "delivered" with SAP, I mean that the userid resides in the SAP
database; there are actually rows in the user tables used to define userids.
If you delete the userid, SAP*, from the database, SAP has this userid
defined in its kernel (the SAP executable code that sits at the operating system
level, i.e., disp+work). When this situation exists, the password defined in
the SAP code for SAP* is PASS. This is necessary when you are performing client
copies for example, as the user information is copied at the end of the process.
You can sign into the client you are creating while a client copy is processing
using SAP* with password PASS (but you should have a good reason to do this -
don't change anything while it's running).
Anyway, if the SAP* userid is missing, you can sign in to the client you want
and simply define it using transaction SU01 and, as I stated above, assign it to
the SUPER user group and give it the SAP_ALL profile. You define its initial
password at this point. If you've forgotten its password and don't have a userid
with sufficient authorization to create/change/delete userid,
then you can use the SQL statements to delete it from the database and then you
can use SAP* with PASS to sign back into the client you want to define it in and
There is also a profile parameter which can override the use of SAP* with
PASS to close this security hole in SAP (login/no_automatic_user_sapstar). When
this parameter is defined either in your DEFAULT.PFL profile or the
instance-specific profile and is set to a value of '1', then the automatic use
of SAP* is deactivated. The only way to reactivate the kernel-defined SAP*
userid at this point would be to stop SAP, change this parameter to a value of 0
(zero), and then
The default password for SAP* is 06071992. (DDIC has 19920706)
Mass Maintenance of Users Profiles
Goto transaction code SU10
Select your SAP User by Address data or Authorization data.
With the users you want to change selected, click :-
User -> Change -> Profiles
Filled in the Profiles and click save.
How can I create multiple User Id at Random
We usually created Id though SU01, it only one by one.
Can I create multiple user id having same profile at once.
Yes you can, use tcode SCAT. First, make sure your client setting (SCC4) is
enabled with ' X eCATT and CATT allowed'. Just in case your Production disabled
- Then, you need to create a simulation (test case) of creating new user id
by calling tcode
- Test case must start with Z, example ZCREATE_NEW_USER. Create this case, put
choose component as BC (basis components).
- Save and choose Local if you dont want to transport it or choose a dev. class
if you want to transport it later.
- Go back and click Change button. Then key -in Object as example SU01, and
button on top. When it prompts to enter Transaction code, key in SU01 (if for
key-in PFCG) and begin recording. As usual in SU01 create 1 user id, dept
roles, group and so on.
- Make sure you press Enter on each field because we want to capture the
SCAT is a bit stupid if you become familiar later....but still
- You will see a clock on the bottom which means the recording process is on
Once done, click Back button and press End button to end the recording.
Note - I noticed you said the profiles are all the same. Then this is much
easier...no need to enter the roles/profiles, just duplicate this ID and change
the name, dept and password only.
Okay..first stage has finished. Then double click the Object to begin
inserting parameters. Then you will see an object for each fields that you run
from SU01. Choose the right field example user id (BNAME) and choose button
'Insert Import Parameter (F6)' and you may click Next Screen to 'watch' what
have been recorded and proceed to choose several other objects like password
field (PASSWORD1, PASSWORD2), roles field (AGR_NAME), group field etc. If you
happen to choose the wrong object, then you can reset back (Edit -> Reset
Parameterization). You may see so many junk fields captured and this is because
SCAT records every steps/dialogs.
Once done, choose Back and save this case. Then you need to click 'Goto ->
Variant -> Export' and save it. After that use Ms Excel to open it and begin
inserting all other user ids. Save and close. Remember to close this file
because SCAT will use it.
Then last one, get back to SCAT and click button execute, processing mode
chose Background, choose external file 'the one you created with Excel' and
execute. At this moment don't use tcode SU01 bcoz you may interrupt the
simulation. Wait for the logs. If you see reds then error was
Hoping this will help you. I have done (Sap 4.6C) this to create thousands of
user ids and also thousands of roles/profiles (pfcg). I heard with Sap 4.7, the
SCAT has so many extra features.....
Correct me if i'm wrong elsewhere.....just shared my experience.