GRCwithRaghu

Are you finding it challenging to use EWZ5 for locking and unlocking users during upgrade activities? Have you discovered that this transaction code is now obsolete and are you relying on a custom program? If so, consider using the ABAP program RSUSR_LOCK_USERS.

This program simplifies the user locking and unlocking process, making it an invaluable tool for managing user accounts efficiently during system upgrades.

Understanding RSUSR_LOCK_USERS

RSUSR_LOCK_USERS is a simple yet effective program that is built on top of the RSUSR200 program. Here is the list of options available on the program screen:

GRCwithRaghu_0-1716213232320.png

As highlighted in the picture, the RSUSR_LOCK_USERS report offers the following sections:

 

Section

What it offers?

User Selection

This section offers the following:

User – Selection of specific users.

Group for Authorization – Uses SU01 user group assignments and picks the users based on the group assignment.

Security Policies – Uses the Security Policy assigned to the user in SU01.

Days Since Last Logon – Specifies the number of days since the last logon (for example, to lock the users who haven’t logged in to the system in the last 90 days, enter the value 90).

Days Since Password Change – To select users based on last password change.

Selection by Validity of users

Selection by Validity of users can be filtered by today's validity or by a specific period.

Today (current date) – This option checks for users who are valid or invalid on the current date.

  • Users Valid Today – Considers the users who are valid on the current date.
  • Users Invalid Today – Considers the users who are invalid on the current date.

Validity Period – This option checks for users who are valid or invalid over a specified period of time.

  • Users Valid <From> and <To> – Considers the users who are valid within the time period specified in the input.
  • Users Not valid <From> and <To> – Considers the users who are invalid within the time period specified in the input.

Selection by Locks

This option facilitates filtering users based on their lock status. Below are the lock criteria that can be considered. Selecting one of these options is mandatory (Radio button selection).

  • Differentiation of Locks
  • All users with Administrator or Password Locks
  • Only Users without Locks

Differentiation of Locks

  • User Locks (Administrator) – When the value "Set" is selected, the selection includes the users who have been locked by the administrator, with lock statuses of 32 and 64.

GRCwithRaghu_1-1716213376801.png

    When the value "Not Set" is selected, the selection excludes the users who have been locked by the administrator, with lock statuses of 32 and 64.

GRCwithRaghu_2-1716213376803.png

  • Password Lock (Incorrect Logon) – When the value "Set" is selected, the selection includes the users who have been locked due to incorrect logons, with the status of 128. When the value "Not Set" is selected, the selection excludes those users.
  • All users with Administrator or Password Locks – Includes all users who are locked by the administrator (lock status 32 and 64) or who have a password lock (lock status 128).
  • Only Users without Locks – Includes users without any lock status (active users).

Selection by Login attempts

This section sorts users based on their login attempts to the SAP system. By default, all options are selected, and you can deselect a box to exclude. Alternatively, all boxes can be unchecked if you do not wish to use this option.

 

GRCwithRaghu_3-1716213376804.png
  • Users with incorrect Logon Attempts – Considers users who have made incorrect logon attempts.
  • Users with no Incorrect Logon Attempts – Considers users who have not made any incorrect logon attempts.
  • User Without Logon Date – Considers the users without any logon date in SU01.

Selection by User Type

Selection by User Type filters users based on the user type defined in SU01. For example, you can lock only dialog users based on conditions specified within this program, such as users who have not logged into the system for a specific period of time.

Below are the user types available under this criterion:

  • Dialog Users
  • Communication Users
  • System Users
  • Service Users
  • Reference Users

NOTE: By default, all options are selected, and you can deselect a box to exclude. Alternatively, all boxes can be unchecked if you do not wish to use this option.

Selection by status of password

This section selects users based on the status of the user password.

  • Users with Production Password – Productive users.
  • Users with Initial Password – Users who have never logged into the SAP system after the initial password was set by the admin.
  • Users with Deactivated Password – Users whose password is deactivated.

As with “Selection by Login attempts” and “Selection by User Type”, all options are selected by default here as well, and you can deselect a box to exclude it.

Activity selection

Once all the selection criteria are defined according to your requirements, proceed to the Activity selection option to specify the action. The action is applied to the users that match the conditions specified above. The following actions are available when you execute the program:

  1. Test Selection – Presents the list of users matching the defined criteria on the output screen, before any of the activities listed below are executed.
  2. Lock Users (Local Lock) – Locks the user locally.
  3. Unlock Users (Local Lock) – Unlocks the user locally.
  4. Set the End of the Validity Period to Today (Only for Valid Users) – Ends the validity of the user with today’s date.
  5. Set the End of the Validity Period to Yesterday (Only for Valid Users) – Ends the validity of the user with yesterday’s date.

As mentioned, RSUSR_LOCK_USERS aids in compliance and audit processes by providing a clear record of user account status and actions taken. This ensures that the organization can demonstrate adherence to security policies and regulations.
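The selection criteria above can be rehearsed on an exported user list before a locking run. The following is an added example, not part of the original post and not SAP code: it decodes the lock statuses 32, 64 and 128 and previews which users a combination of user type, lock and logon criteria would pick. The record layout, the function names, the treatment of lock statuses as bit flags and the handling of users without a logon date are assumptions of this example.

```python
from datetime import date

ADMIN_LOCK = 32 | 64   # administrator lock statuses named in the article
PASSWORD_LOCK = 128    # password lock (incorrect logons)

def decode_lock(status):
    """Decode a lock status. Assumption: statuses are bit flags, so a
    combined value such as 192 (64 + 128) carries both lock kinds."""
    kinds = set()
    if status & ADMIN_LOCK:
        kinds.add("admin")
    if status & PASSWORD_LOCK:
        kinds.add("password")
    return kinds

def matches_flag(is_set, wanted):
    """wanted: True = "Set", False = "Not Set", None = criterion unused."""
    return wanted is None or is_set == wanted

def preview_selection(users, today, user_types=("dialog",), min_days=None,
                      admin_lock=None, password_lock=None, no_logon_date=False):
    """Hypothetical model of a test selection: return the matching user IDs."""
    picked = []
    for u in users:
        locks = decode_lock(u["lock"])
        if u["type"] not in user_types:
            continue  # e.g. keeps system users out of a dialog-user cleanup
        if not matches_flag("admin" in locks, admin_lock):
            continue
        if not matches_flag("password" in locks, password_lock):
            continue
        if u["last_logon"] is None:
            if not no_logon_date:
                continue  # users without logon date only when asked for
        elif min_days is not None and (today - u["last_logon"]).days < min_days:
            continue
        picked.append(u["user"])
    return picked

# Constructed sample export; these are not real accounts.
USERS = [
    {"user": "ALICE", "type": "dialog", "lock": 0, "last_logon": date(2024, 5, 10)},
    {"user": "BOB", "type": "dialog", "lock": 64, "last_logon": date(2024, 1, 5)},
    {"user": "CAROL", "type": "dialog", "lock": 192, "last_logon": None},
    {"user": "RFC_BATCH", "type": "system", "lock": 0, "last_logon": date(2023, 11, 1)},
    {"user": "DAVE", "type": "dialog", "lock": 128, "last_logon": date(2024, 2, 1)},
    {"user": "ERIN", "type": "dialog", "lock": 0, "last_logon": date(2023, 12, 1)},
]
TODAY = date(2024, 5, 20)

if __name__ == "__main__":
    print(preview_selection(USERS, TODAY, min_days=90, admin_lock=False))
```

Comparing such a preview with the output of Test Selection before choosing a lock or validity action helps catch a criterion that would sweep in technical users.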

How to Use RSUSR_LOCK_USERS?

 

  1. Execute transaction code SA38 or SE38.
  2. Enter “RSUSR_LOCK_USERS” in the program field and execute the report.
  3. Complete the required selections, such as specific users, lock/unlock conditions, and date ranges.
  4. Run the program to generate a list of users.

Consider the following condition for ending the validity of users as a reference. I have selected dialog users regardless of their password status—whether it's production, initial, or deactivated—and those who are already locked by the admin or due to password lock. Additionally, I have chosen users without logon data under "Selection by Logon Attempts." Once users meeting the defined criteria are identified, their ID validity should be set to end with yesterday’s date.    

GRCwithRaghu_4-1716213879816.png

After executing the program, the output will display the User IDs for which changes were made.

GRCwithRaghu_5-1716213907899.png

Result: According to the given criteria, user validity is ended with yesterday's date. The program was executed on 20.05.2024, so the user validity is set to end on 19.05.2024.

GRCwithRaghu_6-1716213932140.png

Additionally, the program can be scheduled to run at regular intervals, ensuring that administrators are always aware of any locked user accounts. Automation can help in maintaining continuous oversight without manual intervention.

Steps to schedule the job in the background:

To automate the locking, unlocking, and validity ending of users without manual intervention, you can schedule this job to run in the background. This enables the program to execute automatically at specified intervals, ensuring users are locked or unlocked according to predefined criteria. It's recommended to thoroughly test the program in a non-production environment before scheduling it in a production system to ensure proper functionality and minimize potential disruptions. Follow the steps below to schedule the job in the background:

  1. Execute transaction SE38 and input the program RSUSR_LOCK_USERS, then proceed to execute it.
  2. Define the criteria for locking/unlocking or ending the validity of the user.  
  3. Click "Program" to schedule the job in the background or press F9.

     GRCwithRaghu_7-1716214002429.png

  4. Specify the frequency at which the job should run and click Save.

When you have multiple criteria to schedule in the background, specify your criteria and press Ctrl+S to save as a variant as shown below:

GRCwithRaghu_8-1716214093015.png

After saving the variants, the job can now be scheduled in the background via transaction code SM36.

Conclusion

The RSUSR_LOCK_USERS program is an indispensable tool for SAP administrators, providing critical insights and control over user account management. By effectively utilizing this program, organizations can enhance their security posture, ensure compliance with regulations, and maintain smooth operational workflows. Regular use and prompt action on the findings of the RSUSR_LOCK_USERS report will help in minimizing user access issues and reinforcing overall system security.
