Are you finding it challenging to use EWZ5 for locking and unlocking users during upgrade activities? Have you discovered that this transaction code is now obsolete and are you relying on a custom program? If so, consider using the ABAP program RSUSR_LOCK_USERS.
This program simplifies the user locking and unlocking process, making it an invaluable tool for managing user accounts efficiently during system upgrades.
Understanding RSUSR_LOCK_USERS
RSUSR_LOCK_USERS is a simple yet effective program that is built on top of the RSUSR200 program. Here is the list of options available on the program screen:
As highlighted in the picture, the RSUSR_LOCK_USERS report offers the following sections:
Section | What it offers? |
User Selection | This section offers the following: User – selection of specific users. Group for Authorization – uses SU01 user group assignments and picks users based on the group assignment. Security Policies – uses the security policy assigned to the user in SU01. Days Since Last Logon – specifies the number of days since the last logon (e.g., to lock users who haven't logged in to the system in the last 90 days, enter 90). Days Since Password Change – selects users based on their last password change. |
Selection by Validity of users | Users can be filtered by today's validity or by a specific period. Today (current date) – checks for valid and invalid users as of the current date. Validity Period – checks for valid and invalid users over a specified period of time. |
Selection by Locks | This option filters users based on their lock status. Below are the lock criteria that can be considered. Selecting one of these options is mandatory (radio button selection). Differentiation of Locks – when the value "Not Set" is selected, users who have been locked by the administrator (lock statuses 32 and 64) are excluded. |
Selection by Login attempts | This section filters users based on their login attempts to the SAP system. By default, all options are selected, and you can deselect a box to exclude it. Alternatively, all boxes can be unchecked if you do not wish to use this option. |
Selection by User Type | This section filters users based on the user type defined in SU01. For example, you can lock only dialog users based on conditions specified within this program, such as users who have not logged into the system for a specific period of time. Below are the user types available under this criterion. NOTE: By default, all options are selected, and you can deselect a box to exclude it. Alternatively, all boxes can be unchecked if you do not wish to use this option. |
Selection by status of password | This section selects users based on the status of their password. As with “Selection by Login attempts” and “Selection by User Type”, all options are selected here by default as well, and you can deselect a box to exclude it. |
Activity selection | Once all the selection criteria are defined according to your requirements, you can proceed to the Activity selection option to specify your actions. With the conditions above in place, the selection is ready to be executed. Below are the actions that can be taken when you execute the program. |
RSUSR_LOCK_USERS aids in compliance and audit processes by providing a clear record of user account status and actions taken. This ensures that the organization can demonstrate adherence to security policies and regulations.
How to Use RSUSR_LOCK_USERS?
Consider the following condition for ending the validity of users as a reference. I have selected dialog users regardless of their password status—whether it's production, initial, or deactivated—and those who are already locked by the admin or due to password lock. Additionally, I have chosen users without logon data under "Selection by Logon Attempts." Once users meeting the defined criteria are identified, their ID validity should be set to end with yesterday’s date.
After executing the program, the output will display the User IDs for which changes were made.
Result: According to the given criteria, user validity is ended with yesterday's date. The program was executed on 20.05.2024, so the user validity is set to end on 19.05.2024.
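A way to preview, from an exported user list, which accounts a run with criteria like those above would touch before the report is executed or scheduled. This is an added example, not part of the original post and not SAP's code; it only approximates the report's selection. The column names (USR02 fields BNAME, USTYP, UFLAG, TRDAT, GLTGB), the YYYYMMDD date format and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
from datetime import date, datetime, timedelta

ADMIN_LOCKS = 32 | 64   # lock statuses the page attributes to administrator locks
# 128 is the standard USR02 value for a lock after failed logons (not stated on the page)

# Constructed sample extract; column names follow USR02 fields (assumption: YYYYMMDD dates)
SAMPLE = """BNAME,USTYP,UFLAG,TRDAT,GLTGB
ALICE,A,0,20240510,00000000
BOB,A,0,20240101,00000000
CAROL,A,64,20230901,00000000
DAVE,A,128,20231215,20241231
BATCH01,B,0,20220101,00000000
ERIN,A,0,00000000,00000000
FRANK,A,0,20230301,20240131
"""

def parse_date(value):
    """USR02-style date; all zeros (or empty) means 'no date set'."""
    return None if value.strip("0") == "" else datetime.strptime(value, "%Y%m%d").date()

def preview(extract, run_date, inactive_days=90, include_never_logged_on=True):
    """Return (user, last_logon, new_valid_to) for users a run would touch."""
    cutoff = run_date - timedelta(days=inactive_days)
    new_valid_to = run_date - timedelta(days=1)      # "end validity with yesterday"
    hits = []
    for row in csv.DictReader(io.StringIO(extract)):
        if row["USTYP"] != "A":                      # dialog users only
            continue
        if int(row["UFLAG"]) & ADMIN_LOCKS:          # "Not Set": skip admin-locked users
            continue
        valid_to = parse_date(row["GLTGB"])
        if valid_to is not None and valid_to <= new_valid_to:
            continue                                 # validity has already ended
        last_logon = parse_date(row["TRDAT"])
        if last_logon is None:
            if not include_never_logged_on:
                continue
        elif last_logon > cutoff:
            continue                                 # logged on within the window
        hits.append((row["BNAME"], last_logon, new_valid_to))
    return hits

if __name__ == "__main__":
    for user, last_logon, valid_to in preview(SAMPLE, date(2024, 5, 20)):
        print(f"{user:10} last logon {last_logon or 'never'} -> valid to {valid_to}")
```

Comparing this list with the User IDs the report outputs is a quick check that a variant selects what was intended, in particular that service or batch accounts are not swept in.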
Additionally, the program can be scheduled to run at regular intervals, ensuring that administrators are always aware of any locked user accounts. Automation can help in maintaining continuous oversight without manual intervention.
Steps to schedule the job in the background:
To automate the locking, unlocking, and validity ending of users without manual intervention, you can schedule this job to run in the background. This enables the program to execute automatically at specified intervals, ensuring users are locked or unlocked according to predefined criteria. It is recommended to test the program thoroughly in a non-production environment before scheduling it in a production system, to ensure proper functionality and minimize potential disruptions. Follow the steps below to schedule the job in the background:
4. Specify the frequency at which the job should run and click Save.
When you have multiple criteria to schedule in the background, specify your criteria and press Ctrl+S to save as a variant as shown below:
After saving the variants, the job can now be scheduled in the background via transaction code SM36.
Conclusion
The RSUSR_LOCK_USERS program is an indispensable tool for SAP administrators, providing critical insights and control over user account management. By effectively utilizing this program, organizations can enhance their security posture, ensure compliance with regulations, and maintain smooth operational workflows. Regular use and prompt action on the findings of the RSUSR_LOCK_USERS report will help in minimizing user access issues and reinforcing overall system security.