Solved: How to lock SAP users prior to starting SAP.

Former Member · ‎01-11-2007

Hi All,

We need a way of locking all users (except for 3 special ones) in our SAP system, before we start SAP. For example. When we perform a disaster recovery, we do not want ANY users to logon on to the system until we have checked the system out. We cannot use SU10 as users can logon between the time SAP is started and SU10 is run. I would think there is some SQL we could run on the "USR" tables to perform the tasks.

Has anyone done anything similar?

regards

Tony Lewis

Former Member · ‎01-11-2007

Hi Tony,

very interesting question!

the solution is to execute the following query at SQL prompt,

update USR02 set uflag=128 where <condition like BNAME != 'xyz'>;

the above query will lock all the users except 'xyz'.

the possible values of uflag are..

0 --> not locked

32 --> globally locked by administrator

64 --> locally locked by administrator

128 --> locked due to incorrect loggins.

but, plz do take care while handling tables thru SQL queries directly.

hope this info will help!

with BR,

Rajesh.

award suitable points

Former Member · ‎01-11-2007

Hi Tony,

very interesting question!

the solution is to execute the following query at SQL prompt,

update USR02 set uflag=128 where <condition like BNAME != 'xyz'>;

the above query will lock all the users except 'xyz'.

the possible values of uflag are..

0 --> not locked

32 --> globally locked by administrator

64 --> locally locked by administrator

128 --> locked due to incorrect loggins.

but, plz do take care while handling tables thru SQL queries directly.

hope this info will help!

with BR,

Rajesh.

award suitable points

Former Member · ‎01-11-2007

Rajesh,

Thanks for your solution, I wasn't sure how to set the uflag.

I have tested it and it works fine, however I had to take the following into account:

- I included where MANDT = 'nnn' , I didn't need to look users across all clients, just 1 client

- The SAP system must be shut down. If you want to lock users while SAP is up SU10 s/be used, due to buffering of the USR tables. I tried to test it initially with SAP up, but it didn't work. With SAP down it is fine, and that is what I want anyway.

regards

Tony Lewis

Former Member · ‎01-11-2007

An alternate solution on the ABAP system itself is an old report / transaction from the Euro currency conversions. The transaction code starts with EW.. (cant remember).

If I remember correctly, you can specify your 3 special users as "Euro conversion admins" and then lock / unlock all the rest on one go.

I am not sure whether it is still there in the latest releases.

Cheers,

Julius

Former Member · ‎01-11-2007

Hi Tony,

Tcode: EWZ5

Report: EWULKUSR

You can give the points to google!

Julius

PS: Sorry, my error. You would need to do this before stopping SAP in this case.

Message was edited by:

Julius Bussche

WolfgangJanzen · ‎01-11-2007

I strongly disencourage you from manipulating those USR tables.

A better solution for your problem could be the usage of firewalls (placed between the network where the users reside and the server network). You could then only allow client access which is originated from dedicated machines - all others would be blocked out on the network level. Once you block those ports it will take immediate effect - terminating existing connections (with data loss).

Refinement:

use a firewall (packet filter) in conjunction with a SAProuter to control SAPGUI and RFC traffic between the clients and the servers; you can modify the ACL of the SAProuter during operations (and notify the SAProuter on the changes which will then take immediate effect); in contrast to the previous approach that will only block users which request new connections, however. The SAProuter ACL also allows to impose a (SAProuter) password-controlled access. That can be helpful if you cannot define a list of IP addresses for those "3 special ones" that are to be excepted from the blocking; all you need to do is to tell those users the (case-sensitive) SAProuter password.

Regards, Wolfgang