Skip to Content
author's profile photo Former Member
Former Member

How to lock SAP users prior to starting SAP.

Hi All,

We need a way of locking all users (except for 3 special ones) in our SAP system, before we start SAP. For example. When we perform a disaster recovery, we do not want ANY users to logon on to the system until we have checked the system out. We cannot use SU10 as users can logon between the time SAP is started and SU10 is run. I would think there is some SQL we could run on the "USR" tables to perform the tasks.

Has anyone done anything similar?


Tony Lewis

Add a comment
10|10000 characters needed characters exceeded

Assigned Tags

Related questions

2 Answers

  • Best Answer
    author's profile photo Former Member
    Former Member
    Posted on Jan 11, 2007 at 03:04 AM

    Hi Tony,

    very interesting question!

    the solution is to execute the following query at SQL prompt,

    <i><b>update USR02 set uflag=128 where <condition like BNAME != 'xyz'>;</b></i>

    the above query will lock all the users except 'xyz'.

    the possible values of uflag are..

    0 --> not locked

    32 --> globally locked by administrator

    64 --> locally locked by administrator

    128 --> locked due to incorrect loggins.

    but, plz do take care while handling tables thru SQL queries directly.

    hope this info will help!

    with BR,


    <i>award suitable points</i>

    Add a comment
    10|10000 characters needed characters exceeded

  • Posted on Jan 11, 2007 at 08:18 AM

    <b>I strongly disencourage you from manipulating those USR tables.</b>

    A better solution for your problem could be the usage of firewalls (placed between the network where the users reside and the server network). You could then only allow client access which is originated from dedicated machines - all others would be blocked out on the network level. Once you block those ports it will take immediate effect - terminating existing connections (with data loss).


    use a firewall (packet filter) in conjunction with a SAProuter to control SAPGUI and RFC traffic between the clients and the servers; you can modify the ACL of the SAProuter during operations (and notify the SAProuter on the changes which will then take immediate effect); in contrast to the previous approach that will only block users which request new connections, however. The SAProuter ACL also allows to impose a (SAProuter) password-controlled access. That can be helpful if you cannot define a list of IP addresses for those "3 special ones" that are to be excepted from the blocking; all you need to do is to tell those users the (case-sensitive) SAProuter password.

    Regards, Wolfgang

    Add a comment
    10|10000 characters needed characters exceeded

Before answering

You should only submit an answer when you are proposing a solution to the poster's problem. If you want the poster to clarify the question or provide more information, please leave a comment instead, requesting additional details. When answering, please include specifics, such as step-by-step instructions, context for the solution, and links to useful resources. Also, please make sure that you answer complies with our Rules of Engagement.
You must be Logged in to submit an answer.

Up to 10 attachments (including images) can be used with a maximum of 1.0 MB each and 10.5 MB total.