10-09-2009 12:24 PM
Hi to all:
We need to know if a standard report exists to unlock users with status gc_ulock=80 (locked due to incorrect pw), generate a password and send an e-mail to the e-mail account that is set in the User Master Data of this user.
Thanks in advance!!!
10-09-2009 12:30 PM
Not that I know of. No.
Furthermore, I can't think of any solution that does not involve making a customer copy of SU01, for example, and plugging in some of your own code.
10-09-2009 12:49 PM
I suppose that you could have a batch job which runs through USR02 looking for users with lock status 128.
It then could use BAPI_USER_CHANGE to unlock and generate a password which is then fired over to the user etc, etc.
10-09-2009 1:18 PM
That would be a very self-defeating security mechanism and would make attacks against a system configured this way trivial.
There's a reason SAP did not include such a functionality.
10-09-2009 2:31 PM
Yes, these are my requirements.
I will schedule a job to do this, but I would prefer a standard program to do this.
Thanks in advance.
10-09-2009 2:37 PM
Martinsh Shaiters: Why do you say this? I cannot understand the security problems with this, only one: the hacker can modify the program and change the statement for sending the email from the User Master Data email to her email... but there are many reasons why this cannot be done:
1.- Users in the productive environment are restricted by Authorization Objects from editing programs or scheduled jobs.
2.- The system has the Audit Log activated and we can check the receiver of the mails in SCOT and other logs.
I cannot see other problems, and if you see another one, please show it to me.
Thanks in advance
10-09-2009 3:02 PM
The risk as I see it is that all someone would need is access to a workstation logged in by another user.
They could fire up SAP Gui & log in a few times, hence locking the userID. Email is sent to the workstation & typically does not require separate authentication. Someone can pick up the new password and log in using the other person's userID.
In many ways it is no different to having SSO setup so network authentication via client login gives access to SAP. In my experience the authentication procedures are usually a bit better when this is used.
Juan, USR02 & BAPI_USER_CHANGE are somewhere to start. You will also need to ID an FM for sending the email and also the table to pick out the email address, possibly ADR7 and maybe V_USERNAME.
Auto unlock is not something that I would advocate personally but each to their own.
10-09-2009 3:18 PM
A malicious person could:
1) identify a user with critical authorizations;
2) intentionally force the account to be locked due to incorrect logons;
3) gain access to or intercept the email containing the new temporary password.
As a result you would have a malicious user accessing your system.
I understand that unlocking users that are locked due to incorrect logon, setting a new password and notifying the user about it does add what appears to be an unnecessary workload to user admin's workload but so does picking up the pieces after you've had a malicious user on your system.
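The two lock status values quoted in this thread (80 in the question, 128 in the reply) agree if the 80 is read as hexadecimal, since 0x80 is 128. The following is an added example, not code from any poster and not SAP code: it decodes USR02-style lock flags from a constructed extract and sorts locked users into review queues for an administrator, without unlocking anyone. The bit meanings, the sample rows and the function names are assumptions stated in the comments.

```python
# Added example: decode USR02-style lock flags from a constructed extract.
# Assumption: UFLAG is a bit field where 0x20 = global (CUA) admin lock,
# 0x40 = local admin lock, 0x80 (decimal 128) = locked after incorrect logons.
LOCK_BITS = {
    0x20: "global administrator lock (CUA)",
    0x40: "local administrator lock",
    0x80: "incorrect logon attempts",
}

# Constructed sample rows (user name, UFLAG); not real data.
SAMPLE_USR02 = [
    ("ALICE", 0),
    ("BOB", 128),
    ("CAROL", 64),
    ("DAVE", 192),   # 64 + 128: admin lock and failed-logon lock together
    ("ERIN", 160),   # 32 + 128
]

def lock_reasons(uflag):
    """Return the list of lock reasons encoded in a UFLAG value."""
    return [name for bit, name in sorted(LOCK_BITS.items()) if uflag & bit]

def triage(rows):
    """Split locked users into review queues; nothing is unlocked here."""
    queues = {"password_only": [], "admin_locked": [], "unknown_bits": []}
    known = sum(LOCK_BITS)  # 0xE0, every bit this example understands
    for user, uflag in rows:
        if uflag == 0:
            continue                      # not locked, nothing to review
        if uflag & ~known:
            queues["unknown_bits"].append(user)
        elif uflag == 0x80:
            queues["password_only"].append(user)
        else:
            # An administrator lock is present, alone or combined with 0x80.
            queues["admin_locked"].append(user)
    return queues

if __name__ == "__main__":
    for user, uflag in SAMPLE_USR02:
        print(f"{user:6} {uflag:3} {lock_reasons(uflag) or ['not locked']}")
    print(triage(SAMPLE_USR02))
```

Users such as DAVE and ERIN show why a job that selects only on the value 128 is incomplete: a failed-logon lock can coexist with an administrator lock that must stay in place.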