Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Showing results for 
Search instead for 
Did you mean: 

Report Unlock Locked users and sending e-mail

Former Member
0 Kudos

Hi to all:

We need to know if exist standard report to unlock users with status gc_ulock=80 (locked due to incorrect pw) and generate password and sending e-mail to email account that is set in User Master Data of this user.

Thanks in advance!!!

1 ACCEPTED SOLUTION

Private_Member_119218
Active Participant
0 Kudos

Not that I know of. No.

Furthermore, I can't think of any solution that does not involve making a customer copy of SU01, for example, and plugging in some of your own code.

9 REPLIES 9

Former Member
0 Kudos

There is no standard report to do this.

Private_Member_119218
Active Participant
0 Kudos

Not that I know of. No.

Furthermore, I can't think of any solution that does not involve making a customer copy of SU01, for example, and plugging in some of your own code.

0 Kudos

I suppose that you could have a batch job which runs through USR02 looking for users with lock status 128.

It then could use BAPI_USER_CHANGE to unlock and generate a password which is then fired over to the user etc, etc.

0 Kudos

That would be a very self-defeating security mechanism and would make attacks against a system configured this way trivial.

There's a reason SAP did not include such a functionality.

0 Kudos

Yes these are my requirements.

I will scheduled a job to do this, but i prefer standard program to do this.

Thanks and advance.

0 Kudos

Martinsh Shaiters: Why do you say this? I can not understand the security problems for this, only one, the hacker can modify the program and change the statement for sending email to User Master Data email to her email... but many reasons to can not do it:

1.- The limitation of the users in productive environment to can edit programs or scheduled jobs with Authorization Objects.

2.- The system have Audit Log activated and we can check in SCOT and other logs the receiver of the mails.

I can not see other problems and if you see other one, please let me see it.

Thanks in advance

0 Kudos

The risk as I see it is that all someone would need is access to a workstation logged in by another user.

They could fire up SAP Gui & log in a few hence locking the userID. Email is sent to the workstation & typically does not require separate authentication. Someoen can pick up the new password and log in using the other persons userID.

In many ways it is no different to having SSO setup so network authentication via client login gives access to SAP. In my experience the authentication procedures are usually a bit better when this is used.

Juan, USR02 & BAPI_USER_CHANGE are somewhere to start. You will also need to ID an FM for sending the email and also the table to pick out the email address, possibly ADR7 and maybe V_USERNAME.

Auto unlock is not something that I would advocate personally but each to their own.

0 Kudos

A malicious person could:

1) identify a user with critical authorizations;

2) intentionally force the account to be locked due to incorrect logons;

3) gain access to or intercept the email containing the new temporary password.

As a result you would have a malicious user accessing your system.

I understand that unlocking users that are locked due to incorrect logon, setting a new password and notifying the user about it does add what appears to be an unnecessary workload to user admin's workload but so does picking up the pieces after you've had a malicious user on your system.

Former Member
0 Kudos

BAPI_USER_CHANGE and USR02. There is not standard program for do it.