Skip to Content
avatar image
Former Member

lock/unlock Abap users

Hi guys,

is it correct that we have to create a separate task for each repositor(/SAP SID_CLIENT) ? Or is there another method, for example to get a choice of all existing repositories(we currently have ~250 clients on 60 SAP Systems plus a couple of Java instances). That means to have just one task which offers all (Abap-)repositories for selection.

Regards

Juergen

Add comment
10|10000 characters needed characters exceeded

  • Get RSS Feed

3 Answers

  • avatar image
    Former Member
    Jun 17, 2010 at 08:08 AM

    Hi

    You could create an ACOUNT<repName>LOCKED-Attribute for each repository (similar to MX_LOCKED). In your InitialLoad/Update Jobs you fill that attribute with the current value. And you have to update the Modify-Tasks as well, of course.

    There may be a more flexible approach I would also like to know about.

    Maybe this helps

    BR

    Michael

    Add comment
    10|10000 characters needed characters exceeded

  • avatar image
    Former Member
    Jun 17, 2010 at 08:23 AM

    You can use the one UpdateABAPUser Task

    Like Michael said you create an attribute called LOCKEDXXXYYY.

    You then make a script that checks if a user is locked globaly (MX_LOCKED) or in the specfic repository.

    Add comment
    10|10000 characters needed characters exceeded

  • avatar image
    Former Member
    Jun 17, 2010 at 08:46 AM

    Hi Michael,

    I want to use std. task "LockUnlockABAPUser"(from the SAP Prov. Framework). In that task just one single rep can be assigned what means that I have to create a separate task for each sap system/client . Correct?

    Isn't it possible to have one task for all reps? That means, an IDM admin starts this single task via WebUI and gets a selection of all SID/Clients. Then the admin just has to mark the involved sid/client(s) for the abap user to lock/unlock that ID.

    Add comment
    10|10000 characters needed characters exceeded

    • Former Member

      As far as I found out the LockABAP-Task is not used (anymore?) in the SPF (although available).

      If you change any user-related attribute (e.g. ACCOUNTrepNameLOCKED) the ModifyUser-Event task is called anyway, so why don't use the provided functionality?!

      Your request is solved if you do it the way we suggested. You "only" have to create 260 attributes (or use automatic creation and change the Jobs) and adjust the Modify<systemtype>UserTask. The ModifyUser-Event task then finds the correct repository for you.

      Christian once told me this solution in another thread here on SDN and it works for me (kudos to him)