Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Showing results for 
Search instead for 
Did you mean: 

Restrict to only creating z users

Former Member
0 Kudos

Is there a way to restict only creating say ... "Z" (test) users? I know you can restrict user groups by using s_user_grp but have not found a way to restrict only creating certain users.

1 ACCEPTED SOLUTION

Former Member
0 Kudos

Hi Margie,

What are you trying to do? Are you trying to do this on the UME or ABAP?

you want to have users name starting with every other letter except Z?

14 REPLIES 14

Former Member
0 Kudos

Hi,

There is no restriction on users creation.

Thanks,

sri

0 Kudos

Sri, so this is not possible i.e. restricting admin from creating only i.e. z users.

0 Kudos

Margie,

Based on your information provided.

(1) ABAP

(2) Yes, we are trying to restrict certain user admins from only creating z users (test users). So they will only be able to create users like zsally, ztom, zfred, etc.

Once again, There is no Authorization object that allows Admins to specify a particular user name on SU01.

Workaround

Try through user exit / BAPI (BAPI_USER_CREATE)

Userexit avaliable for Su01, SUSR0001 - User exit after logon to SAP System.

Function module exit - EXIT_SAPLSUSF_001

to find the user exits & Badi's for the T-code..

go to table TSTC>enter T-code and execute> get the Program for the t-code..

and go to-se38-->get the package attached to the t-code..

next go to t-code Se15>expand the enhacement tab>enter package under userexit and

execute you will get the list of exits

available...

-->enter package under Badi's tab and

execute you will get the list of Badi's

available...

All the User exits are stored in Table MODSAP..

or

you can find all the Badi's and User Exits by following this steps also...

suppose for Transaction VA01.

go to se93 provide VA01 and click display,there you will get the package VA.

Now go to SE84 > ENhancements >Bisuness Add-ins >Definitons >Package as VA >F8 then you will get set of BADI's related to that Transaction.

NOTE: I am not sure how much you can accomplish with user exit & BAPI menthod. These are only workarounds

Thanks,

Sri

0 Kudos

Hi,

the user exit SUSR0001 is completely useless in this scenario. This user exit is called after log on of dialog user into system. How could this user exit prevent user from creating a new user with "invalid" user name?

I guess that providing link to [wiki page|http://wiki.sdn.sap.com/wiki/display/ABAP/FindingaBADIusingRepositoryInformationSystem-SE84+(Screenshots)] is a better option than copy & paste into reply.

Cheers

0 Kudos

Martin,

What I mentioned is :

Workaround

Try through user exit / BAPI (BAPI_USER_CREATE)

Userexit avaliable for Su01, SUSR0001 - __User exit after logon to SAP System__.

did i mentioned anywhere, SUSR0001 will restrict user on naming convention?

Function module exit - EXIT_SAPLSUSF_001

Finally we need be aware,How many user exit are there for Su01?

1.refer to the nOTE : NOTE: I am not sure how much you can accomplish with user exit & BAPI menthod. These are only workarounds

2. Why did I mentioned the methods of finding available user exit / BAPI ?

lets imagine, If SUSR0001 has solved the issue. then there is no need for me to mention the method for finding user exits. right

I guess that providing link to wiki page is a better option than copy & paste into reply.

Solution is more important. whether you post the link or paste it. Anyway thanks for the link.

from next time onwards we will search in wiki,before doing google search.

Finally there is nothing wrong i mentioned. read properly

Cheers,

Sri

0 Kudos

Once again, you guys are awesome. Thanks for the replys. Very Helpful!!!

0 Kudos

> Userexit avaliable for Su01, SUSR0001 - __User exit after logon to SAP System__.

Wrong.

> did i mentioned anywhere, SUSR0001 will restrict user on naming convention?

Well... that is what the question is, and this exit has nothing to do with SU01. It is triggered after the successfull login and before a SAPGui session is attached.

Note that irrelevant "linkfarming" will be removed by moderators. Repeated copy&pasting without referencing the source is plagarism and can result in the deletion of the user ID (guestification exit...).

Back to the topic:

The SU01 exits are described in [SAP Note 367660|https://service.sap.com/sap/support/notes/367660] (which is currently not released anymore at this moment as the exits are only available up to release 7.00) and are replaced by BADI's (as requested by Martin, but details are not known to me, yet).

Cheers,

Julius

mvoros
Active Contributor
0 Kudos

Hi,

how do you know which user is "Z" and which one is not. If you just use name of the user then there is no authorization object which yoiu can user. But if "Z" user should have only restricted roles then you can use object S_USER_AGR to allow administrator to assign just sub set of security roles.

Cheers

Former Member
0 Kudos

Hi Margie,

What are you trying to do? Are you trying to do this on the UME or ABAP?

you want to have users name starting with every other letter except Z?

0 Kudos

Greetings,

(1) ABAP

(2) Yes, we are trying to restrict certain user admins from only creating z users (test users). So they will only be able to create users like zsally, ztom, zfred, etc.

0 Kudos

Hi,

As a workaround you can create a custom report which will create a user using SAP API (search for identity management API) and it will perform additional checks.

Another thing could be to look for suitable enhancement point where you could implement additional checks.

It would be nice if SAP could provide some BADIs for user creation.

Cheers

Former Member
0 Kudos

This message was moderated.

Former Member
0 Kudos

Hi ,

There is no sap delivered solution for your requirement so you have to do your own customization.

If you want to restrict the way you want, create new authorization object which has fields like Usergroup, username, activity and deactivate sap standard one and use this new authorization object.

Regards,

Rakesh

Former Member
0 Kudos

>

> Is there a way to restict only creating say ... "Z" (test) users? I know you can restrict user groups by using s_user_grp but have not found a way to restrict only creating certain users.

If your question is just about creating test ids, create using ECATT script for SU01. Search SDN for ECATT SU01 article if you do not know how to use it and you will find it. That way you could avoid any custom development.

My assumption is that it is not production system based on the fact that you mentioned test users. Normally production setting does not allow ECATT