on ‎2022 Oct 17 1:41 PM
Hi,
I need to create a new role, where selected employees can help colleagues in situations where they have been locked due to too many failed attempts.
This means they must have access to un-lock the user and to reset the password. The un-lock must only be valid for UFLAG=128.
Is this possible?
Hello,
This could become difficult, because at the authorization level the needed differentiation by the value of the lock flag is not possible. Even between locking and unlocking no difference is made. The only possibility I can think of is creating a small ABAP program and offering this program in a transaction, to be used by the selected users instead of SU01 / SU10 (which of course consequently should not be available to the selected users). In addition to the authorization for the transaction, an authorization for S_USER_GRP / ACTIVITY=5 / CLASS=<user group of the users to be unlocked> is necessary.
Small (very simple) ABAP program, to be offered in a report transaction:
```abap
REPORT z_unlock_user_uflag128 line-size 132.

* F4 values for selecting the user(s).
data: f4User like usr02-bname.
select-options: sUsers for f4User obligatory.

data: unlockResult type standard table of BAPIRET2.

* Selected users locked due to too many failed logon attempts (UFLAG = 128).
select bname from usr02 into table @data(users2Unlock)
  where bname in @sUsers
    and uflag = 128.

* Selected users with any other UFLAG value; these are only reported.
select bname, uflag from usr02 into table @data(usersOutOfScope)
  where bname in @sUsers
    and uflag <> 128.

if ( lines( users2Unlock ) > 0 ).
  loop at users2Unlock reference into data(user).
*   Start with an empty message table for each user.
    clear unlockResult.
*   Pass the BNAME component, not the whole result line.
    call function 'BAPI_USER_UNLOCK'
      EXPORTING USERNAME = user->bname
      TABLES    RETURN   = unlockResult.
    write:/ 'Result of attempt to unlock user', user->bname, ':'.
    loop at unlockResult reference into data(rLine).
      write:/ rLine->type, rLine->id, rLine->number, rLine->message.
    endloop.
  endloop.
  commit work.
else.
  write:/ 'No users found to be unlocked.'.
endif.

if ( lines( usersOutOfScope ) > 0 ).
  write:/ 'These users do not have a lock due to too many invalid login attempts and were not touched:'.
  loop at usersOutOfScope reference into data(userOutOfScope).
    write:/ userOutOfScope->bname, userOutOfScope->uflag.
  endloop.
endif.
```

You could also think about a self-service for unlocking one's own user. There are lots of companies offering this as a product.
Kind regards
Jan
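A single-user variant of the report above that re-reads the lock flag and checks S_USER_GRP against the target user's group (USR02-CLASS) explicitly before calling the BAPI. This is an added example, not part of Jan's answer; the report name is hypothetical, and it assumes a release that supports the inline declarations used in the program above.

```abap
REPORT z_unlock_uflag128_checked LINE-SIZE 132.
* Added example, not from the original answer; the report name is hypothetical.

PARAMETERS p_user TYPE usr02-bname OBLIGATORY.

DATA lt_return TYPE STANDARD TABLE OF bapiret2.

START-OF-SELECTION.

* Read lock flag and user group directly before acting on the user.
  SELECT SINGLE bname, uflag, class FROM usr02
    INTO @DATA(ls_user)
    WHERE bname = @p_user.
  IF sy-subrc <> 0.
    WRITE: / 'User not found:', p_user.
    RETURN.
  ENDIF.

* Only the failed-logon lock (UFLAG = 128) is in scope for this transaction.
* Any other value is left to regular user administration.
  IF ls_user-uflag <> 128.
    WRITE: / 'User not touched, UFLAG is', ls_user-uflag.
    RETURN.
  ENDIF.

* Explicit check that the caller may lock/unlock (activity 05) users of
* this user group, so the restriction is visible in the report itself.
  AUTHORITY-CHECK OBJECT 'S_USER_GRP'
    ID 'CLASS' FIELD ls_user-class
    ID 'ACTVT' FIELD '05'.
  IF sy-subrc <> 0.
    WRITE: / 'No authorization to unlock users of group', ls_user-class.
    RETURN.
  ENDIF.

  CALL FUNCTION 'BAPI_USER_UNLOCK'
    EXPORTING
      username = ls_user-bname
    TABLES
      return   = lt_return.

* Show the BAPI messages so that failures are not silent.
  LOOP AT lt_return INTO DATA(ls_msg).
    WRITE: / ls_msg-type, ls_msg-id, ls_msg-number, ls_msg-message.
  ENDLOOP.
  COMMIT WORK.
```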