Password reset based on UFLAG

dortheb
Explorer
0 Likes
1,164

Hi,

I need to create a new role, where selected employees can help colleagues in situations where they have been locked due to too many failed attempts.

This means they must have access to unlock the user and to reset the password. The unlock must only be valid for UFLAG=128.

Is this possible?

Accepted Solutions (1)

jmodaal
Active Contributor

Hello,

this could become difficult, because at the authorization level the needed differentiation of the value of the lock flag is not possible. Even between locking and unlocking no difference is made. The only possibility I can think of is creating a small ABAP program and offering this program in a transaction, to be used by the selected users instead of SU01 / SU10 (which of course consequently should not be available to the selected users). In addition to the authorization for the transaction, an authorization for S_USER_GRP / ACTIVITY=5 / CLASS=<user group of the users to be unlocked> is necessary.

Small (very simple) ABAP program, to be offered in a report transaction:

REPORT z_unlock_user_uflag128 line-size 132.

* F4 values for selecting the user(s).
data: f4User like usr02-bname.
select-options: sUsers for f4User obligatory.

data: unlockResult type standard table of BAPIRET2.

* Users locked only because of too many failed logon attempts (UFLAG = 128).
select bname from usr02 into table @data(users2Unlock)
  where bname in @sUsers
    and uflag = 128.

* Selected users with any other UFLAG value: reported below, never changed.
select bname, uflag from usr02 into table @data(usersOutOfScope)
  where bname in @sUsers
    and uflag <> 128.

if ( lines( users2Unlock ) > 0 ).
  loop at users2Unlock reference into data(user).
*   Start every call with an empty return table.
    clear unlockResult.
    call function 'BAPI_USER_UNLOCK'
      EXPORTING USERNAME = user->*
      TABLES    RETURN   = unlockResult.
    write:/ 'Result of attempt to unlock user', user->*, ':'.
*   Print the BAPI messages so that every unlock attempt is visible.
    loop at unlockResult reference into data(rLine).
      write:/ rLine->type, rLine->id, rLine->number, rLine->message.
    endloop.
  endloop.
  commit work.
else.
  write:/ 'No users found to be unlocked.'.
endif.

if ( lines( usersOutOfScope ) > 0 ).
  write:/ 'These users do not have a lock due to too many invalid login attempts and were not touched:'.
  loop at usersOutOfScope reference into data(userOutOfScope).
    write:/ userOutOfScope->bname, userOutOfScope->uflag.
  endloop.
endif.

You could also think about a self-service for unlocking one's own user. There are lots of companies offering this as a product.

Kind regards

Jan
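
The `uflag = 128` filter from the program above, spelled out as an added ABAP example that is not part of the original answer: UFLAG is a sum of lock values, so the comparison has to be an exact match rather than a test for the failed-logon bit. The value 128 is the one named in the thread; 32 and 64 are SAP's standard USR02 values for the global (CUA) and local administrator locks, which the thread does not list. The report, class and method names are hypothetical, and the sample values are constructed.

```abap
REPORT z_uflag_decode_demo.
* Added example. USR02-UFLAG is the sum of these lock values:
CONSTANTS: c_global_admin TYPE i VALUE 32,   " locked globally by admin (CUA)
           c_local_admin  TYPE i VALUE 64,   " locked locally by admin
           c_failed_logon TYPE i VALUE 128.  " too many failed logon attempts

CLASS lcl_uflag DEFINITION.
  PUBLIC SECTION.
    CLASS-METHODS:
      has_lock IMPORTING uflag TYPE i lock_bit TYPE i
               RETURNING VALUE(result) TYPE abap_bool,
      describe IMPORTING uflag TYPE i
               RETURNING VALUE(result) TYPE string,
      helpdesk_may_unlock IMPORTING uflag TYPE i
                          RETURNING VALUE(result) TYPE abap_bool.
ENDCLASS.

CLASS lcl_uflag IMPLEMENTATION.
  METHOD has_lock.
    " UFLAG is a numeric field, so the bit is tested arithmetically.
    result = xsdbool( ( uflag DIV lock_bit ) MOD 2 = 1 ).
  ENDMETHOD.
  METHOD describe.
    result = COND #( WHEN uflag = 0 THEN `not locked` ).
    IF has_lock( uflag = uflag lock_bit = c_failed_logon ) = abap_true.
      result = result && ` [failed logons]`.
    ENDIF.
    IF has_lock( uflag = uflag lock_bit = c_local_admin ) = abap_true.
      result = result && ` [local admin lock]`.
    ENDIF.
    IF has_lock( uflag = uflag lock_bit = c_global_admin ) = abap_true.
      result = result && ` [global admin lock]`.
    ENDIF.
  ENDMETHOD.
  METHOD helpdesk_may_unlock.
    " Exact match on purpose: 192 (= 64 + 128) has the failed-logon bit set
    " as well, but it also carries an administrator lock and stays locked.
    result = xsdbool( uflag = c_failed_logon ).
  ENDMETHOD.
ENDCLASS.

START-OF-SELECTION.
  " Constructed sample values, not read from a real system.
  DATA(samples) = VALUE int4_table( ( 0 ) ( 32 ) ( 64 ) ( 128 ) ( 160 ) ( 192 ) ( 224 ) ).
  LOOP AT samples INTO DATA(sample).
    DATA(line) = |UFLAG { sample }:{ lcl_uflag=>describe( sample ) }, | &&
                 |helpdesk may unlock: '{ lcl_uflag=>helpdesk_may_unlock( sample ) }'|.
    WRITE / line.
  ENDLOOP.
```

Of the seven sample values only 128 is marked with 'X'; 160, 192 and 224 contain the failed-logon lock but are rejected because an administrator lock is set as well.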

Answers (2)

dortheb
Explorer
0 Likes

Thanks a lot @jan modal, I would give this a go

//dorthe

dortheb
Explorer
0 Likes

Thanks for the input. Unfortunately the trace doesn't mention anything about UFLAG. Only activity 5 = Lock

I want to achieve a solution where the dedicated user can remove the lock due to too many failed attempts but not the lock set by Admin.

Apparently this can be achieved if the Admin lock is set as Global lock in CUA, but that does not suit my need. Global lock in CUA will lock the user in all systems. As an example, I use to have my external consultants locked in Production but not in Test and Development.

Any idea on how to achieve the functionality is highly appreciated.