cancel
Showing results for 
Search instead for 
Did you mean: 

Can Password Self Service unlock User?

Former Member
0 Kudos
1,667

Hi All

As I know, the PSS can only reset the user's password whose status is not locked.

My question is that, if the account has been locked because of too many error password inputted, can we use PSS to unlock the locked account and reset the password? While the account which has been locked by administrator should be limited to use PSS

Hope someone can help me, thank you in advance

BR, James

Accepted Solutions (1)

Accepted Solutions (1)

madhusap
Active Contributor
0 Kudos

Hi James,

Using PSS, password can be reset in the below scenarios

1. Initial password set by admin and the user hasn't logged in yet. Now user can reset password using PSS

2. For the users where password is deactivated, PSS will not work.

3. PSS will not work if the user is locked by Administrator.

4. User ID locked due to incorrect logon can be reset using PSS where UserID will be unlocked and password will be reset.

5. Number of times a User can reset password in a day depends on the RZ11 parameter login/password_change_waittime

6. PSS can be used to reset the password when it is expired or when the initial password is expired.

7. If the PSS user gives wrong answer, system will show a message that "UserID is Locked" and then user cannot reset his password.

In this scenario, admin can unlock the user to use PSS from the below path

Access Management -> Access Request Administration -> Manage Password Self Service (PSS)

Regards,

Madhu.

Former Member
0 Kudos


Hi Madhu

It's really helpfull, thank you very much

Best regards

James

former_member704195
Participant
0 Kudos

Hi James,

Please see below incidents.

1.Administrator plays an important role, if admin locks it then PSS will not work.

2. If user is locked via entering wrong passwords then using PSS it can be unlocked and password can be reset.

3. When passoword is expired using PSS new password can be set. Password Self Service (PSS)

Let me know if you need further info.

Regards,

Nidhi Mahajan.

Former Member
0 Kudos

Hi Madhu

I'm trying to test the scenario "4. User ID locked due to incorrect logon can be reset using PSS where UserID will be unlocked and password will be reset." It seems that PSS cannot be used for the locked User ID because of incorrect logon

Please refer to the snapshot, not sure if there's any configuration to enable this funciton

Best regards

James

former_member704195
Participant
0 Kudos

Yes James, In that case Administrators comes into picture

Only he can unlock the user using Su01.

Regards,

Nidhi Mahajan

Former Member
0 Kudos


Hi Nidhi

Thanks for your reply

I'm trying to unlock user because of wrong password but failed, I checked the background database table, the status of locked user is 192 (Should be 128, right?). Maybe this is the root cause why PSS cannot be used for locked user

Best regards

James

Former Member
0 Kudos

Hi Nidhi,

If you have activated the Access Request workflow in GRC, I would recommend creating a workflow path to deal with Locking and Unlocking user ID's, rather than having someone manually go into the individual target systems and perform a Admin Lock/Unlock in SU01 (or even SU10).

Former Member
0 Kudos


Hi Nidhi, Hi Madh

If the status of locked user is 128, PSS can be used to reset password and unlock user.  While the PSS cannot be used for the user status 192

Best regards

James

former_member704195
Participant
0 Kudos

Hi James,

Yes in that case it has to done directly from Su01. if 128 then it would have been done from PSS.

Enjoy the day.

Colleen
Product and Topic Expert
Product and Topic Expert
0 Kudos

Hi James

you beat me to the question!

128 lock is purely incorrect password lock. Any other lock would be due to deliberate lock by system admin

I would be concerned if PSS did not resolve 128 lock - otherwise why both having PSS if user has to perform two request and you have to implement ARQ as well as PSS

Thanks for jumping in with the clarification!

Regards

Colleen

Former Member
0 Kudos

Hi Colleen

In my testing, status 192 is also because of the incorrect password lock, but it seems that PSS can only support 128 except 192.  I'm wondering how did the status 192 generated since 192 is not the standard user status

Regards

James

Colleen
Product and Topic Expert
Product and Topic Expert
0 Kudos

Hi James

This is a security question...

192 = 128 (Incorrect Logon) + 64 (Local System Admin Lock)

It meant the user had incorrect attempts (whatever your password parameter allowed) and so became locked - hence the value 128. However, the System Administrator then came along and added performed a lock (hence the 64). SAP adds locks together so you can see the sequence but only 128 is considered incorrect.

Your use change documents should reflect this sequence

From PSS point of view, 128 is due to password fault whilst all other lock values are deliberate and therefore should go down the ARQ process to be reviewed and approved.

Regards

Colleen

Former Member
0 Kudos

Hi Colleen

I checked the changed log, it's really same with what you told me.  Thank you very much

Best regards

James

Amparo_Gómez
Explorer
0 Kudos

Excelente helpfull,

I solved my problem too

Answers (1)

Answers (1)

former_member809675
Discoverer
0 Kudos

Dear,

For scenario 7 you listed as above, admin can only search its own account ID, but cannot search other accounts in Manage PSS, Is there any configuration that needs to be set?