Application Development Blog Posts
Learn and share on deeper, cross technology development topics such as integration and connectivity, automation, cloud extensibility, developing at scale, and security.
cancel
Showing results for 
Search instead for 
Did you mean: 
former_member204634
Participant

User Parameter update in SU01 is not possible via usual automation scripting tools that we have - SECATT and LSMW, as far as my experience with testing those solutions for user parameter update goes it came to the point that there was no field that BDC code will recognize for user parameter such as we have straightforward fields for other SU01 tabs as roles, address or logon data tab. Hence the solution involving SECATT or LSMW would not work as the user parameters because we need to input parameter id and value as a variables but they dont not have a corresponding place holder field that we can utilize for this activity. For this reason its a big issue for security administrators if they ever need to mass update user parameter for large group of users in the system. For example there can be a scenario where you are setting up users for regression testing and copying their production access to regression testing box - you set their roles/user address/user group etc. information properly but now also need to set their user parameters and defaults tab value as it is in production. Defaults tab can be worked out via LSMW or SECATT but the real issue will be user parameters. I see some threads on SCN suggesting that we record SU10 in BDC mode of LSMW/SECATT and try to input one parameter variable and value at a time. As mentioned earlier this did not work for me but it may work for the SECATT/LSMW experts out there.

I used an alternate approach of using BAPI to achieve the same purpose - now this is not at all new thing or likewise but from a typical security admin point of view - its hard to know ABAP (though you should) and hard to catch hold of an ABAPer who has the time to focus on security :smile: [though its wonderful if security and ABAP combination can be at work - either the ABAPer taking interest in security, or security admin taking interest in ABAP or ABAPer and Security person taking interest in a common problem - good enough amount of Permutations and Combinations !!]

Below is a sample code for updating user parameters, This is just one of the way to achieve this task and code is from a beginner's level, scrappy, not at all polished or neat and though you will find lot of code discussion on user parameter that go on in ABAP forums on this topic - I dont know if there is a forum that discusses the user parameter changes from end to end perspective in security space so that security consultant can believe they have something they can implement, in short this works (at least for me in my sandbox system and should work for you as well till SAP changes ABAP syntax/some other premise/assumptions)

I have used following functional modules:

(a) 'TEXT_CONVERT_XLS_TO_SAP -> this converts the input excel file containing 3 columns - User id, Parameter id and Parameter Value into SAP data of a table with 3 columns

(b) BAPI - BAPI_USER_CHANGE' - this BAPI takes care of all user change functions and you can read the code and check se37 and se11 on this BAPI and the tables and structures it supports. This is it for solving a lot of issues related to security automation and thought i havent used it a lot - a logical extension of this would be to use it for a such a wide variety of features like default tabs, passwords etc. though these functions can be managed via LSMW/SECATT.

Premise obviously is that as we are using User change BAPI - user does exist in system and only thing we need to focus upon is user parameter updation.

My suggestion would be to break the program into small pieces of code and write and practice it for yourself and debug it to understand how it works.

Wish you a Happy updating of user parameters :smile:

*&---------------------------------------------------------------------*

*& Report  ZUSR05_YAT3

*&

*&---------------------------------------------------------------------*

*&

*&

*&---------------------------------------------------------------------*

REPORT  ZUSR05_YAT3.

TABLES: usr05.

type-pools TRUXS.

types: BEGIN OF ty_usr,

         bname TYPE usr05-bname,

         parid TYPE usr05-parid,

         parva   TYPE usr05-parva,

       END OF ty_usr.

DATA: it_usr TYPE STANDARD TABLE OF ty_usr,

      wa_usr TYPE ty_usr,

      wa_usr02 TYPE BAPIBNAME,

      wa_usr05 TYPE BAPIPARAM,

      wa_usr05x TYPE BAPIPARAMX,

      it_usr05 TYPE STANDARD TABLE OF BAPIPARAM1,

      it_usr05x TYPE STANDARD TABLE OF BAPIPARAM1,

      it_bapirtn LIKE bapiret2 occurs 0 with  HEADER LINE,

      wa_bapirtn TYPE bapiret2,

      E_ERROR TYPE STRING.

DATA :  it_raw TYPE truxs_t_text_data,

        lv_tabix TYPE i.

CONSTANTS: c_x TYPE c VALUE 'X'.

PARAMETER:  p_usr05   TYPE rlgrap-filename.

AT SELECTION-SCREEN ON VALUE-REQUEST FOR p_usr05.

  CALL FUNCTION 'F4_FILENAME'

    EXPORTING

*     PROGRAM_NAME  = 'Z'

*     DYNPRO_NUMBER = '1000'

      field_name    = 'P_HD'

    IMPORTING

      file_name     = p_usr05.

START-OF-SELECTION.

  PERFORM upload.

  PERFORM bapi_sub.

FORM upload .

  CALL FUNCTION 'TEXT_CONVERT_XLS_TO_SAP'

    EXPORTING

*     I_FIELD_SEPERATOR    =

*     I_LINE_HEADER        =

      i_tab_raw_data       = it_raw

      i_filename           = p_usr05

    TABLES

      i_tab_converted_data = it_usr

    EXCEPTIONS

      conversion_failed    = 1

      OTHERS               = 2.

  IF sy-subrc <> 0.

* Implement suitable error handling here

    WRITE / 'SOMETHING WRONG HERE'.

  ENDIF.

ENDFORM.    "Upload

FORM bapi_sub .

  SORT it_usr BY BNAME.

  LOOP AT it_usr INTO wa_usr.

    wa_usr05-PARID  = wa_usr-PARID  .

    wa_usr05-PARVA  = wa_USR-PARVA .

    WA_USR02-BAPIBNAME =  wa_usr-BNAME .

    wa_usr05X-PARID  = c_x .

    wa_usr05x-PARVA  =  c_x  .

    APPEND wa_usr05 TO it_usr05.

    APPEND wa_usr05x to it_usr05x.

    CALL FUNCTION 'BAPI_USER_CHANGE'

      EXPORTING

     USERNAME = wa_usr02-BAPIBNAME

*LOGONDATA = WA_USR05X

*LOGONDATAX =

*DEFAULTS   =

*DEFAULTSX   =

*ADDRESS  =

*ADDRESSX  =

   PARAMETERX = WA_USR05X

*COMPANY  =

*COMPANYX  =

*SNC  =

*SNCX  =

*BACK_DISTRIBUTION =

*PASSWORD =

*PASSWORDX =

*ADDCOMX =

*REF_USER =

*REF_USERX =

*ALIAS =

*ALIASX =

*GROUPSX =

*UCLASS =

*UCLASSX =

*EXTIDSX =

TABLES

*PARAMETER = it_usr05

RETURN =    it_bapirtn

*ADDTEL =

*ADDFAX =

*ADDTTX =

*ADDTLX =

*ADDSMTP =

*ADDRML =

*ADDX400 =

*ADDRFC =

*ADDPRT =

*ADDSSF =

*ADDURI =

*ADDPAG =

*ADDCOMREM =

*GROUPS =

PARAMETER1 = it_usr05.

*UCLASSSYS =

*EXTIDHEAD =

*EXTIDPART =

    READ TABLE it_BAPIrtn WITH KEY TYPE = 'E'.

IF SY-SUBRC EQ '0'.

  CONCATENATE it_BAPIrtn-MESSAGE  it_BAPIrtn-ID it_BAPIrtn-NUMBER INTO E_ERROR SEPARATED BY SPACE.

ELSE.

CALL FUNCTION 'BAPI_TRANSACTION_COMMIT'

* EXPORTING

*   WAIT          =

* IMPORTING

*   RETURN        =

      .

ENDIF.

CLEAR: wa_usr05,wa_usr05X, wa_usr.

ENDLOOP.

ENDFORM.                  "BAPI_SUB

Thanks for your time reading through this :smile: - hope it helps :smile:

3 Comments
Labels in this area