Is there a way in SAP to unlock a locked user for a limited time, then automatically after x time set the user back to lock status?
You can fill in "valid from" and "valid until", but you cannot say from Monday to Friday from 8 - 12:00 for part time workers.
Can we schedule to lock all users?
If users get locked, from SU01 you can unlock them.
Use SU10 to mass lock/unlock the users.
Use address data or authorisation data to get a list of users - select the ones you want and
click transfer.
Once this is done click on lock or unlock.
You can also use transaction code EWZ5 to mass lock/unlock the users
or
Execute program EWULKUSR in SE38
or
Set a profile parameter (login/failed_user_auto_unlock) to unlock at midnight the locked users.
or
Here's an ABAP code, short and simple, isn't it?
REPORT zreusrlock.
DATA: time_limit TYPE sy-datum.
DATA: days TYPE i VALUE 40.
time_limit = sy-datum - days.
UPDATE usr02 SET uflag = 64 WHERE trdat < time_limit.
If you don't want to specify the time in the program, you can use SE38 to schedule it as a daily background job with the date and time.
or
Probably the easiest way would be to write a sqlplus SQL script that sets all the UFLAG fields in table USR02 to 64 EXCEPT for the BNAMEs you don't want locked. When you are done, you can do the same again but change the UFLAG field to 0.
The SQL statement would look like:
update SAPR3.USR02 set UFLAG = 64 where MANDT = <client
number> and BNAME != <don't lock user 1>
AND BNAME != <don't lock user 2>;
You can replace != with <> if you want. To run this from an OS command line, you would type:
Unix/Oracle 8---> sqlplus internal @<SQLpath+SQLname>
NT/Oracle 8.0---> plus80 internal @<SQLpath+SQLname>
NT/Oracle 8.1---> sqlplus internal @s<SQLpath+SQLname>
Unix/Oracle 9:--> sqlplus /nolog @<SQLpath+SQLname>
NT/Oracle 9-----> sqlplus /nolog @<SQLpath+SQLname>
In UNIX you can cron the script to schedule it. In NT you can schedule it as a task.
or
This is another method to UNLOCK ALL users.
Start Oracle Server manager (I assume you are on Oracle)
connect internal
update sapr3.usr02 set uflag='0' where mandt='399';
When users are locked, the uflag is set to 64.
Finish, just query to check.
select bname, uflag from sapr3.usr02 where mandt='399';
Please note that unlocking users from low level (like Oracle sqlplus) should be used as last resort. Frequent use of low level access may tempt you to use on other things. Highly dangerous and your IS auditors will not be too happy.
Is there a way to set a list of users that cannot be locked, even if we try to lock them manually, and even if they fail connection ( wrong password )?
Increase this parameter in SAP Instance profile:
login/fails_to_user_lock = 6 (max is 99 wrong attempts, i.e, value 99). Currently you have a value of 3.
login/failed_user_auto_unlock (for your midnight unlocking).
Ask users to remember passwords!! If someone is deliberately login-in with different username/password (thereby blocking legitimate access of that user), check hostname from SM21.
This is considered as DoS (Denial of Service).
