Mass lock of SAP Users

During any maintenance there is always a discussion about how to keep track of users that were already locked.

The easiest way is SU10, but with it, it is difficult to keep track of users that were already locked.

For ECC systems (and also for S/4HANA), you can do this with transaction EWZ5.

Note that this is not available for other SAP Applications.

The advantage of this method is that the application sets a flag for users that were already locked.

[Screenshot: EWZ5 1]

You can now select the users who should not be locked (Euro Administrator) and save the transaction.

Click on lock user, and all the users are locked.

[Screenshot: EWZ5 4]

Notice the Locked flag is still set for users that were already locked.

[Screenshot: EWZ5 7]

If you do not select a euro administrator before locking the users, you will get the below warning message.

[Screenshot: EWZ5 11]


GDPR for SAP – Are you ready?

Everyone keeping track of the GDPR clock should already be gearing up for compliance, because the consequences of non-compliance could be damaging.

Under the new law, personal data of your customers can only be gathered legally under strict conditions. Processing, handling, archiving and deleting this data should also be handled under strict rules.

We are part of Brexit! We do not have offices in EU countries! I do not know if this applies to us! By when should we be compliant!

You can find the answers to these questions at FAQs and Timelines.

It applies to everyone who is processing or using any data of customers from the EU.

So even if you do not have an office in the EU but do business with EU customers, you are within the purview of GDPR.

When it comes to SAP, you should be thinking of, but not limited to, the following aspects of data.

  1. Any personal data of your customers should be secured. This ranges from their official title (CEO/CFO/Director etc.) to their postal code. Make informed decisions.
  2. Be prepared to secure the data already in your system. Prevent unauthorized access to this information. Many might think this only applies to production systems, which is incorrect. Personal data in your Pre-Prod, Test, Development etc. systems is all considered sensitive.
  3. Data should be archived or deleted unless it is absolutely required. Archived data should be safeguarded from unauthorized access.

This is of course a complicated and time-consuming process. But the great thing is that there are already multiple tools readily available in the market which can completely automate this process.

Since we are talking about SAP, I would like to bring to your notice some of these tools which can help you make your SAP systems compliant.

  1. Let's start with the basics and the most crucial aspect. Check your authorization matrix. Ensure that only people who need access to personal data have access. Use tools like SAP GRC to control authorizations and to manage, mitigate and document risks.
  2. Protect the data in your non-production systems. Apply strict authorization controls on your non-production SAP systems. Use tools that scramble test data in non-production systems. Some examples include SAP TDMS and DATA Secure by EPI-USE. Another interesting tool could be SAP Field Masking Solution.
  3. Handle the data in your production system wisely. Archive or delete data that is not necessary. Use tools like SAP ILM to manage the life cycle of your data.

The above are just some actions for compliance. There is much more to this than just using the tools, such as appointing a Data Protection Officer (DPO), legal advice etc.

Please share your experience regarding GDPR under comments.

Unlock users from database – What am I missing?

We often use the database to unlock users in table USR02. It is arguably an easy task, but we often get stuck on a missing comma, wrong user etc.

Below, I have put this magic statement for all the databases in a table to make life easy.

I have used example user “SAPUSER” and client “000”. Do not forget to replace these and the relevant schema with your own values.

The logged-on users are also examples, and you should be able to use any user with similar authorizations.

| Database | Logged in User | Unlock Statement | Check/Select statement |
|---|---|---|---|
| Oracle | `SYS`/`SYSTEM` | `update SAPSR3.USR02 set UFLAG=0 where BNAME='SAPUSER' and MANDT='000';` | `select UFLAG from SAPSR3.USR02 where BNAME='SAPUSER' and MANDT='000';` |
| DB2/DB6 | `db2<sid>` [OS Authentication] | `update SAP<SID>.USR02 set UFLAG=0 where BNAME='SAPUSER' and MANDT='000'` | `select UFLAG from SAP<SID>.USR02 where BNAME='SAPUSER' and MANDT='000'` |
| SAP HANA | `sap<sid>` | `Update sap<sid>.USR02 set UFLAG='0' WHERE BNAME='SAPUSER' AND MANDT='000'` | `select UFLAG from SAP<SID>.USR02 where BNAME='SAPUSER' and MANDT='000'` |
| MaxDB | `sap<sid>` | `UPDATE usr02 SET UFLAG=0 where MANDT='000' and BNAME='SAPUSER'` | `select UFLAG from usr02 where MANDT='000' and BNAME='SAPUSER'` |
| MS SQL | `<sid>adm` / `sa` [OS Authentication] | `update <SID>.USR02 set UFLAG=0 where BNAME='SAPUSER' and MANDT='000';` | `select UFLAG from <SID>.USR02 where MANDT='000' and BNAME='SAPUSER'` |
| SAP/Sybase ASE | `sa` | `update USR02 set UFLAG=0 where BNAME='SAPUSER' and MANDT='000'` | `select UFLAG from USR02 where BNAME='SAPUSER' and MANDT='000'` |
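
A guarded way to run the Oracle row of the table, as an added example that is not part of the original post: it inspects the current lock state, limits the update to the one locked row, and commits only after the result has been checked. The schema, user and client are the post's placeholders; the UFLAG bit meanings (32, 64, 128) are the commonly documented values and are an assumption, since the post does not state them.

```sql
-- Added example, Oracle dialect (run in sqlplus as the user from the table).
-- SAPSR3 / SAPUSER / 000 are the post's placeholders: replace all three.
-- Assumption (not from the post): UFLAG is a bit mask where
--   32 = locked by central (CUA) administrator
--   64 = locked by local administrator
--  128 = locked after too many failed logons

-- 1. Look before you write. Exactly one row must come back; zero rows means
--    a wrong user, client or schema, and the UPDATE would silently do nothing.
SELECT BNAME,
       MANDT,
       UFLAG,
       CASE
         WHEN UFLAG = 0 THEN 'not locked'
         ELSE TRIM(
                CASE WHEN BITAND(UFLAG, 32)  = 32  THEN 'central-admin ' END ||
                CASE WHEN BITAND(UFLAG, 64)  = 64  THEN 'local-admin '   END ||
                CASE WHEN BITAND(UFLAG, 128) = 128 THEN 'failed-logons ' END)
       END AS LOCK_REASON
  FROM SAPSR3.USR02
 WHERE BNAME = 'SAPUSER'
   AND MANDT = '000';

-- 2. Unlock only that user in that client, and only if it is locked.
--    Both key columns are in the WHERE clause, so a typo cannot touch
--    the same user name in another client.
UPDATE SAPSR3.USR02
   SET UFLAG = 0
 WHERE BNAME = 'SAPUSER'
   AND MANDT = '000'
   AND UFLAG <> 0;

-- sqlplus must report "1 row updated." at this point.
-- Any other count: issue ROLLBACK; and recheck step 1.

-- 3. Confirm the new value, then make the change permanent.
--    Without COMMIT the unlock is lost when the session ends.
SELECT UFLAG
  FROM SAPSR3.USR02
 WHERE BNAME = 'SAPUSER'
   AND MANDT = '000';

COMMIT;
```

A direct table update is not recorded in the SAP user change documents, so note the LOCK_REASON from step 1, who ran the statement and when, in your maintenance or change record.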