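[SAP Basis] User Authorization: SAP user locked / blocked / unlock (very useful)

This article describes several ways to lock and unlock users in bulk in an SAP system: transaction codes such as SU10 and EWZ5, programs that lock or unlock users automatically on a schedule, and profile parameters that unlock users under specific conditions.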
Different methods to Lock or unlock SAP users [My fav]

I want to lock all the users in SAP during MTP. I know we can do it using SU10. Are there any other ways to lock the users?

Is there a way in SAP to unlock a locked user for a limited time, then automatically after x time set the user back to lock status? 

You can fill in "valid from" and "valid until", but you cannot say from Monday to Friday from 8 - 12:00 for part time workers. 

Can we schedule to lock all users?

If users get locked, from SU01 you can unlock them. 

Use SU10 to mass lock/unlock the users.

Use address data or authorisation data to get a list of users - select the ones you want and click transfer.

Once this is done click on lock or unlock. 

You can also use transaction code EWZ5 to mass lock/unlock the users

or 

Execute program EWULKUSR in SE38

or 

Set a profile parameter (login/failed_user_auto_unlock) to unlock at midnight the locked users. 

or 

The following code will lock all users; use it with caution.

Here's some ABAP code, short and simple, isn't it?


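REPORT zreusrlock.

* Lock every user whose last logon date (TRDAT) is more than 40 days ago.
DATA: time_limit TYPE sy-datum.
DATA: days TYPE i VALUE 40.

time_limit = sy-datum - days.
* UFLAG = 64 marks the user as locked.
UPDATE usr02 SET uflag = 64 WHERE trdat < time_limit.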

If you don't want to specify the time in the program, you can use SE38 to schedule it as a daily background job with the date and time.
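
A variant of the report above, as an added example that is not part of the original post: it locks the same inactive users through the standard function module BAPI_USER_LOCK instead of updating USR02 directly, with a test-run switch and a list of users that must stay unlocked. The report name, the parameter names and the choice to skip users who are already locked or have never logged on are assumptions of this example.

```abap
REPORT zreusrlock_bapi.
* Added example, not from the original post; all names are hypothetical.
* Locks users whose last logon (USR02-TRDAT) is older than P_DAYS days
* via BAPI_USER_LOCK instead of a direct UPDATE on USR02.

DATA gv_bname TYPE usr02-bname.
PARAMETERS: p_days TYPE i DEFAULT 40,
            p_test AS CHECKBOX DEFAULT 'X'.  " test run: list only
SELECT-OPTIONS s_keep FOR gv_bname.          " users that must stay unlocked

DATA: lv_limit  TYPE sy-datum,
      lt_users  TYPE STANDARD TABLE OF usr02-bname,
      lv_user   TYPE usr02-bname,
      lt_return TYPE STANDARD TABLE OF bapiret2,
      ls_return TYPE bapiret2.

START-OF-SELECTION.
  " Refuse to run without an exclusion list, so that administrator and
  " emergency accounts are never locked by accident.
  IF s_keep[] IS INITIAL.
    WRITE: / 'No users excluded in S_KEEP, nothing locked.'.
    RETURN.
  ENDIF.

  lv_limit = sy-datum - p_days.

  " Candidates in the current client: currently unlocked (UFLAG = 0),
  " have logged on at least once, and are not on the exclusion list.
  SELECT bname FROM usr02 INTO TABLE lt_users
    WHERE trdat < lv_limit
      AND trdat <> '00000000'
      AND uflag = 0
      AND bname NOT IN s_keep.

  LOOP AT lt_users INTO lv_user.
    IF p_test = 'X'.
      WRITE: / 'Would lock:', lv_user.
      CONTINUE.
    ENDIF.
    CLEAR: lt_return, ls_return.
    CALL FUNCTION 'BAPI_USER_LOCK'
      EXPORTING
        username = lv_user
      TABLES
        return   = lt_return.
    " Show the first message the BAPI returned for this user
    READ TABLE lt_return INTO ls_return INDEX 1.
    WRITE: / lv_user, ls_return-type, ls_return-message.
  ENDLOOP.
```

Because only users with UFLAG = 0 are selected, accounts that were already locked for another reason keep their existing lock state, and a later unlock run can be limited to the users this report listed.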

or

Probably the easiest way would be to write a sqlplus SQL script that sets all the UFLAG fields in table USR02 to 64 EXCEPT for the BNAMEs you don't want locked. When you are done, you can do the same again but change the UFLAG field to 0. 

The SQL statement would look like: 

update SAPR3.USR02 set UFLAG = 64 where MANDT = <client number> and BNAME != <don't lock user 1> 
AND BNAME != <don't lock user 2>; 

You can replace != with <> if you want. To run this from an OS command line, you would type: 

Unix/Oracle 8---> sqlplus internal @<SQLpath+SQLname> 
NT/Oracle 8.0---> plus80 internal @<SQLpath+SQLname> 
NT/Oracle 8.1---> sqlplus internal @<SQLpath+SQLname> 
Unix/Oracle 9:--> sqlplus /nolog @<SQLpath+SQLname> 
NT/Oracle 9-----> sqlplus /nolog @<SQLpath+SQLname> 

In UNIX you can cron the script to schedule it. In NT you can schedule it as a task.

or

This is another method to UNLOCK ALL users. 

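The following makes the change by operating directly on the database, to unlock the specified users.

sapr3 is the name of the database instance; remember that it is case-sensitive. mandt is the client. You can also unlock specific users by filtering on bname.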

Start Oracle Server manager (I assume you are on Oracle) 
connect internal 
update sapr3.usr02 set uflag='0' where mandt='399'; 

When users are locked, the uflag is set to 64. 

When finished, just query to check. 

select bname, uflag from sapr3.usr02 where mandt='399'; 

Please note that unlocking users at a low level (like Oracle sqlplus) should be used as a last resort. Frequent use of low-level access may tempt you to use it for other things. It is highly dangerous and your IS auditors will not be too happy. 

Is there a way to set a list of users that cannot be locked, even if we try to lock them manually, and even if they fail connection ( wrong password )?

Increase this parameter in SAP Instance profile: 

login/fails_to_user_lock = 6 (max is 99 wrong attempts, i.e., value 99). Currently you have a value of 3. 

login/failed_user_auto_unlock (for your midnight unlocking). 

Ask users to remember passwords!! If someone is deliberately logging in with different usernames/passwords (thereby blocking legitimate access of that user), check the hostname from SM21. 

This is considered a DoS (Denial of Service). 
