Search This Blog

Tuesday, March 15, 2011

SAP Note 963360 - RSUSR200 - Handling users with inactive password

Validity: valid since 11.07.2006


Symptom

You use the User Information System (transaction SUIM) or the RSUSR200 report directly to select users according to the logon date and last password change.
  • For those users for whom the password-based logon is deactivated, incorrect logons that occurred prior to deactivation are used as selection criterion and are incorrectly issued in the results list.
  • If the login/disable_password_login profile parameter is used to deactivate the password-based logon, the password status is not correctly displayed.
  • The influence of the login/failed_user_auto_unlock parameter is ignored during the selection according to users with incorrect logons and/or locked users.

Other terms
USR02, CODVN, TRDAT, UFLAG, LOCNT, RSUSR006
Reason and Prerequisites
This problem is caused by a program error.
Solution
Use the Note Assistant to implement the correction instructions, or import the relevant Support Package.
Explanations of the solution
The text symbols added with the correction are only available in English until you import the relevant Support Package.



Passwords can be deactivated individually (using transaction SU01 or the change password dialog box) or the process can be controlled by the profile parameters login/disable_password_login and login/password_logon_usergroup.

The login/failed_user_auto_unlock parameter influences the effect of the lock due to incorrect logons. If the parameter is set to 1, users can log on to the system again from the day following the lock date. If the parameter is set to 0, the lock is retained indefinitely for this lock reason also.

Behavior of the selection screen:
  • The counters for the incorrect logon attempts and the date of the last password changed are not relevant for users with inactive passwords.
    Therefore, the selection criteria "Days since last password change" and "Selection according to logon attempts" remain ineffective for selections of users with inactive passwords.

Behavior of the results list:
  • The application instance used during the evaluation is generally issued in the list header. The values of the login/disable_password_login and login/failed_user_auto_unlock parameters are also listed. The login/password_logon_usergroup parameter is only issued if it influences the password-based logon behavior.
  • For users with an inactive password, no date is issued for the last password change and the number of incorrect logon attempts.
  • In the case of non-password-based logons, locks caused by incorrect logons are ignored. Users who have the lock reason "Incorrect logon attempt" and an inactive password are therefore regarded as "User not locked" during the selection and in the results list.
  • The login/failed_user_auto_unlock parameter is taken into account during the output. This means only those users that are unable to log on at the time of the evaluation for this reason are issued as being blocked due to an incorrect logon attempt.
  • To ensure the comprehensive evaluation of results, you must also follow the explanations of the solution in Note 883053.

No comments:

Post a Comment