Bruteforce User Maintenance

By Gaurab Banerji, Capgemini India

Made for User Administration help for BASIS people. 

Firstly I have created a program ZGB_PROG01 with the following attributes 

The code for this program is available here. 

The following Selection Texts are used. 

We create a transaction named ZBASIS for a Report using SE93 

Using ZBASIS 

The program can make changes irrespective of the client.

Changes are done directly into databases so it is preferable that the transaction uses some authorization profile. I would recommend using Authority check within the program also if possible. 

To use simply type in the transaction ZBASIS. 

Select the client number from the drop down list and then select the user name. 

Press Enter or press the TICK arrow or simply click a tab. Data gets fetched. 

User Data 

I have only brought some details from the USR02 table since I don’t require further information. If you need you can make further changes and bring more data to screen in the User data tab. 

Lock Status 

The user status tab shows whether the user is currently locked for logging into sap.

You can press the unlock button to allow the user to log into sap. 

Dev Key 

Developer Keys are assigned to users for development access thereby letting users create Y and Z programs. In this tab we can view the installation number and the developer key.

SAP developer keys are generated by sap depending on the installation number and the user id. Basis people should be able to remove illegal/incorrect developer key using this transaction. Here we also have an option to add developer keys but I have not implemented any kind of checking whether the key is correct. I assume that the basis guys are right. 

Password History

Password history can be quite annoying for users when trying to change the passwords. SAP stores the last 5 passwords used in history. The clear password history helps you use your favorite password again and again.  

Password Hash 

In this tab you will find a unique feature. Suppose you are the administrator ADMIN user and you have access to all clients with a standard password say SUPER. It happens that someone doesn’t want anyone to use the user ADMIN in client 800 and changes the default password to something else, which we are unaware of. Here this utility comes handy. SAP stores passwords as password HASHES in table USR02 (and USH02 also but we don’t require it) as a field BCODE. Decoding the passwords is not possible and even if it can be done SAP always makes changes so as to ensure it is not decoded.

The passwords hashes are primarily dependent on User ID and password which in this case is ADMIN and SUPER. However the Hashes are independent of Client number and as such copying the password hash from a user in a client to another (same user id ) would be identical to copying the password. 

This utility does the same. If ADMIN password is changed in Client 800 then what we can do is copy the Password Hash from say Client 620 ( same user ADMIN with known password say SUPER ) to reset the password of client 800. This can be done without logging into the Client 800 at all. It might happen that we find ADMIN is locked. We can unlock ADMIN of Client 800 or any user of any client as described above. 

Validity Reset

Many users are unable to login to the system because a validity date check is applied to the user. This Reset helps totally remove the validity dates rather than change them enabling users to have system access as long as it exists. 

Note: 

This program has been created for educational purposes only. The primary target spectators of this program would be the guys who are new in SAP-BASIS. The code in the program is simple but the data handled is crucial. I won’t recommend misusing this program. Other than the primary functionality of this program, which is basis administration, it demonstrates the use of tab strips and sub screens in reports (No SE51), search helps, drop down lists etc. which makes the program unique in its own way. I hope you will like it.