User Parameter Mass Update
User Parameter update in SU01 is not possible via usual automation scripting tools that we have – SECATT and LSMW, as far as my experience with testing those solutions for user parameter update goes it came to the point that there was no field that BDC code will recognize for user parameter such as we have straightforward fields for other SU01 tabs as roles, address or logon data tab. Hence the solution involving SECATT or LSMW would not work as the user parameters because we need to input parameter id and value as a variables but they dont not have a corresponding place holder field that we can utilize for this activity. For this reason its a big issue for security administrators if they ever need to mass update user parameter for large group of users in the system. For example there can be a scenario where you are setting up users for regression testing and copying their production access to regression testing box – you set their roles/user address/user group etc. information properly but now also need to set their user parameters and defaults tab value as it is in production. Defaults tab can be worked out via LSMW or SECATT but the real issue will be user parameters. I see some threads on SCN suggesting that we record SU10 in BDC mode of LSMW/SECATT and try to input one parameter variable and value at a time. As mentioned earlier this did not work for me but it may work for the SECATT/LSMW experts out there.
I used an alternate approach of using BAPI to achieve the same purpose – now this is not at all new thing or likewise but from a typical security admin point of view – its hard to know ABAP (though you should) and hard to catch hold of an ABAPer who has the time to focus on security 🙂 [though its wonderful if security and ABAP combination can be at work – either the ABAPer taking interest in security, or security admin taking interest in ABAP or ABAPer and Security person taking interest in a common problem – good enough amount of Permutations and Combinations !!]
Below is a sample code for updating user parameters, This is just one of the way to achieve this task and code is from a beginner’s level, scrappy, not at all polished or neat and though you will find lot of code discussion on user parameter that go on in ABAP forums on this topic – I dont know if there is a forum that discusses the user parameter changes from end to end perspective in security space so that security consultant can believe they have something they can implement, in short this works (at least for me in my sandbox system and should work for you as well till SAP changes ABAP syntax/some other premise/assumptions)
I have used following functional modules:
(a) ‘TEXT_CONVERT_XLS_TO_SAP -> this converts the input excel file containing 3 columns – User id, Parameter id and Parameter Value into SAP data of a table with 3 columns
(b) BAPI – BAPI_USER_CHANGE’ – this BAPI takes care of all user change functions and you can read the code and check se37 and se11 on this BAPI and the tables and structures it supports. This is it for solving a lot of issues related to security automation and thought i havent used it a lot – a logical extension of this would be to use it for a such a wide variety of features like default tabs, passwords etc. though these functions can be managed via LSMW/SECATT.
Premise obviously is that as we are using User change BAPI – user does exist in system and only thing we need to focus upon is user parameter updation.
My suggestion would be to break the program into small pieces of code and write and practice it for yourself and debug it to understand how it works.
Wish you a Happy updating of user parameters 🙂
*&———————————————————————*
*& Report ZUSR05_YAT3
*&
*&———————————————————————*
*&
*&
*&———————————————————————*
REPORT ZUSR05_YAT3.
TABLES: usr05.
type-pools TRUXS.
types: BEGIN OF ty_usr,
bname TYPE usr05-bname,
parid TYPE usr05-parid,
parva TYPE usr05-parva,
END OF ty_usr.
DATA: it_usr TYPE STANDARD TABLE OF ty_usr,
wa_usr TYPE ty_usr,
wa_usr02 TYPE BAPIBNAME,
wa_usr05 TYPE BAPIPARAM,
wa_usr05x TYPE BAPIPARAMX,
it_usr05 TYPE STANDARD TABLE OF BAPIPARAM1,
it_usr05x TYPE STANDARD TABLE OF BAPIPARAM1,
it_bapirtn LIKE bapiret2 occurs 0 with HEADER LINE,
wa_bapirtn TYPE bapiret2,
E_ERROR TYPE STRING.
DATA : it_raw TYPE truxs_t_text_data,
lv_tabix TYPE i.
CONSTANTS: c_x TYPE c VALUE ‘X’.
PARAMETER: p_usr05 TYPE rlgrap-filename.
AT SELECTION-SCREEN ON VALUE-REQUEST FOR p_usr05.
CALL FUNCTION ‘F4_FILENAME’
EXPORTING
* PROGRAM_NAME = ‘Z’
* DYNPRO_NUMBER = ‘1000’
field_name = ‘P_HD’
IMPORTING
file_name = p_usr05.
START-OF-SELECTION.
PERFORM upload.
PERFORM bapi_sub.
FORM upload .
CALL FUNCTION ‘TEXT_CONVERT_XLS_TO_SAP’
EXPORTING
* I_FIELD_SEPERATOR =
* I_LINE_HEADER =
i_tab_raw_data = it_raw
i_filename = p_usr05
TABLES
i_tab_converted_data = it_usr
EXCEPTIONS
conversion_failed = 1
OTHERS = 2.
IF sy-subrc <> 0.
* Implement suitable error handling here
WRITE / ‘SOMETHING WRONG HERE’.
ENDIF.
ENDFORM. “Upload
FORM bapi_sub .
SORT it_usr BY BNAME.
LOOP AT it_usr INTO wa_usr.
wa_usr05-PARID = wa_usr-PARID .
wa_usr05-PARVA = wa_USR-PARVA .
WA_USR02-BAPIBNAME = wa_usr-BNAME .
wa_usr05X-PARID = c_x .
wa_usr05x-PARVA = c_x .
APPEND wa_usr05 TO it_usr05.
APPEND wa_usr05x to it_usr05x.
CALL FUNCTION ‘BAPI_USER_CHANGE’
EXPORTING
USERNAME = wa_usr02-BAPIBNAME
*LOGONDATA = WA_USR05X
*LOGONDATAX =
*DEFAULTS =
*DEFAULTSX =
*ADDRESS =
*ADDRESSX =
PARAMETERX = WA_USR05X
*COMPANY =
*COMPANYX =
*SNC =
*SNCX =
*BACK_DISTRIBUTION =
*PASSWORD =
*PASSWORDX =
*ADDCOMX =
*REF_USER =
*REF_USERX =
*ALIAS =
*ALIASX =
*GROUPSX =
*UCLASS =
*UCLASSX =
*EXTIDSX =
TABLES
*PARAMETER = it_usr05
RETURN = it_bapirtn
*ADDTEL =
*ADDFAX =
*ADDTTX =
*ADDTLX =
*ADDSMTP =
*ADDRML =
*ADDX400 =
*ADDRFC =
*ADDPRT =
*ADDSSF =
*ADDURI =
*ADDPAG =
*ADDCOMREM =
*GROUPS =
PARAMETER1 = it_usr05.
*UCLASSSYS =
*EXTIDHEAD =
*EXTIDPART =
READ TABLE it_BAPIrtn WITH KEY TYPE = ‘E’.
IF SY-SUBRC EQ ‘0’.
CONCATENATE it_BAPIrtn-MESSAGE it_BAPIrtn-ID it_BAPIrtn-NUMBER INTO E_ERROR SEPARATED BY SPACE.
ELSE.
CALL FUNCTION ‘BAPI_TRANSACTION_COMMIT’
* EXPORTING
* WAIT =
* IMPORTING
* RETURN =
.
ENDIF.
CLEAR: wa_usr05,wa_usr05X, wa_usr.
ENDLOOP.
ENDFORM. “BAPI_SUB
Thanks for your time reading through this 🙂 – hope it helps 🙂
It is actually quite easy, isn't it.. 🙂
First small comments though: for the user BAPIs you do not need to commit work afterwards. The commit is in the BAPI. So you should give the message back to the user whether the work was committed or not. Also the BAPI makes authority-checks, so the user must be told about missing authority - actually it would be useful for a simple report to check the authority before you call the BAPI.
Cheers,
Julius
Thanks Julius for your review and response - to be honest - it wasnt easy for me as a security admin who did not have knowledge of ABAP to start with to deliver user parameter settings of 600+ users in another system based on user parameter setting saved for these users in production. SU10 could have been an option but you cannot reach to satisfactory level of coverage as over time production data for user parameter tends to be come more unique for each user. To my dismay found that SECATT and LSMW for some reason dont support this tab (user parameter)- till then in my ignorant world I was confident to handle SU01 via SECATT day in day out. Hence - I tried to search a lot of forums and start from somewhere or scratch as I did not have privilege of an ABAP consultant by my side on this, what I did review here and there were useful pointers on the whole process from how to upload data from excel to, note about BAPI User Change for these kind of scenarios in general, scattered in tit bits across various Forums:)
So I thought of consolidating it in one place information related to my scenario where we pick data from excel and update user parameters- though I hope this document doesn't serve to spoon feed people (who are searching for a similar solution on this issue and they take time to understand the scenario and it helps them hopefully on this scenario and they try to utilize more benefits of BAPIs. I have made enough of a heavy meat explaining this ..all the time reiterating same stuff ..just for convincing myself that I have made a good argument on posting this 🙂
yep now that I know how to use BAPI - I find it exciting and ofcourse for those well to do folks who know ABAP it must be very easy 🙂
Thanks for security part of it - I am security consultant but forgot the best part here 🙂 - to add authority checks - thanks for it !
Hi. Very nice example on code. Saved me some time. I did not have the same TRUXS functions in my system, so I updated it a bit. Have added the code below, for the ones that are interested. (I am NOT an ABAP'er, so it is probably full of beginners errors. But it works, and it is only to be run once anyway).
*&---------------------------------------------------------------------*
*& Report ZBC_UPDATE_USER_PARAMETERS
*&---------------------------------------------------------------------*
REPORT ZBC_UPDATE_USER_PARAMETERS.
TABLES: usr05.
types: BEGIN OF ty_usr,
bname TYPE usr05-bname,
parid TYPE usr05-parid,
parva TYPE usr05-parva,
END OF ty_usr.
DATA: it_usr TYPE STANDARD TABLE OF ty_usr,
wa_usr TYPE ty_usr,
wa_usr02 TYPE BAPIBNAME,
wa_usr05 TYPE BAPIPARAM,
wa_usr05x TYPE BAPIPARAMX,
it_usr05 TYPE STANDARD TABLE OF BAPIPARAM1,
it_usr05x TYPE STANDARD TABLE OF BAPIPARAM1,
it_bapirtn LIKE bapiret2 occurs 0 with HEADER LINE,
name type usr05-bname.
PARAMETER: p_usr05 TYPE rlgrap-filename.
AT SELECTION-SCREEN ON VALUE-REQUEST FOR p_usr05.
CALL FUNCTION 'KD_GET_FILENAME_ON_F4'
EXPORTING
FIELD_NAME = 'P_HD'
CHANGING
FILE_NAME = p_usr05.
START-OF-SELECTION.
PERFORM upload.
PERFORM update.
FORM upload .
CALL FUNCTION 'UPLOAD_XLS_FILE_2_ITAB'
EXPORTING
I_FILENAME = p_usr05
TABLES
E_ITAB = it_usr.
ENDFORM. "Upload
FORM update.
SORT it_usr BY BNAME.
name = 'AAROS'.
LOOP AT it_usr INTO wa_usr.
IF wa_usr-BNAME NE name.
CALL FUNCTION 'BAPI_USER_CHANGE'
EXPORTING
* USERNAME = wa_usr02-BAPIBNAME
USERNAME = name
PARAMETERX = 'X X'
TABLES
RETURN = it_bapirtn
PARAMETER1 = it_usr05.
clear: it_usr05.
loop at it_bapirtn.
write: / name, it_BAPIrtn-MESSAGE, it_BAPIrtn-ID, it_BAPIrtn-NUMBER.
endloop.
write: / '--------------------------------------------------'.
ENDIF.
wa_usr05-PARID = wa_usr-PARID.
wa_usr05-PARVA = wa_USR-PARVA.
WA_USR02-BAPIBNAME = wa_usr-BNAME.
APPEND wa_usr05 TO it_usr05.
APPEND wa_usr05x to it_usr05x.
name = wa_usr02-BAPIBNAME.
CLEAR: wa_usr05,wa_usr05X, wa_usr.
ENDLOOP.
ENDFORM. "BAPI_SUB