BAPI_USER_LOCK¶
Lock a SAP user account so they cannot log on.
Purpose¶
Sets the administrator lock flag on a user master record, preventing the user from logging on to any SAP system in the landscape. Does not delete the record, expire the password, or remove any roles. The lock can be reversed at any time with BAPI_USER_UNLOCK.
Signature (the parts you'll actually use)¶
| Parameter | Direction | Type | Notes |
|---|---|---|---|
USERNAME |
IMPORTING | XUBNAME |
The user ID to lock. Required. |
RETURN |
TABLES | BAPIRET2 |
Messages — always check this |
Example¶
DATA: lv_user TYPE xubname VALUE 'LEAVER01',
lt_return TYPE STANDARD TABLE OF bapiret2.
CALL FUNCTION 'BAPI_USER_LOCK'
EXPORTING
username = lv_user
TABLES
return = lt_return.
IF NOT line_exists( lt_return[ type = 'E' ] ) AND
NOT line_exists( lt_return[ type = 'A' ] ).
CALL FUNCTION 'BAPI_TRANSACTION_COMMIT'
EXPORTING wait = 'X'.
ELSE.
CALL FUNCTION 'BAPI_TRANSACTION_ROLLBACK'.
LOOP AT lt_return INTO DATA(ls_msg) WHERE type CA 'EAX'.
WRITE: / ls_msg-message.
ENDLOOP.
ENDIF.
Common pitfalls¶
COMMIT WORK is mandatory
The lock is not applied until you call BAPI_TRANSACTION_COMMIT (or COMMIT WORK). A missing commit means the user remains able to log on — no error is surfaced.
Locking an already-locked user
If the user is already administrator-locked, the BAPI returns a warning (type W) in RETURN, not an error. The call does not fail. If your code only checks for E/A messages, you will commit and move on — which is usually the right behaviour, but be aware of it.
- Administrator lock only. This sets only the admin lock bit. It does not affect a security-policy lock or a wrong-password lock. Use
BAPI_USER_GET_DETAILand inspectISLOCKED(typeBAPIUSLOCK) to distinguish lock types. - Authorisation required:
S_USER_GRPwith activity05(lock/unlock) for the target user's group. - Always check the RETURN table — never assume success.
Related¶
BAPI_USER_UNLOCK— reverse the administrator lockBAPI_USER_GET_DETAIL— read lock status viaISLOCKEDBAPI_USER_GETLIST— find users to lock in bulkBAPI_USER_CHANGE— modify other user attributes
See also¶
- Transactions: SU01 (lock tab), SUIM (users by lock status)
- Structure:
BAPIUSLOCK— fieldsWRNG_LOGON,LOCAL_LOCK,GLOB_LOCK