Skip to content

BAPI_USER_UNLOCK

Remove the administrator lock from a SAP user account.

Purpose

Clears the administrator lock flag set by BAPI_USER_LOCK (or manually in SU01), allowing the user to log on again. This is the programmatic equivalent of ticking "Unlock" in SU01 and saving.

Signature (the parts you'll actually use)

Parameter Direction Type Notes
USERNAME IMPORTING XUBNAME The user ID to unlock. Required.
RETURN TABLES BAPIRET2 Messages — always check this

Example

DATA: lv_user   TYPE xubname VALUE 'RETURNEE01',
      lt_return TYPE STANDARD TABLE OF bapiret2.

CALL FUNCTION 'BAPI_USER_UNLOCK'
  EXPORTING
    username = lv_user
  TABLES
    return   = lt_return.

IF NOT line_exists( lt_return[ type = 'E' ] ) AND
   NOT line_exists( lt_return[ type = 'A' ] ).
  CALL FUNCTION 'BAPI_TRANSACTION_COMMIT'
    EXPORTING wait = 'X'.
ELSE.
  CALL FUNCTION 'BAPI_TRANSACTION_ROLLBACK'.
  LOOP AT lt_return INTO DATA(ls_msg) WHERE type CA 'EAX'.
    WRITE: / ls_msg-message.
  ENDLOOP.
ENDIF.

Common pitfalls

COMMIT WORK is mandatory

The unlock is not applied until you call BAPI_TRANSACTION_COMMIT (or COMMIT WORK). Without it the user stays locked — silently.

Administrator lock only

This BAPI removes only the administrator lock. It cannot remove:

  • A wrong-password lock (ISLOCKED-WRNG_LOGON = 'L') — requires a password reset or SU01 action.
  • A security-policy lock — governed by a password policy; reset via SU01 or the applicable security policy configuration.

Check ISLOCKED (from BAPI_USER_GET_DETAIL) before calling to understand which lock type is active.

  • Authorisation required: S_USER_GRP with activity 05 (lock/unlock) for the target user's group.
  • Unlocking an already-unlocked user returns a warning (W) in RETURN, not an error.
  • Always check the RETURN table — never assume success.

See also

  • Transactions: SU01 (lock tab), SUIM (users by lock status)
  • Structure: BAPIUSLOCK — fields WRNG_LOGON, LOCAL_LOCK, GLOB_LOCK

Comments