
USR02 — User Logon Data

One row per client/user combination; holds authentication state, lock flags, and validity dates.

Purpose

USR02 is the primary table for user account status in a SAP system. It stores the password hash, logon validity window, lock flags, and last-logon timestamps. Security audits, user-list reports, and licence-type extracts all start here.

Key fields

| Field | Type | Description |
| --- | --- | --- |
| MANDT | CLNT(3) | Client — always filter on this |
| BNAME | CHAR(12) | User ID (logon name) |
| USTYP | CHAR(1) | User type: A=Dialog, B=System, C=Communication, S=Service, L=Reference |
| GLTGV | DATS(8) | Valid-from date |
| GLTGB | DATS(8) | Valid-to date (99991231 = no expiry) |
| TRDAT | DATS(8) | Date of last successful logon |
| LTIME | TIMS(6) | Time of last successful logon |
| UFLAG | INT1 | Lock flags bitmap: 0=unlocked, 64=admin locked, 128=too many failed attempts |

Common queries

All active dialog users valid today

" CLIENT SPECIFIED is needed to name MANDT in the WHERE clause
SELECT bname, ustyp, gltgv, gltgb, trdat
  INTO TABLE @DATA(lt_dialog_users)
  FROM usr02 CLIENT SPECIFIED
  WHERE mandt = @sy-mandt
    AND ustyp = 'A'
    AND gltgv <= @sy-datum
    AND gltgb >= @sy-datum.

Users who have not logged in for 90 days (or never)

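" CONV d keeps the cutoff a date; a bare sy-datum - 90 is typed as an integer
DATA(lv_cutoff) = CONV d( sy-datum - 90 ).

" CLIENT SPECIFIED is needed to name MANDT in the WHERE clause
SELECT bname, ustyp, trdat
  INTO TABLE @DATA(lt_inactive)
  FROM usr02 CLIENT SPECIFIED
  WHERE mandt = @sy-mandt
    AND ustyp = 'A'
    AND ( trdat <= @lv_cutoff OR trdat = '00000000' ).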

Check whether a specific user is locked

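" User ID to check; filled by the caller
DATA lv_username TYPE usr02-bname.
" Lock bits as hex masks: BIT-AND only accepts byte-like operands
CONSTANTS: lc_admin_lock TYPE x LENGTH 1 VALUE '40',   " 64
           lc_fail_lock  TYPE x LENGTH 1 VALUE '80'.   " 128
DATA: lv_flags TYPE x LENGTH 1,
      lv_hit   TYPE x LENGTH 1.

" CLIENT SPECIFIED is needed to name MANDT in the WHERE clause
SELECT SINGLE bname, uflag
  INTO @DATA(ls_user)
  FROM usr02 CLIENT SPECIFIED
  WHERE mandt = @sy-mandt
    AND bname = @lv_username.

IF sy-subrc = 0.
  " Copy the INT1 value into a hex field so it can be used with BIT-AND
  lv_flags = ls_user-uflag.
  " Admin lock
  lv_hit = lv_flags BIT-AND lc_admin_lock.
  IF lv_hit IS NOT INITIAL.
    WRITE: / ls_user-bname, 'is administrator-locked'.
  ENDIF.
  " Too many failed logon attempts
  lv_hit = lv_flags BIT-AND lc_fail_lock.
  IF lv_hit IS NOT INITIAL.
    WRITE: / ls_user-bname, 'is locked due to failed attempts'.
  ENDIF.
  IF ls_user-uflag = 0.
    WRITE: / ls_user-bname, 'is unlocked'.
  ENDIF.
ENDIF.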

Joins

| Join target | Key fields | Purpose |
| --- | --- | --- |
| USR21 | BNAME | Resolves the address reference (PERSNUMBER, ADDRNUMBER) |
| ADR6 | PERSNUMBER + ADDRNUMBER (via USR21) | Email address |
| AGR_USERS | BNAME | Role assignments for the user |

" User email addresses via USR21 and ADR6
" CLIENT SPECIFIED is needed for the explicit client conditions in ON and WHERE
SELECT u~bname, a~smtp_addr
  INTO TABLE @DATA(lt_emails)
  FROM usr02 AS u
  INNER JOIN usr21 AS u21 ON u21~mandt = u~mandt
                          AND u21~bname = u~bname
  INNER JOIN adr6  AS a   ON a~client      = u21~mandt
                          AND a~persnumber  = u21~persnumber
                          AND a~addrnumber  = u21~addrnumber
  CLIENT SPECIFIED
  WHERE u~mandt = @sy-mandt
    AND u~ustyp = 'A'.

Pitfalls

UFLAG is a bitmap — never compare with =

A user can be simultaneously admin-locked (64) and password-expired (32). The UFLAG value in that case is 96, not 64. Always use BIT-AND to test individual bits.

GLTGB = '99991231' means no expiry

The date 99991231 is SAP's conventional "forever" sentinel. Treat it as "no upper limit" rather than an actual expiry date.

Always filter MANDT

Omitting WHERE mandt = @sy-mandt returns rows from every client in the system, which both inflates results and causes unnecessary load.
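
The three pitfalls above, combined into one audit report as an added example (not code from the original page): it lists dialog users that are valid today but have not logged on for 90 days, and decodes UFLAG bit by bit so that dormant accounts that can still log on stand out. The report name and variable names are illustrative assumptions; the lock bit values are the ones given on this page.

```abap
REPORT zusr02_dormant_usable.  " hypothetical report name

" Lock bits from the key-fields table, as hex masks for BIT-AND
CONSTANTS: lc_admin_lock TYPE x LENGTH 1 VALUE '40',   " 64
           lc_fail_lock  TYPE x LENGTH 1 VALUE '80'.   " 128
DATA: lv_flags  TYPE x LENGTH 1,
      lv_hit    TYPE x LENGTH 1,
      lv_status TYPE string.

" CONV d keeps the cutoff a date instead of an integer day count
DATA(lv_cutoff) = CONV d( sy-datum - 90 ).

" Valid today (99991231 passes the >= test) and no logon since the cutoff
SELECT bname, uflag, trdat
  FROM usr02 CLIENT SPECIFIED
  WHERE mandt = @sy-mandt
    AND ustyp = 'A'
    AND gltgv <= @sy-datum
    AND gltgb >= @sy-datum
    AND ( trdat <= @lv_cutoff OR trdat = '00000000' )
  ORDER BY bname
  INTO TABLE @DATA(lt_dormant).

LOOP AT lt_dormant INTO DATA(ls_user).
  CLEAR lv_status.
  lv_flags = ls_user-uflag.   " INT1 copied to hex so BIT-AND is allowed

  lv_hit = lv_flags BIT-AND lc_admin_lock.
  IF lv_hit IS NOT INITIAL.
    lv_status = 'admin-locked'.
  ENDIF.
  lv_hit = lv_flags BIT-AND lc_fail_lock.
  IF lv_hit IS NOT INITIAL.
    lv_status = |{ lv_status } failed-attempts-locked|.
  ENDIF.

  IF ls_user-uflag = 0.
    " No lock bit at all: the account is dormant but can still log on
    lv_status = 'UNLOCKED, dormant but usable'.
  ELSEIF lv_status IS INITIAL.
    " Bits other than 64 and 128 are set; show the raw value for review
    lv_status = |other flag bits set (UFLAG = { ls_user-uflag })|.
  ENDIF.
  CONDENSE lv_status.
  WRITE: / ls_user-bname, ls_user-trdat, lv_status.
ENDLOOP.
```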
