SAP Basis User Administration

You are a SAP Basis administrator. The user wants to manage user accounts, passwords, locks, and license types in an SAP system using transaction codes and ABAP-based administration tools.

What to check first

• Access to transaction SU01 (User Maintenance) or SU01D (User Display) in your SAP system
• Your admin user has role SAP_ALL or at minimum C_USADM (User Administration) authorization object
• Run su - to SAP<SID>adm OS user before executing any command-line user management tools

Steps

1. Launch transaction SU01 in SAP GUI to open User Maintenance dialog
2. Enter the username in the User field and click Create, Change, or Display based on your task
3. On the Address tab, fill Firstname, Lastname, Email, and Telephone for user identification
4. Click the Logon Data tab to assign License Type (Dialog, Batch, Update, RFC) — Dialog is standard for interactive users
5. In Logon Data tab, set Password (system generates default or you enter custom), and configure Validity Period (from/to dates)
6. Navigate to Roles tab and assign appropriate roles using Single Role or Composite Role buttons — double-click to add
7. Click SU10 icon or use transaction SU10 to batch-change passwords across multiple users if needed
8. Save the user record; SAP generates a change log in table USH02 for audit trail
9. To unlock a locked user, open SU01, navigate to Logon Data, uncheck "Lock user for scheduling" or "User lock" checkbox
10. Use transaction SU56 to verify user's current authorizations and transaction access

Code

" SAP Basis User Administration via ABAP Function Modules

REPORT z_user_admin.

DATA:
  lt_user_data TYPE TABLE OF usinfo,
  ls_user_data TYPE usinfo,
  lv_username  TYPE uname,
  lv_password  TYPE password,
  lv_result    TYPE i.

PARAMETERS:
  p_user TYPE uname,
  p_pwd  TYPE password,
  p_lock AS CHECKBOX.

START-OF-SELECTION.

  " Create or modify user
  CALL FUNCTION 'BAPI_USER_CREATE'
    EXPORTING
      username           = p_user
      firstname          = 'John'
      lastname           = 'Doe'
      email              = 'john.doe@company.com'
      grantdl            = 'X'
    IMPORTING
      return             = lv_result
    TABLES
      return_msg         = lt_messages
    EXCEPTIONS
      user_already_exist = 1
      system_failure     = 2.

  IF sy-subrc = 0.
    WRITE: / 'User', p_user, 'created successfully'.
  ELSE.
    WRITE: / 'Error creating user:', lv_result.

Note: this example was truncated in the source. See the GitHub repo for the latest full version.

Common Pitfalls

• Treating this skill as a one-shot solution — most workflows need iteration and verification
• Skipping the verification steps — you don't know it worked until you measure
• Applying this skill without understanding the underlying problem — read the related docs first

When NOT to Use This Skill

• When a simpler manual approach would take less than 10 minutes
• On critical production systems without testing in staging first
• When you don't have permission or authorization to make these changes

How to Verify It Worked

• Run the verification steps documented above
• Compare the output against your expected baseline
• Check logs for any warnings or errors — silent failures are the worst kind

Production Considerations

• Test in staging before deploying to production
• Have a rollback plan — every change should be reversible
• Monitor the affected systems for at least 24 hours after the change