How do we reset / unlock SAP* from Database level?
Why its required ?
Due to various reasons, we end up in a situation where nobody is able to log into SAP system . This may be because of user lock or no user master created (In case of new clients). Or SAP* is locked and you do not have any other user to log in.
Solution : We have to activate standard ABAP user SAP * and then we can use default password “PASS” to log in.
1. Change parameter “login/no_automatic_user_sapstar = 0” in the instance profile of ABAP system.
Please note that if you have Application server in you SAP system , you can choose to change this parameter in one App Server instance profile only, this way you can avoid bounce of whole SAP system.
2. Restart SAP system (Application only,Database bounce is not required).
3.Rename or Delete the user master record of SAP* from SAP table USR02 for the intended client.
In our example we will rename user master record of SAP* user for client 100. (For some reason I prefer renaming user master over completely deleting it, in this way we can easily restore the user master of SAP*).
3.1 Log into SQL prompt by executing command “sqlplus “/as sysdba”;“ (This command is for ORACLE database running on UNIX host).
3.2 Execute SQL command “Select MANDT,bname,uflag from SAPSR3.USR02 where bname = ‘SAP*’;“
here we can see that we have SAP* user master created for 000,001,066 and 100 client . Now we will rename SAP* user to SAP*Copy .
3.3 Execute following command to rename the user master.
SQL > update sapsr3.usr02 set bname = ‘SAP*Copy’ where mandt = 100 and bname = ‘SAP*’;
SQL > commit;
Congratulations , your SAP* user is activated now .
4. Once you are able to log into SAP , unlock/create your own ID and disable SAP* again(Follow step 4.1,4.2 and 4.3 to deactivate SAP*).
4.1 Set the parameter “login/no_automatic_user_sapstar = 1” in the instance profile.
4.2 Execute following SQL commands to creat SAP* user master from the user copy we created as per step 3.3.
SQL> update sapsr3.usr02 set bname = ‘SAP*Copy’ where mandt = 100 and bname = ‘SAP*’;
4.3 Restart SAP instance to get parameter change in effect. SAP* will get deactivated after restart.
Important points about SAP* user:
SAP* is a “hard-coded” user that does not have a user master record in the delivery system, is not subject to any authorization checks (and therefore has all authorizations), and has an unchangeable password. (Password is “PASS”)
SAP* is not treated like a “normal” user until a user master record is created for it. As long as the user master record exists, SAP* is subject to authorization checks and can be assigned a different password.
Profile parameter login/no_automatic_user_sap* does not work in the default profile because the SAP kernel does not allow this.