SAP User Unlock and Password Reset Automation

Unlocking users due to constant incorrect login attempts and password resets can consume time and resources for customers and their help desk/security teams, while having to validate and verify user identities manually. Furthermore, the loss of productivity while waiting for password resets can stop critical business processes.

IT-Conductor can automate this service desk function, enabling self-service password resets and user unlocking based on the customer's security policy. Depending on the customer's requirements, the reset password can be sent directly to the end user, a designated distribution list, or a specified group as needed.

The identification of locked SAP users is based on monitoring CCMS Alerts. The override targets specific CCMS alerts and uses alert user details for further processing. The overrides can have different recovery actions depending on the customer’s scenario.

This is triggered as an auto-recovery action by a CCMS alert (User Locked due to consecutive failed login attempts), which dynamically generates a unique password for the user, unlocks the user, retrieves the user's email and full name, and sends an email to the user with the new temporary password.

The SAP user details are first pulled from SAP. Based on the role type and user status, the password is reset with a randomly generated character string, then the user is unlocked. The notification with the new password can be sent to a specified email address, such as the end-user or an SAP Admin, etc.

Several scenarios are supported, such as creating a filter to identify users for whom this should apply, setting up multiple monitors based on UserID groups, and defining separate thresholds for various user requirements. This includes the ability to identify a particular lock type that differentiates between when a user was locked by the System Admin, incorrect password entry, and enforcement of the validity period.

Pre-requisite Requirements

  1. Add system to IT-Conductor for monitoring and automation.

  2. Create SAP user with Admin rights.

  3. Add an e-mail address in the master record for all users.

  4. Create a Robot User in IT-Conductor for automation purposes.

  5. Create a system account in IT-Conductor and associate the SAP Admin user with the Robot User. Review the Monitoring Setup Guide to create a monitoring account for your type of system.

  6. Configure CCMS security thresholds and overrides according to customer requirements.

  7. Create Process definition(s) based on the customer’s workflow process.

  8. Configure recovery action using the defined override and process definition.

Automation in Action

After several failed attempts to log into SAP, a user eventually gets locked.

After a few minutes, a CCMS alert will be generated in IT-Conductor, and the user will get notified that they have been locked out due to a failed login attempt.

Once the locked user is detected, the IT-Conductor Process definition is triggered as a recovery activity to reset the user’s password and notify them of their new temporary password.

Figure 5 is an example of a triggered Process Definition for the User Password Reset Automation scenario.

Figure 6 is an example of an e-mail notifying users of their new temporary password.

SAP Automated User Unlock Dashboard

A customized dashboard can be deployed to provide an overview of the unlocked users per system within a particular time interval. It also includes some administrative tools, such as the restart activity button and the activity log, which shows whether the activity was successful or not. Last but not least, these password reset activities can be a source for security audit reports generated by IT-Conductor for compliance and audit purposes.

Last updated