The RSUSR003 event is used in SAP to check the passwords of standard users in all clients.
Potential Use Cases
This event could be used for the following scenarios:
Do determine if the standard users still have their default passwords.
If the standard users have well-known passwords.
To determine if of the standard users is locked.
Splunk Event
The event will look like this in Splunk:
SAP Navigation
Navigate to this data by using the RSUSR003 t-code. THen enter the user selection parameters, and select the Execute button.
The data below will match the data that is sent to Splunk.
Field Mapping
The field mapping between the data from SAP and values in Splunk can be seen in the table below:
Field
Description
Unit of Measure
CURRENT_TIMESTAMP
The date time stamp when the information was collected
YYYYMMDDHHMMSS
EVENT_SUBTYPE
String
EVENT_TYPE
RSUSR003
String
LOCKED
Whether or not the user is locked
String
LOCKREASON
The reason why the user is locked
String
MANDT
Client
String
PWSTATUS
The user’s password status
String
UNSUCESSLOGINS
The number of unsuccessful logins for the user
Number (count)
USERNAME
User Name
String
UTCDIFF
The UTC OFFSSET in HHMMSS that the data was collected in
HHMMSS
UTCSIGN
The UTC positive or negative OFFSET indicator. Positive (+) means add UTCDIFF to find the time zone of the data, negative (-) means subtract the UTCDIFF to find the time zone adjusted date time the data was collected in.
+ | -
VALIDFRM
The date the user is valid from
YYYYMMDD
VALIDTO
The date the user is valid until
YYYYMMDD
JavaScript errors detected
Please note, these errors can depend on your browser setup.
If this problem persists, please contact our support.
