HomeAboutBlog ContactSAPHTML SQLPython
🔐 SAP Security · User Administration · 2026 Guide

SAP SU01 Password Reset And User Lock/Unlock: Complete Step-by-Step Guide

2026 Guide Pramod Behera 13 min read SU01 · SAP Security · User Administration

🔐 SAP SU01 - What It Does and Why Every Administrator Needs It

Today we are going to explain SAP transaction SU01 - the User Maintenance transaction used to reset passwords, lock and unlock user accounts, and manage every other detail of a SAP user's master record. SU01 is one of the very first transactions any SAP Basis administrator or security team member learns, because forgotten passwords and locked accounts are among the most common support requests in any SAP S/4HANA or ECC 6.0 landscape. In this guide we cover exactly how to reset or change a user's password, how to lock and unlock a user, what each option on the SU01 initial screen does, why the "Too Many Attempts" error appears, and the security best practices every administrator should follow before making any change. Whether you are a fresher learning SAP security for the first time or an end user trying to understand what your Basis team just did to your account, this guide explains it step by step.

SAP login screen showing too many failed login attempts error

A locked SAP logon screen after too many failed password attempts - exactly the kind of issue SU01 is used to fix.

🔑

Reset or Change a Password

Step-by-step instructions to change any user's password using SU01, including what happens on the user's next logon.

🔒

Lock And Unlock a User

How administrators lock a user account for security reasons, and how to unlock one after too many failed login attempts.

⚙️

Every SU01 Option Explained

Create, Change, Display, Delete, Copy, Lock/Unlock, and Change Password - what each option on the initial screen actually does.

SU01 Password Reset
Lock / Unlock User
SAP Security Basics
Too Many Attempts
SU10 Mass Maintenance
FAQ

⚙️ What Is SU01? The User Maintenance Transaction

SU01 is the standard SAP transaction code used to maintain user master records - the underlying data that defines who a SAP user is, what they are allowed to do, and how they log in. It works the same way in both SAP S/4HANA and the older SAP ERP ECC 6.0.

🔎 In Plain Terms

Every person who logs in to SAP has a user master record stored in the system. That record holds their username, their assigned roles and authorizations, their password, their email address, and a lock status (locked or unlocked). Transaction SU01 is the screen administrators use to view and change any part of that record - most commonly to reset a forgotten password or unlock an account after too many failed login attempts.

Important: before making any change in SU01, make sure you have administrator authorization in your system, and follow your company's password and security policies. It is also good practice to inform the affected user once their password has been changed.

To get started, go to the SAP command field, type SU01, and press Enter. The screen below is what you will land on once the transaction opens.

SAP transaction SU01 user maintenance entry screen

The SU01 initial entry screen, where you type in the user ID before choosing Create, Change, Display, or another action.

The Seven Options on the SU01 Initial Screen

When you open SU01 and enter a user ID, you will see several action options. Here is exactly what each one does.

Create
New User Setup

Used to create a brand-new SAP user, defining the username, user type, and initial password. Administrators use this option whenever a new employee or consultant needs system access.

✏️
Change
Edit Existing User

The most frequently used option. Lets an administrator update an existing user's name, contact details, password, roles, validity dates, or lock status.

👁️
Display
View Only

Shows the complete details of a user account in read-only mode, letting an administrator review settings without the ability to make any changes.

🗑️
Delete
Permanent Removal

Permanently removes a user account from the SAP system. Typically used when an employee leaves the company, after appropriate approval and data retention checks.

📋
Copy
Replicate a Template User

Replicates an existing user's roles and settings to quickly create a new user with the same access profile - useful for onboarding employees with similar job roles.

🔓
Lock / Unlock
Logon Data Tab

Found under the Logon Data tab. Administrators use this to block a user's access entirely, or to remove a lock after a password issue or security concern has been resolved.

SAP SU01 initial screen showing Create, Change, Display, Delete, Copy, Lock/Unlock and Change Password options

All seven action buttons on the SU01 initial screen, ready to use once you've entered a valid user ID.

It's worth noting that none of these buttons actually do anything until you have typed a valid user ID into the field above them and pressed Enter at least once - SAP needs to know which user record you intend to work with before any of Create, Change, Display, Delete, Copy, or Lock/Unlock becomes meaningful. A frequent beginner mistake is clicking Change with the user ID field still blank, which simply returns an error rather than opening a record.

💡

The Change Password option: this is the seventh and most commonly searched-for action. Only administrators with the right authorization can use it to help a user change their password when they have forgotten it or been locked out.

🔑 How to Reset or Change a SAP User Password Using SU01

Follow these steps exactly to change or reset a user's password in SAP S/4HANA or ECC 6.0. The process takes less than a minute once you are familiar with it.

01

Open Transaction SU01

Log in to SAP and type SU01 in the command field at the top left, then press Enter to open the User Maintenance screen.

T-Code: SU01
02

Enter the User ID and Click Change

Type the username of the account whose password needs resetting, then click the Change (pencil) icon to open that user's master record.

03

Open the Logon Data Tab

Inside the user's record, click the Logon Data tab. This is where the password fields and the lock/unlock status are located.

04

Click "Change Password"

Select the Change Password button or field. Enter the new password, then enter the exact same password again in the Repeat Password field to confirm there is no typing mistake.

05

Save the Changes

Press Enter or click the Save icon. SAP will display a confirmation message that the password was changed, along with the date and time of the update.

06

Inform the User

Notify the user that their password has been reset, following your company's security policy. Most systems will prompt the user to set their own new password the next time they log on.

Here is what the confirmation actually looks like on screen once you save - SAP gives you two clear visual signals that the password change was accepted.

SAP password change confirmation message after saving SU01 SAP SU01 logon data tab showing password changed status

Left: the system message confirming the password was changed. Right: the Logon Data tab reflecting the updated status after saving.

Tip: after saving, scroll down on the Logon Data tab to view the "Password changed on" date and other status fields - this confirms exactly when the change took effect and can help when troubleshooting login issues later.

🔒 How to Lock or Unlock a SAP User Account

Locking and unlocking is the second most common SU01 task. A user account can be locked manually by an administrator for security reasons, or automatically by the system after repeated failed login attempts.

⚠️ The "Too Many Attempts" Error

"Too Many Attempts" is a message that appears when a user enters the wrong password too many times in a row, exceeding the limit configured in the system (commonly 3 to 5 attempts). To protect the account from brute-force guessing, SAP automatically locks it. The user cannot log in again until an administrator removes the lock using SU01, even if they later remember the correct password.

01

Open SU01 and Select Change

Enter transaction SU01, type the locked user's ID, and click Change to open their record.

02

Go to the Logon Data Tab

Open the Logon Data tab, where the current lock status of the account is displayed.

03

Use the Lock/Unlock Option

Click the Lock or Unlock icon as needed. Unlocking removes any failed-attempt lock immediately, allowing the user to try logging in again.

04

Save and Confirm

Save the change. It is good practice to also reset the user's password at the same time if the lockout was caused by a forgotten password, rather than just unlocking the old one.

SAP SU01 logon data tab showing password change date and account status fields

Once a lock is cleared or a password is reset, the Logon Data tab also shows the change timestamp and current status fields - useful evidence when you need to confirm an action was completed.

💡

Bulk unlocking: if many users are locked at once - for example after a company-wide password policy change - administrators can use transaction SU10 to lock, unlock, or update multiple user accounts in a single mass operation instead of repeating SU01 individually for each user.

🧩 Real-World SU01 Scenarios Every Administrator Will See

Reading the steps in isolation only tells half the story. In a live SAP landscape, password and lock issues almost always arrive wrapped in some kind of business urgency - a month-end deadline, a new joiner who needs access immediately, or a consultant who has just returned from leave. Walking through a few realistic situations makes the SU01 process far easier to apply when a ticket actually lands in your queue.

🌙
The Monday-Morning Lockout
Most common help-desk ticket

A finance user returns from the weekend, mistypes a password they changed on Friday, tries three or four more times "just to be sure," and ends up locked out right as month-end closing begins. The fix is the same Lock/Unlock flow covered above, but speed matters here - a delayed unlock during closing can hold up postings for an entire team, so many companies treat this category of ticket as priority one for the SAP security desk.

🆕
First-Day Access for a New Joiner
Create + initial password

HR confirms a new employee's start date, and the SAP team uses the Create option in SU01 to set up the account with a temporary initial password. The system is normally configured to force a password change the very first time that user logs on, which is exactly why administrators should never reuse the same "Welcome123"-style password across multiple new hires without that forced-change setting enabled.

✈️
Returning From Extended Leave
Expired password + dormant account

A consultant or employee returns after months of leave and finds their account has been automatically locked due to inactivity, on top of a password that expired long ago under the company's rotation policy. Here the administrator typically needs to do two things in the same SU01 session - unlock the account and reset the password - rather than assuming one fix alone will restore access.

🔁
Company-Wide Policy Change
SU10 mass maintenance

Security audit findings sometimes force an organisation to roll out a stricter password policy overnight, which can lock out dozens of users simultaneously if everyone's existing password suddenly fails the new complexity rule. This is precisely the situation SU10 exists for - rather than opening SU01 fifty separate times, the administrator selects all affected users and resets or unlocks them in a single batch action.

The pattern to notice: almost every real-world SU01 ticket boils down to one of three root causes - a forgotten or expired password, too many failed login attempts, or a dormant account that has been automatically locked by the system. Once you can recognise which of the three you're dealing with, choosing between Change Password, Lock/Unlock, or both becomes a quick decision rather than a guessing game.

⌨️ SU01 and Related SAP Security T-Codes

Essential SAP User Administration T-Codes
T-CodePurpose
SU01Create, change, lock/unlock, and maintain individual SAP user master records, including passwords.
SU01DDisplay-only version of SU01 - lets a user view account details without authorization to change anything.
SU10Mass user maintenance - lock, unlock, or update many user accounts at once instead of one at a time.
SU3Lets a logged-in user maintain their own profile, defaults, and personal settings (not other users' accounts).
SUIMUser Information System - used to search and report on users, roles, and authorizations across the system.
PFCGRole maintenance - used to create and assign the authorization roles that get linked to a user via SU01.

🛠️ Troubleshooting Common SU01 Problems

Even with the right steps followed, SU01 occasionally throws an error or behaves in a way that confuses a new administrator. The table below covers the issues that come up most often, along with what is usually causing each one.

Common SU01 Errors and What They Usually Mean
SymptomLikely Cause and Fix
"User is locked" message reappears right after unlockingThe user is likely entering the same wrong password again and re-triggering the failed-attempt lock. Reset the password instead of only unlocking, and confirm the new password with the user directly.
Password change is accepted but the user still cannot log inSome systems require the new password to be confirmed at first logon before it becomes fully active, or the user may be logging into a different SAP client or system than the one where the password was changed.
"Not authorized" error when opening SU01The logged-in user does not have the SU01 authorization object assigned to their role. This needs to be resolved by the Basis or security team adjusting role assignments, not by retrying SU01 itself.
New password is rejected as "not complex enough"The password does not meet the system's configured complexity rules - commonly a minimum length, a mix of upper and lower case, and at least one number or special character. Try a longer password that mixes all of these.
Lock/Unlock option appears greyed outThe administrator's own authorization may not extend to that particular user group, or the user record may currently be locked centrally rather than just at the application level - check with your Basis team if this persists.
Changes in SU01 don't seem to saveConfirm that Enter or Save was actually pressed after each change - SAP requires an explicit save action, and simply navigating away from the tab will discard unsaved edits.
💡

When in doubt, check the Logon Data tab first. Most "did the change actually work" questions can be answered immediately by looking at the password-changed timestamp and current lock status on that tab, rather than asking the user to try logging in again and waiting for them to report back.

✅ SU01 Best Practices - What to Do and What to Avoid

Do This
Always confirm the requester's identity before resetting a password
Follow your company's password complexity and rotation policy
Inform the user as soon as their password or lock status changes
Use SU10 for bulk lock/unlock operations instead of repeating SU01
Review the Logon Data tab to confirm the change actually took effect
Avoid This
Sharing SU01 access with users who do not need administrator rights
Setting an obvious or default password without forcing a change on next logon
Unlocking an account without verifying why it was locked in the first place
Forgetting to log out of SU01 or close the session on a shared admin terminal
Deleting a user without checking dependent data, approvals, or retention rules

❓ SAP SU01 - Frequently Asked Questions

The most commonly searched questions about SU01, password resets, and user locking. Click each question to see the answer.

Q1 How do I reset a SAP user password using SU01?
✅ Answer

Run transaction SU01, enter the user ID, click Change, open the Logon Data tab, click Change Password, enter and repeat the new password, then save. The user will typically be prompted to choose their own new password on next logon.

Q2 What does "Too Many Attempts" mean in SAP?
✅ Answer

It means a user entered an incorrect password too many times in a row, exceeding the system's configured limit. SAP automatically locks the account after this limit is reached, and an administrator must unlock it using SU01 before the user can log in again.

Q3 How do I unlock a locked SAP user account?
✅ Answer

An administrator with the right authorization should run SU01, enter the user ID, click Change, go to the Logon Data tab, and use the Lock/Unlock option to remove the lock. For unlocking several users at once, transaction SU10 is more efficient.

Q4 What is the difference between SU01 and SU01D?
✅ Answer

SU01 is used to create, change, lock, unlock, and maintain SAP user master records, including passwords and roles. SU01D is the display-only equivalent, letting someone view account details without the authorization to make any changes.

Q5 Can a user change their own SAP password without an administrator?
✅ Answer

Yes. Most SAP systems let end users change their own password directly at the standard SAP logon screen using the New Password option, without needing SU01 access. Administrators normally use SU01 only when a user is locked out or has completely forgotten their password.

Q6 Who has authorization to use SU01 in SAP?
✅ Answer

Access to SU01 is restricted by authorization objects, typically held by SAP Basis administrators or the security team. Regular end users are not normally given SU01 access, since it can modify other users' accounts, roles, and password settings.

Q7 Does SU01 work the same way in SAP S/4HANA and SAP ECC 6.0?
✅ Answer

Yes. SU01 and the Logon Data tab work in essentially the same way across SAP S/4HANA and ECC 6.0, since user master record maintenance is a stable, long-standing part of SAP Basis functionality that has not fundamentally changed between these releases.

Q8 Why does the system keep rejecting my new password as "not complex enough"?
✅ Answer

SAP systems are usually configured with password policy parameters that enforce a minimum length and a mix of character types, such as uppercase letters, lowercase letters, and at least one number or special character. If a new password is rejected, try a longer password that combines all of these character types rather than repeating a simple pattern.

Q9 Should I reset the password or just unlock the account?
✅ Answer

It depends on why the account was locked. If the user genuinely forgot their password, unlocking alone won't help - you also need to reset the password. If the lock happened because of a typing mistake and the user is confident they remember the correct password, simply unlocking the account may be enough. When in doubt, doing both at the same time avoids a second support ticket.

Q10 How long does an SAP password normally stay valid before it expires?
✅ Answer

This is controlled by password policy parameters set by each organisation's Basis or security team rather than by a fixed SAP default, so the validity period varies from company to company - commonly somewhere between 30 and 90 days. If a password has expired, SAP will normally prompt the user to set a new one automatically at their next logon rather than requiring an administrator to intervene.

Q11 Can SU01 be used to assign roles and authorizations to a user?
✅ Answer

Yes. Alongside passwords and lock status, SU01 also includes a Roles tab where administrators can assign or remove the authorization roles a user holds. Those roles themselves are usually built separately in transaction PFCG, and SU01 is simply where they get linked to a specific person's account.