At the present time in standard SAP it is not possible to authorize user just to (un)lock a user and not to reset his password (v.v.). This is caused by the fact that both actions are controlled via one activity (05) in authorization object S_USER_GRP
In the forum thread Unlock Users various scenario's are mentioned in which it becomes clear that the possibility to distinguish between these 2 actions can be very beneficial in order to be able to meet to local security standards.
1 Comment
Former Member
"... in order to be able to meet to local security standards"
You can use "DESTINATION space" syntax to localize applications, if that is your concern. As compared to "NONE" the S_RFC check does not kick in and you are always "local" even although the BAPI is remote enabled.
I have used this successfully, and you need to restrict access to the S_TCODE = 'SU01' and 'SU01_NAV'... because they are also "local".
Cheers,
Julius