How To Fix CNV420 - User &1 is not authorized to lock users

The SAP error message "CNV420 User &1 is not authorized to lock users" typically occurs when a user attempts to lock another user account in the SAP system but does not have the necessary authorizations to perform this action. This is often related to user management and security roles within the SAP environment.
Cause:

Insufficient Authorizations: The user attempting to lock another user does not have the required authorization object to perform user locking operations.
Role Configuration: The roles assigned to the user may not include the necessary permissions for user management tasks.
System Configuration: There may be system-wide settings or restrictions that prevent certain users from locking accounts.

Solution:


Check User Authorizations:

Use transaction code SU53 immediately after the error occurs to analyze the authorization check. This will show which authorization object is missing.
Review the authorization profile assigned to the user who is trying to lock another user.



Modify Roles:

If the user lacks the necessary authorizations, you may need to modify their role or assign a new role that includes the required permissions.
The relevant authorization object for locking users is typically S_USER_AUTH or S_USER_PRO (depending on the specific action being performed).



Consult with Security Administrator:

If you do not have the necessary access to change roles or authorizations, contact your SAP security administrator or BASIS team to request the required permissions.



Testing:

After adjustments are made, test the functionality again to ensure that the user can now lock other users without encountering the error.



Related Information:

Authorization Objects: Familiarize yourself with the relevant authorization objects in SAP that pertain to user management. This includes understanding the fields and values that need to be set for the user roles.
SAP Documentation: Refer to SAP Help documentation for detailed information on user management and authorization concepts.
Transaction Codes:

SU01: User maintenance (to lock/unlock users).
PFCG: Role maintenance (to manage roles and authorizations).
SU53: Display authorization check (to troubleshoot authorization issues).



By following these steps, you should be able to resolve the CNV420 error and ensure that the user has the appropriate permissions to lock other users in the SAP system.