Using SAP User types correctly
The SAP user types are often not used correctlys. This article will help to clear up the most common misunderstandings.
by Frank Wagner on 6/18/2019
Again and again I encounter some misunderstandings with the customer about the user types in SAP (classical ABAP user administration - su01).
The following understanding of user types is often encountered:
- Dialog: for users
- Batch / System: For background users
- Service: for Internet users
- Communication: for RFC user
- Reference: as copy template for new users
Unfortunately, this is so wrong or outdated, because SAP has already changed the meaning of user types in Release 4.6C (see SAP Note 327917).
The main differences between user types today are their behavior when changing passwords and logging on to the GUI:
| User type | Logon to | Password expiration | Password change | SSO Tickets |
|---|---|---|---|---|
| Dialog | GUI/RFC | Yes | Yes | Yes |
| System | RFC | No | No | No |
| Service | GUI/RFC | No | No | No |
| Communications | RFC | Yes | Yes | Yes |
| Reference | None | n/a | n/a | n/a |
RFC communication
In particular, the user types System and Communication are often used incorrectly.
The type Communication should only be used if an end user - with the option of changing the password - is also connected by RFC. For example, with tools such as the BEx Analyser or the DVS Easy Doc. Management. However, this requires that the RFC tool is also able to make password changes. As a rule, this only applies to a few RFC tools.
If the end user has to work with the GUI at least occasionally, it is again a dialog user.
The type System, on the other hand, must be used for all other RFC connections - for example, for the fax server connected by RFC. Interestingly, this has not yet got around completely at SAP either: when I set up Solution Manager 7.0 for the first time a few years ago, SMSY generated all users with communication - in the meantime this error has been corrected.
You notice this error whenever you change the password rules so that they expire: suddenly the RFC connections no longer work because the passwords of the communication users expire. You should therefore check the user types for correct assignment before activating the password process.
Service
As you can see from the list, service users are able to work in the GUI and are not subject to the password flow. This means that they are also suitable for use as emergency or admin users - if you set your emergency user to Service, you prevent the user from forgetting to re-enter the expired emergency user password in the password list in the hectic of an emergency access.
Unfortunately, in many system security guides, you can still find that service users should only be used for Internet communication - so service users are often criticized in system audits.
SSO logon tickets are another trap for service users. These are used for passwordless logon between SAP systems. SSO tickets are not generated for service users. Therefore, do not use the service users for all your administrators, as they may encounter unusual logon problems.
Reference
Interesting is the use of a reference user. You can enter this in the "Roles" tab in the user profile. Thus the user "inherits" all authorizations of the reference user.
However, you should be careful with this, as it becomes more difficult to trace the authorizations of a user. However, if you have already reached the maximum number of profiles for a user, you can use this "trick" to transfer some of the role assignments to the reference user.
- Author: Frank Wagner