You
can specify the following user types:
● Dialog
(A)
Individual system access (personalized)
It is possible to log on using SAP GUI. The user is therefore capable
of interaction through SAP GUI.
The system checks whether the password has expired or is initial.
The user can change his or her password himself or herself.
Multiple dialog logons are checked and, where appropriate, logged.
Purpose: for individual human users (including Internet users)
● System
(B)
System-related and internal system processes.
It is not possible to log on using SAP GUI. The user is therefore
incapable of interaction through SAP GUI.
The password change requirement does not apply to the passwords, that
is, they cannot be initial or expired.
Only a user administrator can change the password.
Multiple logons are permissible.
Purpose: background processing and communication within a system
(internal RFC calls) and between multiple systems (external RFC calls).
Purpose: for example, RFC users for ALE, workflow, TMS, CUA.
● Communications
(C)
Individual system access (personalized)
It is not possible to log on using SAP GUI. The user is therefore
incapable of interaction through SAP GUI.
Although the system checks whether the password has expired or is
initial, the implementation of the requirement to change the password, which
exists in principle, depends on the logon method (interactive or
non-interactive).
The user can change his or her password himself or herself.
Purpose: external RFC calls of individual human users.
● Service
(S)
Shared system access for a larger, anonymous group of
users. Assign only very restricted authorizations for this user
type.
It is possible to log on using SAP GUI. The user is therefore capable
of interaction through SAP GUI.
During a log on, the system does not check whether the password has
expired or is initial.
Only a user administrator can change the password.
Multiple logons are permissible.
Purpose: Anonymous system access (such as for public Web services).
After an individual authentication, an anonymous session begun with a service
user can be continued as a person-related session with a dialog user.
● Reference
(L)
It is not possible to log on to the system.
User type for general, non-person related users that allows the
assignment of additional identical authorizations, such as for Internet users
created with transactions SU01.
To assign a reference user to a dialog user, specify it when
maintaining the dialog user on the Roles tab page. In general, the
application controls the assignment of reference users. This assignment is
valid for all systems in a Central User Administration (CUA) landscape. If the
assigned reference user does not exist in a CUA child system, the assignment is
ignored.
You should be very cautious when creating reference users.
■ If
you do not implement the reference user concept, you can deactivate this field
in accordance with SAP Note 330067.
■ We
also recommend that you set the value for the Customizing switch REF_USER_CHECK
in table PRGN_CUST to "E". This means that only users of type
REFERENCE can then be assigned. Changing the Customizing switch affects only
new assignments of reference users. Existing assignments are retained.
■ We
further recommend that you place all reference users in one particularly secure
user group to protect them from changes to assigned authorizations and
deletion.
