SAP System User types (Dialog, system, communications, service, reference )

You can specify the following user types:

●      Dialog (A)

Individual system access (personalized)

It is possible to log on using SAP GUI. The user is therefore capable of interaction through SAP GUI.

The system checks whether the password has expired or is initial.

The user can change his or her password himself or herself.

Multiple dialog logons are checked and, where appropriate, logged.

Purpose: for individual human users (including Internet users)

●      System (B)

System-related and internal system processes.

It is not possible to log on using SAP GUI. The user is therefore incapable of interaction through SAP GUI.

The password change requirement does not apply to the passwords, that is, they cannot be initial or expired.

Only a user administrator can change the password.

Multiple logons are permissible.

Purpose: background processing and communication within a system (internal RFC calls) and between multiple systems (external RFC calls). Purpose: for example, RFC users for ALE, workflow, TMS, CUA.

●      Communications (C)

Individual system access (personalized)

It is not possible to log on using SAP GUI. The user is therefore incapable of interaction through SAP GUI.

Although the system checks whether the password has expired or is initial, the implementation of the requirement to change the password, which exists in principle, depends on the logon method (interactive or non-interactive).

The user can change his or her password himself or herself.

Purpose: external RFC calls of individual human users.

●      Service (S)

Shared system access for a larger, anonymous group of users.  Assign only very restricted authorizations for this user type.

It is possible to log on using SAP GUI. The user is therefore capable of interaction through SAP GUI.

During a log on, the system does not check whether the password has expired or is initial.

Only a user administrator can change the password.

Multiple logons are permissible.

Purpose: Anonymous system access (such as for public Web services). After an individual authentication, an anonymous session begun with a service user can be continued as a person-related session with a dialog user.

●      Reference (L)

It is not possible to log on to the system.

User type for general, non-person related users that allows the assignment of additional identical authorizations, such as for Internet users created with transactions SU01.

To assign a reference user to a dialog user, specify it when maintaining the dialog user on the Roles tab page. In general, the application controls the assignment of reference users. This assignment is valid for all systems in a Central User Administration (CUA) landscape. If the assigned reference user does not exist in a CUA child system, the assignment is ignored.

You should be very cautious when creating reference users.

■       If you do not implement the reference user concept, you can deactivate this field in accordance with SAP Note 330067.

■       We also recommend that you set the value for the Customizing switch REF_USER_CHECK in table PRGN_CUST to "E". This means that only users of type REFERENCE can then be assigned. Changing the Customizing switch affects only new assignments of reference users. Existing assignments are retained.

■       We further recommend that you place all reference users in one particularly secure user group to protect them from changes to assigned authorizations and deletion.