In "USER MAINTENANCE - SU01" --> in the "Logon" tab there are 5 different user types:
1. dialog
2. system
3. communication
4. service
5. reference
Kindly mention the function and role of each of the above-mentioned user types specifically, and how one user type differs from another.
::Dialog (A)::
User type for exactly one interactive user (all logon types including Internet users):
During a dialog logon, the system checks whether the password has expired or is initial. Users can change their own password.
Multiple dialog logons are checked and, where appropriate, logged.
::System (B)::
User type for background processing and communication within a system (internal RFC calls).
A dialog logon is not possible.
The system does not check whether the password has expired or is initial.
Due to a lack of interaction, no request for a change of password occurs. (Only the user administrator can change the password.)
Multiple logons are permissible.
::Communication (C)::
User type for dialog-free communication between systems (such as RFC users for ALE, Workflow, TMS, and CUA):
A dialog logon is not possible.
Whether the system checks for expired or initial passwords depends on the logon method (interactive or not interactive). Due to a lack of interaction, no request for a change of password occurs.
::Service (S)::
User type that is a dialog user available to a larger, anonymous group of users. Assign only very restricted authorizations for this user type:
During a logon, the system does not check whether the password has expired or is initial. Only the user administrator can change the password (transaction SU01, Goto → Change Password).
Multiple logons are permissible.
Service users are used, for example, for anonymous system accesses through an ITS service. After an individual authentication, an anonymous session begun with a service user can be continued as a person-related session with a dialog user.
::Reference (L)::
User type for general, non-person-related users that allows the assignment of additional identical authorizations, such as for Internet users created with transaction SU01. You cannot log on to the system with a reference user.
To assign a reference user to a dialog user, specify it when maintaining the dialog user on the Roles tab page. In general, the application controls the assignment of reference users. This assignment is valid for all systems in a Central User Administration (CUA) landscape. If the assigned reference user does not exist in a CUA child system, the assignment is ignored.
You should be very cautious when creating reference users.
If you do not implement the reference user concept, you can deactivate this field in accordance with SAP Note 330067.
We also recommend that you set the value for the Customizing switch REF_USER_CHECK in table PRGN_CUST to "E". This means that only users of type REFERENCE can then be assigned. Changing the Customizing switch affects only new assignments of reference users. Existing assignments are retained.
We further recommend that you place all reference users in one particularly secure user group to protect them from changes to assigned authorizations and deletion.
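An added example, not part of the original post: a Python audit over constructed exports of USR02 (user type and user group) and USREFUS (reference-user assignments) that reports reference users outside the secure group and existing assignments that REF_USER_CHECK = "E" would no longer allow. The export column names and the group name REFSECURE are assumptions.

```python
import csv
import io

# Constructed sample exports (not from a real system). Column names follow
# the USR02 and USREFUS table fields; treat them as assumptions for your export.
USR02_CSV = """BNAME,USTYP,CLASS
JSMITH,A,SALES
WEBSHOP_REF,L,REFSECURE
PORTAL_REF,L,SALES
ALE_RFC,C,TECH
ITS_ANON,S,TECH
"""
USREFUS_CSV = """BNAME,REFUSER
JSMITH,WEBSHOP_REF
ITS_ANON,ALE_RFC
ALE_RFC,
MMEIER_WEB,OLD_REF
"""

def load(text):
    return list(csv.DictReader(io.StringIO(text)))

def audit_reference_users(users, assignments, secure_group):
    """Return (check, user, detail) findings for reference-user hygiene."""
    by_name = {u["BNAME"]: u for u in users}
    findings = []
    # Reference users (type L) should all sit in one secure user group.
    for u in users:
        if u["USTYP"] == "L" and u["CLASS"] != secure_group:
            findings.append(("REF_OUTSIDE_SECURE_GROUP", u["BNAME"], u["CLASS"]))
    for a in assignments:
        ref = a["REFUSER"].strip()
        if not ref:
            continue  # no reference user assigned
        target = by_name.get(ref)
        if target is None:
            # Such an assignment is ignored where the reference user is absent.
            findings.append(("REF_USER_MISSING", a["BNAME"], ref))
        elif target["USTYP"] != "L":
            # Existing assignment that REF_USER_CHECK = "E" would now reject.
            findings.append(("REF_NOT_TYPE_L", a["BNAME"], f"{ref} is type {target['USTYP']}"))
    return findings

if __name__ == "__main__":
    for f in audit_reference_users(load(USR02_CSV), load(USREFUS_CSV), "REFSECURE"):
        print(*f, sep=" | ")
```

Because changing the switch affects only new assignments, a check like this is how retained older assignments to non-reference users are found.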