Sandeep,

Communication users and system users are both non-interactive accounts. I

consistently use system accounts. I found that communication accounts need to have their password changed on first logon, which is somewhat cumbersome with a non-dialog account....

If you notice RFC user profiles, they usually have SAP_ALL ,SAP_NEW. __There are able to execute the transactions_.

There are reasons for denying SAP_ALL in PS environment.

no-one should have this in any system. SAP_ALL enables you to 'jump'

systems using - for example - tx. SM59. they might in this way also jump to

your PRD system AND -depending on the authorizations of the SM59 user- might then have another SAP_ALL again. this is not to be tolerated.

If you are giving SAP_ALL in production for RFC users,then u need to convenice the aduitors.

other Options for SAP_ALL is _firefighter role

Communication

For this kind of users:-

GUI login is not possible.

Users are allowed to change password through some software in middle tier.

Usage:- These are used for login to system through external systems like web application

System :

GUI login is not possible.

Initial password and expiration of passowrd are not checked.

Usage:- These are used for internal use in system like background jobs.

Service:

GUI login is possible.

Initial password and expiration of passowrd are not checked.

Multiple logins are allowed.

Users are not allowed to change the password. Only admin can change the password

Usage:- These are used for anonymous users. This type of users should be given minimum authorization.

dialog & service both are same,only difference in service user type is No password expiry.

still user is able to logon thry GUI.

Thanks,

Sri