There are several reasons. The main ones are:

- They they can change their own passwords, so the client application in the exchange can be used for DoS attacks.

- They can issue logon tickets to the client, so the client application can use the target as a "stepping stone" to other systems.

- The authority-checks are slightly stricter for SYSTEM type users, so Communication users cannot be protected in the same way.

- Communication type users are not exempted from all of the (optional) password rules (validity, policy compliance) so will prevent you from using them.

In the security wiki there is infos for you on how to go about tracing, mapping and working out the "cardinality" of connections from and to your system (which was your real question).

Just do a search and feel welcome to contribute to the wiki if you have some good tips.

Cheers,

Julius

Thanks Julius

I never really did understand the difference between those two apart from the password change.

And now I've forgotten where I live (new in - old out)... D'oh!

Kind regards

David

> Communication type user is meant for SAP 's own usage .... like installation defaulted RFCs, background users for some SAP house keeping Jobs etc.

>

> System type user id is a similar kind (not exactly) of user id for Customer 's own usage.

Hmm... this looks very suspect to me. Can you reference an official source for it (because it should be changed).

I asked SAP to change the help.sap.com documentation some time ago and there are many SAP Notes which confirm that SAP only uses the SYSTEM type user now.

An exception in user SAPCPIC still, but for that one the recommendation is to delete the user ID completely if you are not using and have disabled CPIC calls.

If this is wrong... then I'll eat my hat...

Cheers,

Julius

I plan to finish it by year-end. You are all welcome to chip in - that is what wikis are about.

I added a general comment upfront on the importance of the user type.

Cheers,

Julius

Edited by: Julius Bussche on Sep 30, 2010 9:53 PM

>

> --> sure? I thought non dialog users are not charged....(that is so in my 7.0 system....
> 
> b.rgds, Bernhard

They are free of charge ... and <phew> if they were not, our PI/XI-system would definitely ruin us! That system creates userIDs for every process!

Assign them license-type 91 (Test) (that should work for every kind of price-list you have signed your contract for).

Dipanjan was refering only to Communication type users. They are now intended to be used by human individuals each having their own communication type user ID - so they are license relevant, or should be...

SYSTEM and SERVICE type users are by design not intended to be license relevant.

Cheers,

Julius

Communication Users

If there are technical users in use and they fall into one of the categories below, they can be classified as test users (ID 91).  

Communication
Cross-system activities, not capable of interaction
    *
      Batch Input
    *
      External RFC
    *
      CPIC 

System

System  	System-dependent and system-internal activities, not capable of interaction  	
Internal RFC
Background processing

Service

Service  	System access (anonymous) used jointly by different users, not capable of interaction  	
Anonymous system access (Internet user)

For all SAP Pricelist types - published at service.sap.com/licenseauditing

From a licesing PoV (as of now) they are '91' (free of charge) - the main criterium being: interaction. If every dialogue-user would have her/his own communication user (for whatever purpose ... ) the license-data would still be compressed and the license type with the highest monetary value will be billed (in named user measurement).

Edited by: Mylène Dorias on Oct 4, 2010 12:54 PM

Edited by: Mylène Dorias on Oct 4, 2010 12:55 PM

I think we need to get away from the assumption that a "technical user" is anything other than a Dialog type user.

Unfortunately legacy documentation and urban legends do not make this shift very intuitive...

Cheers,

Julius

Please think of the 3.1I / 4.5B installations that are still out there ... and will be in extended maintenance forever! At that time there was no such thing as 'Service' - User ...

>

> I'm only referring to those releases where the user type SERVICE exists - and that's not 3.x, 4.0x or 4.5x.
> The user-type COMMUNICATION, however, also exists in those old releases.
> Kindly notice the release-validity information of note 622464.
> 
> Cheers,
> Wolfgang

I know that note by heart

And -obviously- I failed to make myself clear - of course there was user-type 'Communication' or 'CPIC' which -at that time- was free of charge - which probably is the reason it still is free of charge (downward compatibility).

>

 
> PS: "nothing is forever" ...

I now I failed at an attempt at sarcasm ... I think, I should go home now

>

 
> PS: I can even remember R/3 2.1G ...
> 

So do I. The memory alone is another reason to go home

>

> We are still on 4.6C   

Oh!!

Now we please need your kernel release and patch level in order to decide what to advise ...

You should still change the usrr type to SYSTEM and check there are to type 'D' users in USR02 either!

Cheers,

Julius

>

> You should still change the usrr type to SYSTEM and check there are to type 'D' users in USR02 either!
> 
> Cheers,
> Julius

Only after having checked the kernel/patch, otherwise you might run into problems [like this one|https://service.sap.com/sap/support/notes/760414].

Okay, we don't know whether the kernel hasn't been patched in the past 6 years, nor whether CPIC communication is being used at all - or possibly even param login/disable_cpic = 1 would have made an even shorter audit out of this user type aspect of the original question.

In short to summarize: You can still use Communication type users for when the application user in the client side "owns" the ID and is permitted to change the password, but you simply want to achieve that they cannot logon via the SAPGui logon screen. By implication, you should not save the password of any Communication type users into logon data storages (SM59, SICF, etc) in the same way that you should not do so for Dialog type users.

If you want to use "hardwired" users for system communication or making services available on the system, use SYSTEM type users or respectively SERVICE type users. Note that with SERVICE type users the remote callers can not only debug their own applications, but also the backend ABAP applications in the context of the connection user, and with the authorizations of the user entered in the connection (if authorized for debugging - even display debugging is critical here!).

Cheers,

Julius