Summary -

SAP Basis administrators control access to applications by creating and maintaining users. Users can be collected into groups according to criteria such as company or department, and based on the roles they perform in the project.

Roles can be assigned either to individual users or to a user group. A role defines the user's authorization level to navigate or access a specific set of functions or crucial applications.

Authorizations are the key building blocks of the SAP security system. Authorization is the process of assigning designated values to the fields present in authorization objects.

Access to all system functionality in SAP is achieved through a compound set of authorizations. If a user does not have the necessary authorizations to perform a certain action in the system, the predefined message “You are not authorized…” is displayed on the status bar of the screen.

User administration includes creating, managing and controlling access to the R/3 system, the various R/3 user types and its data. The SAP NW Application Server (AS) Java includes the identity management application for administration of users, groups, and roles. The major user administration tasks are:

  1. Creating users
  2. Locking or unlocking users
  3. Deleting users
  4. Approving or rejecting users

The diagram below explains how users are connected to the servers.

[Figure: User Activities]

SAP User Types -

There are 5 different user types available in the SAP system.

  1. Communication
  2. Dialog
  3. Reference
  4. Service
  5. System

Communication Users -

Communication users cannot log on using SAP GUI and cannot access data through SAP GUI screens. They are allowed to change an expired password using an external link.

The SAP system always checks for password expiry and for an initial password, and prompts for a change when required, depending on the logon method (interactive or non-interactive).

The main purpose of these users is external RFC calls. They can access SAP system data through front-end or external applications.

Dialog Users -

Dialog users can log on using SAP GUI and can access data through SAP GUI screens. The system validates password expiration, the initial password and multiple logons.

Users can change their own password using SAP GUI. These are individual users, and individual, personalized system access is allowed.

Reference Users -

Reference users cannot log on using SAP GUI and cannot access data through SAP GUI screens. The system does not check for an initial password or for password expiration.

These are general, non-person-related users that allow additional authorizations to be assigned to other users, such as internet users. Reference users are used to give authorizations to other users.

Service Users -

Service users can log on using SAP GUI and can access data through SAP GUI screens. The system does not check for an initial password or for password expiration.

Multiple logons are allowed for this kind of user. Users are not allowed to change the password; only the administrator can change it. These users have very restricted, minimal authorizations.

This type of user is created for anonymous users. After individual authentication, an anonymous session begun with a service user can be continued as a person-related session with a dialog user.

System Users -

System users cannot log on using SAP GUI and cannot access data through SAP GUI screens. The system does not check for an initial password or for password expiration.

These users are for system-related and internal system processes. The password change requirement does not apply to these users' passwords, and a password cannot be initial or expired.

Only the user administrator can change the password, and multiple logons are permissible. These users are used for background processing and for external and internal RFC calls.
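
The following is an added example, not part of the original page or of any SAP tooling: it encodes the SAP GUI logon and password-check behaviour of the five user types described above and reviews a list of user records against it. The record fields, the purpose labels, the role-count threshold and the sample records are assumptions made for illustration.

```python
# Type properties as stated in the text above: gui = SAP GUI logon possible,
# pw_checks = system checks for initial / expired passwords.
USER_TYPES = {
    "Communication": {"gui": False, "pw_checks": True},
    "Dialog":        {"gui": True,  "pw_checks": True},
    "Reference":     {"gui": False, "pw_checks": False},
    "Service":       {"gui": True,  "pw_checks": False},
    "System":        {"gui": False, "pw_checks": False},
}
# Assumed purpose labels (hypothetical inventory field) mapped to fitting types.
FITTING_TYPES = {
    "person": {"Dialog"},
    "external_rfc": {"Communication", "System"},
    "background": {"System"},
    "anonymous": {"Service"},
    "auth_template": {"Reference"},
}
INTERACTIVE = {"person", "anonymous"}
MAX_SERVICE_ROLES = 2  # assumed review threshold, not an SAP default

def audit(users):
    """Return (user name, finding) pairs for a list of user records."""
    findings = []
    for u in users:
        props = USER_TYPES.get(u["type"])
        if props is None:
            findings.append((u["name"], "unknown user type"))
            continue
        if u["type"] not in FITTING_TYPES.get(u["purpose"], set()):
            findings.append((u["name"], "type does not fit purpose"))
        if props["gui"] and u["purpose"] not in INTERACTIVE:
            findings.append((u["name"], "non-interactive account can use SAP GUI"))
        if props["gui"] and not props["pw_checks"] and u["roles"] > MAX_SERVICE_ROLES:
            findings.append((u["name"], "GUI logon, no password checks, many roles"))
    return findings

# Constructed sample records (not from a real system).
SAMPLE_USERS = [
    {"name": "JSMITH", "type": "Dialog", "purpose": "person", "roles": 4},
    {"name": "RFC_BILLING", "type": "Dialog", "purpose": "external_rfc", "roles": 3},
    {"name": "BATCH_01", "type": "System", "purpose": "background", "roles": 5},
    {"name": "WEB_ANON", "type": "Service", "purpose": "anonymous", "roles": 6},
    {"name": "TEMPLATE_HR", "type": "Reference", "purpose": "auth_template", "roles": 1},
    {"name": "OLD_IF", "type": "Interface", "purpose": "external_rfc", "roles": 1},
]
if __name__ == "__main__":
    for name, finding in audit(SAMPLE_USERS):
        print(f"{name}: {finding}")
```
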