https://community.sap.com/t5/application-development-and-automation-discussions/communication-vs-system-user-types/m-p/7927129#M1599357 <HTML><HEAD></HEAD><BODY><P>All:</P><P></P><P>I was researching something else when I came across an article or note (forgot already) but what I do remember is that SAP was moving more towards System ids and not using Communication Ids. Furthermore Communication ids could be changed over to System ids with no impact (to account behavior).</P><P></P><P>My searches have come up short and now seeking out to see if any one read this or has insights into this.</P><P></P><P>- Matt</P></BODY></HTML> Tue, 21 Jun 2011 20:11:48 GMT Former Member 2011-06-21T20:11:48Z https://community.sap.com/t5/application-development-and-automation-discussions/communication-vs-system-user-types/m-p/7927129#M1599357 <HTML><HEAD></HEAD><BODY><P>All:</P><P></P><P>I was researching something else when I came across an article or note (forgot already) but what I do remember is that SAP was moving more towards System ids and not using Communication Ids. Furthermore Communication ids could be changed over to System ids with no impact (to account behavior).</P><P></P><P>My searches have come up short and now seeking out to see if any one read this or has insights into this.</P><P></P><P>- Matt</P></BODY></HTML> Tue, 21 Jun 2011 20:11:48 GMT https://community.sap.com/t5/application-development-and-automation-discussions/communication-vs-system-user-types/m-p/7927129#M1599357 Former Member 2011-06-21T20:11:48Z https://community.sap.com/t5/application-development-and-automation-discussions/communication-vs-system-user-types/m-p/7927130#M1599358 <HTML><HEAD></HEAD><BODY><P>What were your search terms?</P><P></P><P>There are several discussions about this on SDN and the better ones reference SAP Note 622464.</P><P></P><P>There are also many other SAP notes which describe symptoms of this user type problem in applications (Workflow, STMS, IS-* ... all the usual suspects <SPAN __jive_emoticon_name="happy"></SPAN></P><P></P><P>Cheers,</P><P>Julius</P></BODY></HTML> Tue, 21 Jun 2011 20:44:04 GMT https://community.sap.com/t5/application-development-and-automation-discussions/communication-vs-system-user-types/m-p/7927130#M1599358 Former Member 2011-06-21T20:44:04Z https://community.sap.com/t5/application-development-and-automation-discussions/communication-vs-system-user-types/m-p/7927131#M1599359 <HTML><HEAD></HEAD><BODY><P>Julius,</P><P></P><P>These are definately helpful. As for the part around moving away from "Communcation" user types and only use "System", any thoughts?</P><P></P><P>I know eRecruit needs to use Communication users.</P><P></P><P>- Matt</P><P></P><P>Edited by: Matt Urban on Jun 21, 2011 1:57 PM</P></BODY></HTML> Tue, 21 Jun 2011 20:55:47 GMT https://community.sap.com/t5/application-development-and-automation-discussions/communication-vs-system-user-types/m-p/7927131#M1599359 Former Member 2011-06-21T20:55:47Z https://community.sap.com/t5/application-development-and-automation-discussions/communication-vs-system-user-types/m-p/7927132#M1599360 <HTML><HEAD></HEAD><BODY><PRE><CODE><P></P><P>I know eRecruit needs to use Communication users.</P><P></P></CODE></PRE><P>There is a use-case for this when the end-user should be named as the communication partner but should not be SAPGui capable.</P><P></P><P>Communication users are personalized backend users for real humans in this case, who can also change their own passwords via non-SAP protocols.</P><P></P><P>In those cases you typically use real SSO anyway and delete the password, so can also use SYSTEM users for them if there are no licensing implications and they do not / should not be able to start external http debugging calls to the backend...</P><P></P><P>I am not aware of any defendable use-case for COMMUNICATION type users anymore, but suspect that you want HR applicants to have their own accounts in the backend and they are still using their own named IDs and passwords of the backend sytem. Okay... maybe there is a use case still.</P><P></P><P>When making the change, you need to consider:</P><P></P><P>SYSTEM type users cannot change their own passwords.</P><P>SYSTEM type users do not need to change their own passwords based on password rules.</P><P>SYSTEM type users cannot <U>issue</U> SAP login tickets, but <STRONG>can</STRONG> accept them if issued by the calling system (external portal?).</P><P></P><P>In all three cases, you have a higher level of security <STRONG>against</STRONG> DoS attacks and client / server side "identity hoppers" (proprietary terminology of Julius Bussche...:-) by using SYSTEM type users.</P><P></P><P>As of release 7.30 you can also assign security policies directly to the users which will give them a different password policy to follow than the RZ11 login parameters (until they pass the interview... and become employees, etc).</P><P></P><P>I am not familiar with eRecruit. Does the implemention guide recommend COMMUNICATION type users explicitly?</P><P></P><P>Cheers,</P><P>Julius</P></BODY></HTML> Tue, 21 Jun 2011 21:28:22 GMT https://community.sap.com/t5/application-development-and-automation-discussions/communication-vs-system-user-types/m-p/7927132#M1599360 Former Member 2011-06-21T21:28:22Z https://community.sap.com/t5/application-development-and-automation-discussions/communication-vs-system-user-types/m-p/7927133#M1599361 <HTML><HEAD></HEAD><BODY><PRE><CODE><P> </P><P>In all three cases, you have a higher level of security <STRONG>against</STRONG> DoS attacks and client / server side "identity hoppers" (proprietary terminology of Julius Bussche...:-) by using SYSTEM type users. </P><P></P></CODE></PRE><P> </P><P></P><P>Interesting statement. Could you explain or provide documentation into how-so? Its my understanding that both System and Communication user types can be leveraged for external RFC connections and system-to-system communications and would be suspect to DoS &amp; "identity hopping" (C) Julius Bussche. </P><P></P><P></P><P>I have marked this thread as answered but your statement has sparked an intriguing path I would like to travel down.</P><P></P><P>- Matt</P></BODY></HTML> Tue, 21 Jun 2011 21:39:38 GMT https://community.sap.com/t5/application-development-and-automation-discussions/communication-vs-system-user-types/m-p/7927133#M1599361 Former Member 2011-06-21T21:39:38Z https://community.sap.com/t5/application-development-and-automation-discussions/communication-vs-system-user-types/m-p/7927134#M1599362 <HTML><HEAD></HEAD><BODY><P>If you can interactivately change the password (as is the case with COMMUNICATION type users), then you can:</P><P></P><P>a) Break the existing interface(s) as their previously correct passwords fail.</P><P>b) Logon with the new password from your own client application where you have more access.</P><P>c) Logon to systems which issue SSO2 logon tickets and then find interfaces which make subsequent calls to other systems.</P><P></P><P>For me these are 3 very good reasons to avoid COMMUNICATION type user ID's, particularly if they have saved logon data in connection configurations (SM59, etc).</P><P></P><P>Cheers,</P><P>Julius</P></BODY></HTML> Tue, 21 Jun 2011 21:59:39 GMT https://community.sap.com/t5/application-development-and-automation-discussions/communication-vs-system-user-types/m-p/7927134#M1599362 Former Member 2011-06-21T21:59:39Z https://community.sap.com/t5/application-development-and-automation-discussions/communication-vs-system-user-types/m-p/7927135#M1599363 <HTML><HEAD></HEAD><BODY><P>Thanks great points.</P></BODY></HTML> Tue, 21 Jun 2011 22:00:57 GMT https://community.sap.com/t5/application-development-and-automation-discussions/communication-vs-system-user-types/m-p/7927135#M1599363 Former Member 2011-06-21T22:00:57Z https://community.sap.com/t5/application-development-and-automation-discussions/communication-vs-system-user-types/m-p/7927136#M1599364 <HTML><HEAD></HEAD><BODY><P>When I read your answers I feel like I hardly know anything in SAP security. <SPAN __jive_emoticon_name="sad" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.sap.com/1024/images/emoticons/sad.gif"></SPAN></P></BODY></HTML> Fri, 03 Oct 2014 10:47:51 GMT https://community.sap.com/t5/application-development-and-automation-discussions/communication-vs-system-user-types/m-p/7927136#M1599364 Former Member 2014-10-03T10:47:51Z https://community.sap.com/t5/application-development-and-automation-discussions/communication-vs-system-user-types/m-p/7927137#M1599365 <HTML><HEAD></HEAD><BODY><P>Well... you used the search (winner) and now you know this (another winner), so you will be fine..&nbsp; <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P></BODY></HTML> Fri, 03 Oct 2014 11:18:38 GMT https://community.sap.com/t5/application-development-and-automation-discussions/communication-vs-system-user-types/m-p/7927137#M1599365 Former Member 2014-10-03T11:18:38Z