SAP Knowledge Base Article - Public

2613056 - Details of SAP Admin, Support and Technical Users


You want to know what are each type of users available in the system and their functionality.


  • SAP Business ByDesign.
  • SAP Cloud for Customer.


1. Why so many SAP users are necessary?
- As this is a cloud based product, these users are available for different sets of user groups (like Basis Administrators use ADMIN* users and the Customer Support team SUPP* users). As it is not feasible to create users for each of the basis admins in the team, we created users for groups instead of per user. The rest is used for different activities like monitoring/update/upgrade/other provisioning related activities.

2. Which authorizations they have?
- Each user group has different set of authorizations and they have different security policies for them as you can see in the UI. Business related activities are restricted and basis administration authorizations are provided as per the audit compliance. 

3. Why the validity is unlimited?
Even if the validity is unlimited, the users will be locked and will be unlocked based on the requirement. Each and every user request is tracked and is part of an audit.

4. Is there a differentiation possible between dialog and non-dialog users?
Yes, we do have the differentiation. Not all users are dialog.

5. When can support users request an access?

If support users recieve a ticket and realize that they have to access the customer system in order to analyze the problem (for example, if they were not able to replicate and solve the issue in the internal test or development systems), they use the Cloud Access Manager (CAM) tool is to generate temporary access to the corresponding customer system. Support users are not allowed to share these details. The CAM tool keeps a log of which user generated which support user at what date and time. So it is always possible to link a generic support user back to the real person.


Dialog Users:
SAP_ADMIN001-SAP_ADMIN005 -> Operation Admin Users.
SAP_SUPP001 - SAP_SUPP010 -> Support Users.

For these users there are many access levels from L2 to L7 (basic log configuration to full system access). They have to choose the minimal basic requirements for their task.

Service Users:
SAP_ADEM001-SAP_ADEM005 -> Fallback Users for Operation Team.
SAP_SUEM001-SAP_SUEM005 -> Fallback Users for Support Team.

Non-dialog users (Technical):

_SAPH0M3 - This user belongs to User Account SAP_SPC, which is related to the system_setup.
DDIC - for installation, software logistics,  Initial System, Setup Lifecycle Management, Database Statistics Batch Jobs, TP Import Jobs and the ABAP dictionary (SAP_ALL).
SAP_BGRFCSUP - for background RFC connections.
SAP_DOCFSI - fast search index.
SAP_IAMLGN – health check/monitoring.
SAP_LMADM - for provisioning (SAP_ALL).
SAP_LMPRV - for provisioning.
SAP_LMUPD - for provisioning.
SAP_SBB - bgRFC communication user.
SAP_SMDMON - for monitoring.
SAP_SMTP_IN - SMTP inbound communication.
SAP_SPC - automated SPC user self service.
SAP_SYSTEM - for job scheduling.
SAP_TLM - transactional user (RFC).
SAP_WSRT - communication user for webservice.
SAP* - superuser for client and system installation (SAP_ALL).
TMSADM - for transports.
XIB2BCONNECT - communication user to XI system.

Aside from these users, the system creates a technical user whenever a communication arrangement is created. In case the arrangement is removed, the user remains in the system with status blocked.

See Also

Follow-up FAQ KBA: 2757453

Help Document: User Types


Technical, User, Business, End, SAP, Admin, Supp, Authorization, Access, Rights , KBA , SRD-CC-IAM , Identity & Access Management , Problem


SAP Business ByDesign all versions ; SAP Cloud for Customer core applications all versions