Authorizations in TMS

Communication between SAP Systems is implemented using RFC connections, which are generated when the Transport Management System (TMS) is configured. Within a transport domain, all the SAP Systems can communicate with each other using RFC.

The following principles apply in the TMS:

To prevent unauthorized access to an SAP System, the two generated RFC connections and/or their users are used:

This connection is used for all read accesses that do not affect sensitive data. The user TMSADM is created in client 000 in each SAP System. This user has the following authorizations only:

User TMSADM enables you to distribute the basis configuration to all SAP Systems in the domain on the domain controller and to display the import queue.

If the authorizations of user TMSADM are not sufficient for certain actions, this internal connection always triggers a logon screen in the target system, where you must identify yourself with a user name and a password. (You can also change the target client in this logon screen.) This user must be authorized to make changes, which means the user must have greater authorization than the automatically created user TMSADM. To do this, give the user the appropriate authorizations.

This ensures that the user must log on in the target system with a user name and password as soon as a function is executed that causes a change in the target system (viewable on the Alert Viewer).

Because changes to the import queue and to imports are considered to be critical to security, an explicit logon is needed to perform these changes.

If you have a large number of SAP Systems to manage, this logon procedure can be time-consuming. To combat this, you can activate TMS Trusted Services or give multiple authorizations to the user TMSADM generated in the SAP System. Change the user TMSADM in the SAP System in which you want to suppress the logon procedure. This is generally not the transport domain controller. This enables multiple accesses via the connection and an explicit logon in the target system is not required for each access.


If authorizations are extended, it is easier for an anonymous user to make changes to the system.

You can also reset user TMSADM to the default again.

The transport workflow uses two generated RFC connections and users, in the same way as the RFC connections above.

This connection is used for all read accesses that do not affect sensitive data. The user TMSADM_WF is created in the Workflow Engine system/client. This user has the following authorizations:

The user TMSADM_WF can create transport proposals in the Workflow Engine, and read transport proposals from the database.

If the authorizations of the user TMSADM_WF are not sufficient, the same applies as for the user TMSADM.

Since you can change transport proposals in the transport proposal inbox or TMS worklist only, you must log on to them explicitly.

For security reasons, we do not recommend extending the authorizations of the user TMSADM_WF.

You can also reset user TMSADM_WF to the default again.
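
The following audit sketch is an added example, not part of the SAP documentation: it flags systems where TMSADM or TMSADM_WF carries more than its default authorizations, which is the condition the text above warns about. The export layout (SID, MANDT, BNAME, PROFILE, modeled on a profile-assignment export such as table UST04), the baseline profile names, and the function name are assumptions; the sample rows are constructed.

```python
import csv
import io

# Assumed default profiles; the page's own authorization lists are not
# reproduced here, so adjust this baseline to your release.
BASELINE = {
    "TMSADM": {"S_A.TMSADM"},
    "TMSADM_WF": {"S_A.TMSWF"},
}

# Constructed sample export: system ID, client, user, assigned profile.
SAMPLE_EXPORT = """SID,MANDT,BNAME,PROFILE
DEV,000,TMSADM,S_A.TMSADM
QAS,000,TMSADM,S_A.TMSADM
QAS,000,TMSADM,S_A.SYSTEM
PRD,000,TMSADM,S_A.TMSADM
PRD,100,TMSADM,S_A.TMSADM
DEV,100,TMSADM_WF,S_A.TMSWF
DEV,100,TMSADM_WF,SAP_ALL
DEV,000,DDIC,SAP_ALL
"""


def audit_tms_users(export_text, baseline=BASELINE):
    """Return sorted findings (sid, client, user, issue) for TMS users."""
    assigned = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        user = row["BNAME"].strip().upper()
        if user in baseline:  # other users are out of scope for this check
            key = (row["SID"].strip(), row["MANDT"].strip(), user)
            assigned.setdefault(key, set()).add(row["PROFILE"].strip())

    findings = []
    for (sid, client, user), profiles in assigned.items():
        # Profiles beyond the baseline widen what the RFC connection can do
        # without an explicit logon in the target system.
        for extra in sorted(profiles - baseline[user]):
            findings.append((sid, client, user, f"extended profile {extra}"))
        # The page describes TMSADM as created in client 000.
        if user == "TMSADM" and client != "000":
            findings.append((sid, client, user, "exists outside client 000"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit_tms_users(SAMPLE_EXPORT):
        print(*finding, sep="\t")
```

Systems that appear in the findings are candidates for resetting the user to the default, as described above.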