CTS User Administration and Authentication

CTS uses the user management and authentication mechanisms provided with the SAP NetWeaver platform, in particular SAP NetWeaver Application Server for ABAP. Therefore, the security recommendations and guidelines for user administration and authentication as described in the SAP NetWeaver Application Server for ABAP Security Guide also apply to CTS.

In addition to these guidelines, we include information about the standard users that are delivered with CTS:

The table below shows the standard users that are necessary for operating TMS.

Standard Users

User ID: TMSADM
Type: System
Password:
  1. The password is user-defined. You specify the password when you configure the domain controller. This password is then valid for the entire domain. You must also use this password in other systems of the domain.

  2. In older releases, the default passwords PASSWORD or $1Pawd2& may exist.
    Caution: Change the default password.

Description:

TMSADM is a system user with authorizations limited to certain display and TMS configuration activities. It is created on all ABAP systems in client 000 when TMS is configured.

TMSADM has display authorizations, such as the display of

  • system properties
  • transport configuration
  • transport logs and data files (content of transport requests)
  • import queues.

TMSADM is also used for the distribution of transport configuration changes to systems of the current transport domain.

The user ID and password are stored in the TMSADM* RFC destinations and in the CTS Passwords area in the secure storage of the system under /CTS/PWD/$T$/<domain>/DOMCTL.

The default profile is S_A.TMSADM. You must never extend this profile or add a profile or role of your own to the user.

For more information about changing the password of user TMSADM, see Changing the Password of User TMSADM.

For more information about securing user TMSADM, see Protecting Special Users.

User ID: TMSADM_WF
Type: System
Password: One of the default passwords PASSWORD or $1Pawd2&.

Caution: Change the password.

Recommendation: If you use SAP Solution Manager, you can use Quality Gate Management or Change Request Management in SAP Solution Manager for workflow functions.

Description:

TMSADM_WF is a system user with authorizations limited to TMS Workflow activities. It is created on all systems that are configured as Transport Workflow Engines in the client of the Workflow Engine during configuration of the TMS Workflow.

The default profiles are S_A.TMSADM and S_A.TMSWF.

For more information about changing the password of user TMSADM_WF, see SAP Note 2017125.

For more information on configuring the Transport Workflow, see Configuring the Transport Workflow.

User ID: DDIC
Type: Dialog
Password: User-defined. It must be set during the installation of the SAP system.

Description:

By default, user DDIC is used internally when imports are performed. It is available in all ABAP systems in all clients.

Recommendation: Change the user that is used for imports by changing the user that is set up for the transport background job (RDDIMPDP). For more information, see Protecting Special Users.

If you did not change the user set up for the transport background job to a user other than DDIC, and if user DDIC was locked for security reasons, you need to unlock it temporarily to perform imports. For more information about securing user DDIC, see Securing User DDIC Against Misuse.