RFC Connections in the TMS

Communication between SAP systems is implemented using RFC connections, which are generated when the Transport Management System (TMS) is configured. Within a transport domain, all the SAP systems can communicate with each other using RFC.

To prevent unauthorized access to an SAP system, the following generated RFC connections and/or their users are used:

  • Connection for read accesses (TMSADM@<SID>.<Transport Domain Name>)

    This connection is used for all read accesses that do not affect sensitive data. The user TMSADM is created in client 000 in each SAP system. This user has only the following authorizations:

    • Read and write authorization for the common transport directory
    • RFC authorization in the TMS
    • Display authorization in the CTS

    User TMSADM enables you to distribute the basis configuration to all SAP systems in the domain on the domain controller and to display the import queue.

  • A connection for accesses that cause changes in the target system (TMSSUP@<SID>.<transport domain name>)

    If the authorizations of user TMSADM are not sufficient for certain actions, this internal connection always triggers a logon screen in the target system, where you must identify yourself with a user name and a password. (You can also change the target client on this logon screen.) This user must be authorized to make changes. This means the user must have greater authorization than that of the automatically created user TMSADM.

    This ensures that the user must log on in the target system with a user name and password as soon as a function is executed that causes a change in the target system (viewable on the Alert Viewer).

    Since changes to the import queue and to imports are considered to be critical to security, an explicit logon is needed to perform these changes.

    If you have a large number of SAP systems to manage, this logon procedure can be time-consuming. To avoid this, you can activate TMS Trusted Services.

The transport workflow uses two generated RFC connections and users, in the same way as the RFC connections above.

  • Connection for read accesses (TMSWF@WORKFLOW_ENGINE)

    This connection is used for all read accesses that do not affect sensitive data. The user TMSADM_WF is created in the Workflow Engine system/client. This user has the following authorizations:

    • Read and write authorization for the common transport directory
    • RFC authorization in the TMS
    • Display authorization in the CTS
    • Count the work items in the inbox

    The user TMSADM_WF can create transport proposals in the Workflow Engine, and read transport proposals from the database.

  • A connection for accesses that cause changes in the target system

    If the authorizations of the user TMSADM_WF are not sufficient, the same applies as for the user TMSADM.

    Since you can only change transport proposals in the transport proposal inbox or TMS worklist, you must log on to them explicitly.

    For security reasons, we do not recommend extending the authorizations of the user TMSADM_WF.

You can also reset user TMSADM_WF to the default again.
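
The separation described above can be checked during an audit: read connections should run as the restricted users TMSADM and TMSADM_WF, and a TMSSUP connection should carry no stored logon data, because stored credentials would replace the explicit logon. The following Python sketch is an added example, not SAP code; the CSV layout, the finding codes and the sample rows are assumptions constructed for illustration, and it assumes TMS Trusted Services is not activated.

```python
import csv
import io
import re

# Constructed sample data. The CSV columns are assumptions made for this
# example, not an SAP export format.
SAMPLE_EXPORT = """destination,client,user,password_saved
TMSADM@DEV.DOMAIN_DEV,000,TMSADM,yes
TMSSUP@DEV.DOMAIN_DEV,,,no
TMSADM@QAS.DOMAIN_DEV,000,BASIS_ADMIN,yes
TMSSUP@PRD.DOMAIN_DEV,000,BASIS_ADMIN,yes
TMSWF@WORKFLOW_ENGINE,100,TMSADM_WF,yes
FINANCE_RFC,100,RFCUSER,yes
"""

# Naming scheme from the page: TMSADM@<SID>.<domain>, TMSSUP@<SID>.<domain>.
DOMAIN_DEST = re.compile(r"^(TMSADM|TMSSUP)@[A-Z][A-Z0-9]{2}\.\S+$")
WORKFLOW_DEST = "TMSWF@WORKFLOW_ENGINE"


def audit_tms_destinations(export_text):
    """Return sorted (destination, finding_code) pairs for TMS destinations."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        dest = row["destination"].strip()
        client = row["client"].strip()
        user = row["user"].strip().upper()
        saved = row["password_saved"].strip().lower() == "yes"
        match = DOMAIN_DEST.match(dest)
        kind = match.group(1) if match else None
        if kind == "TMSADM":
            # Read connection: should run as the restricted TMSADM user,
            # which the page says is created in client 000.
            if user != "TMSADM":
                findings.append((dest, "READ_CONNECTION_WRONG_USER"))
            if client != "000":
                findings.append((dest, "READ_CONNECTION_WRONG_CLIENT"))
        elif kind == "TMSSUP":
            # Change connection: must show a logon screen, so any stored
            # user or password removes the explicit logon.
            if user or saved:
                findings.append((dest, "CHANGE_CONNECTION_STORED_LOGON"))
        elif dest == WORKFLOW_DEST and user != "TMSADM_WF":
            findings.append((dest, "WORKFLOW_CONNECTION_WRONG_USER"))
    return sorted(findings)


if __name__ == "__main__":
    for dest, code in audit_tms_destinations(SAMPLE_EXPORT):
        print(f"{code}: {dest}")
```

Destinations that do not follow the TMS naming scheme, such as the constructed FINANCE_RFC row, are ignored by this check.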