RFC Connections in the TMS 
Communication between SAP systems is implemented using RFC connections, which are generated when the Transport Management System (TMS) is configured. Within a transport domain, all the SAP systems can communicate with each other using RFC.
To prevent unauthorized access to an SAP system, the following generated RFC connections and/or their users are used:
A connection for read access (TMSADM@<SID>.<transport domain name>)
This connection is used for all read accesses that do not affect sensitive data. The user TMSADM is created in client 000 in each SAP system. This user has only the following authorizations:
Read and write authorization for the shared transport directory
RFC authorization in the TMS
Display authorization in the CTS
User TMSADM enables you to distribute the basis configuration to all SAP systems in the domain on the domain controller, and to display the import queue.
A connection for accesses that cause changes in the target system (TMSSUP@<SID>.<transport domain name>)
If the authorizations for user TMSADM are not sufficient for certain actions, this internal connection always triggers a logon screen in the target system where you need to identify yourself with a user name and a password. (You can also change the target client in this logon screen.) This user must be authorized to make changes. This means the user must have greater authorization than that of the automatically created user TMSADM. This ensures that the user must log on in the target system with a user name and password as soon as a function is executed that causes a change in the target system (viewable on the Alert Viewer).
Since changes to the import queue and to imports are considered to be critical to security, an explicit logon is needed to perform these changes.
If you have a large number of SAP systems to manage, this logon procedure can be time-consuming. To avoid this, you can activate TMS Trusted Services.
The transport workflow also uses two generated RFC connections and users, in the same way as the RFC connections above.
Connection for read access (TMSWF@WORKFLOW_ENGINE)
This connection is used for all read accesses that do not affect sensitive data. The user TMSADM_WF is automatically created in the Workflow Engine system/client for this connection. This user has the following authorizations:
Read and write authorization for the shared transport directory
RFC authorization in the TMS
Display authorization in the CTS
Count the work items in the inbox
You can use the user TMSADM_WF to create transport proposals in the Workflow Engine, and to read transport proposals from the database.
A connection for accesses that cause changes in the target system
If the authorizations of the user TMSADM_WF are not sufficient, the same applies as described above for the user TMSADM. Since you can only change transport proposals in the transport proposal inbox or TMS worklist, you must log on to them explicitly.
For security reasons, we do not recommend extending the authorizations of the user TMSADM_WF.
You can also reset user TMSADM_WF to the default again. See also: Resetting User TMSADM_WF.
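The naming scheme and user assignments described above can be checked against a list of RFC destinations. The following Python sketch is an added example, not SAP code: it flags read connections that do not use TMSADM in client 000, TMSSUP connections that carry stored logon data (which would bypass the explicit logon), and workflow connections that do not use TMSADM_WF. The CSV export format, its column names and the sample rows are hypothetical and constructed for illustration.

```python
import csv
import io
import re

# Naming scheme of the generated destinations, as given in the text.
SYSTEM_DEST = re.compile(r"^(TMSADM|TMSSUP)@([A-Z][A-Z0-9]{2})\.([A-Z0-9_]+)$")
WORKFLOW_DEST = "TMSWF@WORKFLOW_ENGINE"

# Constructed sample export; the column names are hypothetical.
SAMPLE_EXPORT = """destination,client,user,password_saved
TMSADM@DEV.DOMAIN_DEV,000,TMSADM,yes
TMSSUP@DEV.DOMAIN_DEV,,,no
TMSADM@QAS.DOMAIN_DEV,100,TMSADM,yes
TMSSUP@PRD.DOMAIN_DEV,000,BASISADMIN,yes
TMSWF@WORKFLOW_ENGINE,000,TMSADM_WF,yes
TMSADM@PRD.DOMAIN_DEV,000,DDIC,yes
"""

def audit_destinations(export_text):
    """Return a list of (destination, finding) tuples for TMS destinations."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        dest = row["destination"].strip()
        user = row["user"].strip().upper()
        client = row["client"].strip()
        stored = row["password_saved"].strip().lower() == "yes"
        match = SYSTEM_DEST.match(dest)
        if match and match.group(1) == "TMSADM":
            # Read-access connection: user TMSADM, created in client 000.
            if user != "TMSADM":
                findings.append((dest, f"read connection uses user {user}, expected TMSADM"))
            if client != "000":
                findings.append((dest, f"read connection targets client {client}, expected 000"))
        elif match and match.group(1) == "TMSSUP":
            # Change connection: must trigger a logon screen, so no stored logon data.
            if user or stored:
                findings.append((dest, "change connection stores logon data, explicit logon is bypassed"))
        elif dest == WORKFLOW_DEST:
            if user != "TMSADM_WF":
                findings.append((dest, f"workflow read connection uses user {user}, expected TMSADM_WF"))
        elif dest.startswith(("TMSADM@", "TMSSUP@", "TMSWF@")):
            findings.append((dest, "name does not match the generated naming scheme"))
    return findings

if __name__ == "__main__":
    for dest, finding in audit_destinations(SAMPLE_EXPORT):
        print(f"{dest}: {finding}")
```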