21 Replies Latest reply: Jun 25, 2011 9:37 PM by Julius von dem Bussche RSS

User |TMSADM has no RFC authorization for function group SYST

Patch Downloader
Currently Being Moderated

Hi All,

 

When we release any transports we are getting the above error, this is basically due to the fact that implificaiton of complex password parameters, to supress this we had followed the note 761637.

 

I had regenerated RFCs and reset TMS user, but still no use any ideas?

 

This is definely not the issue with Authorization as user TMSADM has right profiles.

 

Reg,

VV

  • Re: User |TMSADM has no RFC authorization for function group SYST
    Julius von dem Bussche
    Currently Being Moderated

    It might be the reset for some reason did not reset all the relevant user tables in all the systems.

     

    Try logon to the domain controller client 000 (this should be your production system), call transaction SU01 and display TMSADM, enter 'RSET' or 'RBUF' (cannot remember off-hand) into the transaction command window and hit enter. A green "reset" message should appear.

     

    Try the same in the source of the transport (if required).

     

    Alternately run report RSUSR405.

     

    Does the release work after that?

     

    Cheers,

    Julius

  • Re: User |TMSADM has no RFC authorization for function group SYST
    kesagani narayana
    Currently Being Moderated

    hi,

     

     

    we have 21 servers.i have seen the attributes of user "TMSADM" in all the systems.

    for us transports are working fine.

    here i am giving the attributes of user "TMSADM".

    make the changes accodinglly in  su01 and try transports

     

    profile for TMSADM is "S_A.TMSADM"

    no user group for this user

    no user group for ahthorization check

    it is a communicational user

     

     

    make these changes and try .still if problem please let me know

    regards,

    narayana

    • Re: User |TMSADM has no RFC authorization for function group SYST
      Julius von dem Bussche
      Currently Being Moderated

      When you reset the user TMSADM from the domain controller, it will reset (amongst other things) the user type to "SYSTEM".

       

      This means that the user ID is not subject to password change rules (amongst other things).

       

      It also sets somewhat limited access (role S_A.TMSADM) for the user to perform administrative SYSTEM tasks for the TMS (such as, for example, running programs to check the authority, authenticity and location of the actual user, and run the commands required to add or import the files).

       

      Bar these admin tasks, the STMS checks the authority (and prompts for the authenticity) of the calling user (the user who is actually logged on). So SYST (or a more refined FUNC) might even be a missing authorization for the actual user (the one sitting in the chair), and the authority check is failing before the authentication prompt appears?

       

      Cheers,

      Julius

  • Re: User |TMSADM has no RFC authorization for function group SYST
    Patch Downloader
    Currently Being Moderated

    Hi Julius and Narayuan,

     

    Many thanks for your reply, when I reset my TMSADM user  though it says it was reset, but SU01 for TMSAMD user is intact , it did not change the user type to SYSTEM, it kept as it was before Communication data.

     

    I did not get the user to test the release , but I am checking in the RFC connection for this RFS desitnatation and it failes with same error.

     

    SM59=> Particular RFC connection data==> Utilites => test=> Authorization test =>

     

    COnnection test is okay , but authorization test fails and the user is also getting the same error.

     

    TMSADM has profile "S_A.TMSADM"

     

    Reg,

    VV

    • Re: User |TMSADM has no RFC authorization for function group SYST
      Julius von dem Bussche
      Currently Being Moderated
      Patch Downloader wrote:Patch Downloader wrote:

      >

      > ... when I reset my TMSADM user  though it says it was reset, but SU01 for TMSAMD user is intact , it did not change the user type to SYSTEM, it kept as it was before Communication data.

       

      Then the reset is not working (which would be consistent with the note). You can administrate the connections (SM59) and user (SU01) manually now. Try to change the user type in SU01.

       

      >

      > I did not get the user to test the release , but I am checking in the RFC connection for this RFS desitnatation and it failes with same error.

       

      You stated before that releasing the transport was failing, not the authorization test in SM59.

       

      Note that default system settings for the "Connection Test" only verifies that there are no network gremlins between the servers and the RFC settings, it does not verify that the logon was successfull. The "Authorization Test" on the other hand verifies the authentication was successfull and the authorization to perform the RFC call was checked and successfull.

       

      Most likely, the problem is caused either by the user type AND / OR the password is in fact not correct (or is arriving incorrectly - See SAP Note 1023437).

       

      Some other suggestions:

       

      - Check ST22 to see whether more details are available on the error (check source and target destination).

      - Check whether the user doing the release is missing an authorization to use the TMS.

      - Check the value of your system profile parameters auth/rfc_authority_check and rfc/reject_expired_password?

       

      Cheers,

      Julius

  • Re: User |TMSADM has no RFC authorization for function group SYST
    Ashutosh Malushte
    Currently Being Moderated

    Hi,

     

    Well I also got the same problem when I reconfigured the TMS.

    The TMSADM was assigned the profile<font color=blue> S_A.TMSADM </font>by default.

    Then I found out that apart from this profile, the TMSADM needs authorization S_CTS_CONFIG contained in the profile <font color=blue> S_A.SYSTEM </font>

    When I assigned this profile, the authorization check is working fine.

     

    check this thing out and let me know.

     

     

    Regards,

    Ashutosh

  • Re: User |TMSADM has no RFC authorization for function group SYST
    Jingying Li
    Currently Being Moderated

    Hello,

     

    We are experiencing the same issue of getting error when setup STMS: "TMS has no RFC authorization for function group SYST"

     

    We have tried delete and rescreate TMS. Upgrade kernel. But non seems working at this point.

     

    Can you let us know how you get this problem resolved.

     

    thank you

    Jingying

  • Re: User |TMSADM has no RFC authorization for function group SYST
    Dipanjan Sanpui
    Currently Being Moderated

    You already have got many suggestions on your issue. I would like to add one more... playing with Login profile parameters is good but it should not be set in such a fashion that the security for login bacome a pain point. So, make it normal and workable.

    Now you may need to check the following SAP Notes:

     

    456677         User TMSADM has no RFC authorization for function

    1414256          Changing TMSADM password is too complex

    1061649        Upgrade to SAP NetWeaver Process Integration 7.1

    412496                OPEN_DATASET_NO_AUTHORITY, object S_PATH

     

    Please check the version dependency of the above mentioned Notes.

     

    Regards,

    Dipanjan

  • Re: User |TMSADM has no RFC authorization for function group SYST
    Krysta Osborn
    Currently Being Moderated

    Weird that this is close to the top of the list for today. Our Basis Admin is working through a similar issue (not sure what it is exactly) and SAP told her to add the missing auth to profile S_A.TMSADM and then try again.

    • Re: User |TMSADM has no RFC authorization for function group SYST
      Julius von dem Bussche
      Currently Being Moderated

      This is an old and interesting thread with was "bounced" by the above plaintif with a very speculative and bad advice answer. I removed them to avoid further urban legends about non-dialog users being OK with SAP_ALL type access -> nonsense.

       

      In you case you are possibly using the optional "path hook" feature of object S_PATH. This uses a grouping concept and SAP cannot know nor define the groups for your transport directories.

       

      Therefore there is a feature to adjust the standard profile of user TMSADM - but it should only ever have this restricted profile.

       

      Other useful and relatively easy controls for it are:

       

      - User type SYSTEM.

      - Domain controller and TP mounts on prod system.

      - QA steps and backup controller on QA system.

      - Manage the passwords via SNC protection (there is a new report for this now, if you read the notes).

       

      If you give TMSADM more access (as suggested above), then you do not need to spend any firther money on security because it will not matter anymore...

       

      Cheers,

      Julius

Actions