When we release any transports we are getting the above error, this is basically due to the fact that implificaiton of complex password parameters, to supress this we had followed the note 761637.
I had regenerated RFCs and reset TMS user, but still no use any ideas?
This is definely not the issue with Authorization as user TMSADM has right profiles.
It might be the reset for some reason did not reset all the relevant user tables in all the systems.
Try logon to the domain controller client 000 (this should be your production system), call transaction SU01 and display TMSADM, enter 'RSET' or 'RBUF' (cannot remember off-hand) into the transaction command window and hit enter. A green "reset" message should appear.
Try the same in the source of the transport (if required).
Alternately run report RSUSR405.
Does the release work after that?
we have 21 servers.i have seen the attributes of user "TMSADM" in all the systems.
for us transports are working fine.
here i am giving the attributes of user "TMSADM".
make the changes accodinglly in su01 and try transports
profile for TMSADM is "S_A.TMSADM"
no user group for this user
no user group for ahthorization check
it is a communicational user
make these changes and try .still if problem please let me know
When you reset the user TMSADM from the domain controller, it will reset (amongst other things) the user type to "SYSTEM".
This means that the user ID is not subject to password change rules (amongst other things).
It also sets somewhat limited access (role S_A.TMSADM) for the user to perform administrative SYSTEM tasks for the TMS (such as, for example, running programs to check the authority, authenticity and location of the actual user, and run the commands required to add or import the files).
Bar these admin tasks, the STMS checks the authority (and prompts for the authenticity) of the calling user (the user who is actually logged on). So SYST (or a more refined FUNC) might even be a missing authorization for the actual user (the one sitting in the chair), and the authority check is failing before the authentication prompt appears?
Hi Julius and Narayuan,
Many thanks for your reply, when I reset my TMSADM user though it says it was reset, but SU01 for TMSAMD user is intact , it did not change the user type to SYSTEM, it kept as it was before Communication data.
I did not get the user to test the release , but I am checking in the RFC connection for this RFS desitnatation and it failes with same error.
SM59=> Particular RFC connection data==> Utilites => test=> Authorization test =>
COnnection test is okay , but authorization test fails and the user is also getting the same error.
TMSADM has profile "S_A.TMSADM"
Patch Downloader wrote:Patch Downloader wrote:
> ... when I reset my TMSADM user though it says it was reset, but SU01 for TMSAMD user is intact , it did not change the user type to SYSTEM, it kept as it was before Communication data.
Then the reset is not working (which would be consistent with the note). You can administrate the connections (SM59) and user (SU01) manually now. Try to change the user type in SU01.
> I did not get the user to test the release , but I am checking in the RFC connection for this RFS desitnatation and it failes with same error.
You stated before that releasing the transport was failing, not the authorization test in SM59.
Note that default system settings for the "Connection Test" only verifies that there are no network gremlins between the servers and the RFC settings, it does not verify that the logon was successfull. The "Authorization Test" on the other hand verifies the authentication was successfull and the authorization to perform the RFC call was checked and successfull.
Most likely, the problem is caused either by the user type AND / OR the password is in fact not correct (or is arriving incorrectly - See SAP Note 1023437).
Some other suggestions:
- Check ST22 to see whether more details are available on the error (check source and target destination).
- Check whether the user doing the release is missing an authorization to use the TMS.
- Check the value of your system profile parameters auth/rfc_authority_check and rfc/reject_expired_password?
I had the same problem, User TMSADM has no RFC auths for function group SYST. and although my dialog user has RFC auths, it still failed. Tried the afroementioned troubleshooting but no success.
Checked the short dumps which showed the TMSADM user is missing the AUTHORITY_CHECK_RFC, and I don't know why.
I added the RFC role to the user TMSADM, and now the RFC authority check works fine.
> Checked the short dumps which showed the TMSADM user is missing the AUTHORITY_CHECK_RFC,
Not necessarily critical.
> and I don't know why.
> I added the RFC role to the user TMSADM, and now the RFC authority check works fine.
... might be.
What is the user type of your TMSADM?
What is in this "the RFC role"?
Well I also got the same problem when I reconfigured the TMS.
The TMSADM was assigned the profile<font color=blue> S_A.TMSADM </font>by default.
Then I found out that apart from this profile, the TMSADM needs authorization S_CTS_CONFIG contained in the profile <font color=blue> S_A.SYSTEM </font>
When I assigned this profile, the authorization check is working fine.
check this thing out and let me know.
That is not a good solution and would be very security critical. You should check SAP Notes for the user TMSADM.
Most likely it is faulty config and possibly you had entered the user into the TMSSUP destinations of the transport domain? The "authorization test" in SM59's menu is understood as an "authentication test" by many, but to test the correctness of the password, it needs to invoke an authority-check so that the user can be determined. This happens to be in function group SYST, but the user does not have to have it.
In TMSADM's case it must run on the absolute minimum authorizations which are not critical on their own. It does not need SYST.
I would make sure the domain controller is on PROD and redistribute the config and reset the user from client 000. That should normally fix and cure config which has been fiddled with. Then use the destinations from STMS and not SM59.
Edited by: Julius Bussche on Mar 15, 2010 1:24 AM
Julius Bussche wrote:
> I would make sure the domain controller is on PROD and redistribute the config and reset the user from client 000.
I disagree. Yes, PRD systems mostly use some kind of HA and therefore it is quite save to have your domain controller there - but all those who have to do without a HA, think twice - use your SolMan instead!
It's not only about the High Availability, but also the security aspects of the controller of the transport domain configuration and not everyone uses ChaRm.
Production systems have a higher security level than development system and (contrary to popular basis folklore) you are not "alone" in client 000...
This is particularly true of SolMans and all their "call back" connections... which should be classed and treated as production systems.
I normally use the authorization object S_ICF to class the connections in SolMan into their own security classifications. It makes sense.
Otherwise I wouldn´t have comment one particular answer of this thread. I hope this makes sense to you. I think you should consider this before you delete answers by random. Otherwise you have to delete 70% of answers in the whole SDN forum. Thanks and please don´t be so arrogant. Moderator role doesn´t make you better or god. Cheers.
We are experiencing the same issue of getting error when setup STMS: "TMS has no RFC authorization for function group SYST"
We have tried delete and rescreate TMS. Upgrade kernel. But non seems working at this point.
Can you let us know how you get this problem resolved.
Is it possible that someone is expecting to hit the "remote logon" button in SM59?
This should not work for SYSTEM type user's anyway, so the authorization is not needed and will write a ST22 dump in the target to tell you that someone is "clicking around".
Check whether your TMSSUP* destinations are generated properly? These use the remote login to verify the dialog caller is authorized.
maybe we can close this thread after everybody who received 'TMSADM has no RFC authorization for function group SYST' would stop testing the connection out of SM59, but from STMS->System overview.
The message only appears, if you test from SM59. I suppose this is a 'functionality' or bug in SM59.
You already have got many suggestions on your issue. I would like to add one more... playing with Login profile parameters is good but it should not be set in such a fashion that the security for login bacome a pain point. So, make it normal and workable.
Now you may need to check the following SAP Notes:
456677 User TMSADM has no RFC authorization for function
1414256 Changing TMSADM password is too complex
1061649 Upgrade to SAP NetWeaver Process Integration 7.1
412496 OPEN_DATASET_NO_AUTHORITY, object S_PATH
Please check the version dependency of the above mentioned Notes.
This is an old and interesting thread with was "bounced" by the above plaintif with a very speculative and bad advice answer. I removed them to avoid further urban legends about non-dialog users being OK with SAP_ALL type access -> nonsense.
In you case you are possibly using the optional "path hook" feature of object S_PATH. This uses a grouping concept and SAP cannot know nor define the groups for your transport directories.
Therefore there is a feature to adjust the standard profile of user TMSADM - but it should only ever have this restricted profile.
Other useful and relatively easy controls for it are:
- User type SYSTEM.
- Domain controller and TP mounts on prod system.
- QA steps and backup controller on QA system.
- Manage the passwords via SNC protection (there is a new report for this now, if you read the notes).
If you give TMSADM more access (as suggested above), then you do not need to spend any firther money on security because it will not matter anymore...
We are having issues with our transport system and a Basis consultant is requesting I give S_CTS_TR_ALL and S_CTS_ADMIN authorizations to the TMSADM user in all systems / clients. However, based on everything I've read previously in this thread as well as others, I am against doing so. I would think these should only be given to the user who is actually trying to setup the TMS, and not to the TMSADM user - correct? Currently, TMSADM user only has the S_A.TMSADM profile assigned to it. Appreciate any comments.
There is a special case for object S_PATH to be added to the default profile of TMSADM, but this is optional and not default.
I am not aware of any S_CTS_ADMI or other additional profiles needed. Sounds like guess-work to me. Basis solution is sometimes a case of selective memory --> give things SAP_ALL just to see whether it works in principle, and if it does then do not change anything afterwards...