Tuesday, November 4, 2008

Roles in the Satellite Systems in Solution Manager

From a transport point of view, the remote architecture of Change Request Management consists of one central SAP Solution Manager system, which is where Change Request Management runs and where all transports are controlled, and satellite systems where transport requests are created, released, and imported. In all these satellite systems, the local users need to have special authorizations within the Change and Transport System (CTS) according to their particular tasks.

· Real Users

For users in the satellite systems that have the system role types Development, Test or even Production, assign the following roles:

◦ SAP_CHANGEMAN_DEVELOPER

Contains the authorization profile S_TMW_DEVELO. This profile contains CTS authorizations for developers: no authorization to create or release transport requests, but authorization to create and release tasks.

◦ SAP_CHANGEMAN_OPERATOR

Contains the authorization profile S_TMW_OPERA. This profile contains CTS authorizations for operators: all transport authorizations, but no configuration authorizations.

◦ SAP_CHANGEMAN_ADMIN

Contains the authorization profile S_TMW_ADMIN. This profile contains CTS authorizations for administrators: all authorizations in the CTS (including configuration).

Caution

Note that the roles SAP_CHANGEMAN_PROJECTASSISTANT and SAP_CHANGEMAN_PROJECTLEAD are obsolete; do not assign them to users.

Caution

For SAP systems based on SAP Web Application Server 6.10 and lower, the profiles listed above are available, but not the roles. Therefore, you have to explicitly assign the authorization profiles to the relevant users.

· Trusted System Users

For all client system actions in Change Request Management, users are required to log on by using trusted systems. For this purpose, you must also assign trusted system authorizations to the relevant users. In particular, you have to assign the authorization object S_RFCACL. For more information, see SAP Solution Manager: Configuration Guide → Technical Requirements → Automatic Generation of Trusted System RFC Destinations.

· Background User

This user is required for communication between the SAP Solution Manager system landscape (transaction SMSY) and all systems that have the role type source system. For more information, see Generate/Change RFC Connections. In these logical systems, a communication (background) user is generated for executing tasks in the background (user SOLTMW). This background user automatically has the following profiles from the CTS area:

◦ S_TMW_CREATE for creating and releasing transport requests in development systems as well as for setting the project status switch for creating transport requests

◦ S_TMW_IMPORT for importing transport requests into test systems (empty)

The most important task of the background user is to create and release transport requests and tasks remotely from Change Request Management. Requests that are created in this way are known to Change Request Management, which means that Change Request Management can control the distribution of these requests within the landscape.

Caution

Requests that are created, released, or imported locally cannot be identified by Change Request Management in conjunction with a change request and are therefore not part of the Change Request Management transport control and distribution process. For this reason, we recommend that no users (apart from administrators) have authorization to create transport requests or tasks in Change Request Management-controlled clients.

· Import Authorization Checks

Change Request Management uses the import functions of the Transport Management System (TMS). The TMS remote infrastructure is based on RFC connections that point solely to the 000 client of a target system. For this reason, you must make sure that Operators and Administrators have users both in the client into which changes are imported, and in the 000 client of these systems.

· Automatic Imports

In test systems, it is sometimes necessary that imports are performed automatically. If you want developers within the Change Request Management scenario to start imports into a test system automatically, you must add the profile S_TMW_IMPORT to the user TMSADM in client 000 of the test system. Since S_TMW_IMPORT is delivered empty, you have to assign it the authorizations S_CTS_IMPALL and S_CTS_IMPSGL, which are also contained in the authorization object S_CTS_ADMI.

Caution

It is now possible to start an import into this system from every satellite system within your domain by using the CPIC user TMSADM; therefore, do not use this method in production systems or in any other security-critical systems.

Caution

The system where you want to start the import automatically must share the same transport directory as its preceding system. If the transport directories were different, the user who starts the import would need “addtobuffer” authorizations for the buffer adjustment, which would present a security risk not only for the system concerned, but also for the whole landscape (including the production system).
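
The rules above (obsolete roles, the client 000 user for operators and administrators, and S_TMW_IMPORT on TMSADM) can be checked against an exported list of role and profile assignments. The following Python code is an added example, not SAP code and not part of the original post; the export layout, the system role labels, and the sample system and user names are constructed assumptions.

```python
from collections import defaultdict

OBSOLETE_ROLES = {"SAP_CHANGEMAN_PROJECTASSISTANT", "SAP_CHANGEMAN_PROJECTLEAD"}
# Roles and profiles whose holders start imports through TMS.
IMPORTER_GRANTS = {"SAP_CHANGEMAN_OPERATOR", "SAP_CHANGEMAN_ADMIN",
                   "S_TMW_OPERA", "S_TMW_ADMIN"}

# Constructed sample export: (system, system_role, client, user, grant).
# The column layout and the system/user names are assumptions for this example.
SAMPLE = [
    ("DEV", "development", "100", "ALICE", "SAP_CHANGEMAN_DEVELOPER"),
    ("DEV", "development", "100", "BOB", "SAP_CHANGEMAN_PROJECTLEAD"),
    ("QAS", "test", "200", "CAROL", "SAP_CHANGEMAN_OPERATOR"),
    ("QAS", "test", "000", "CAROL", "SAP_CHANGEMAN_OPERATOR"),
    ("QAS", "test", "000", "TMSADM", "S_TMW_IMPORT"),
    ("PRD", "production", "300", "DAVE", "S_TMW_ADMIN"),
    ("PRD", "production", "000", "TMSADM", "S_TMW_IMPORT"),
]

def audit(rows):
    """Return a sorted list of (rule, system, client, user) findings."""
    findings = set()
    clients_of = defaultdict(set)  # (system, user) -> clients where the user exists
    for system, _, client, user, _ in rows:
        clients_of[(system, user)].add(client)
    for system, role, client, user, grant in rows:
        # Obsolete roles must not be assigned to users.
        if grant in OBSOLETE_ROLES:
            findings.add(("obsolete-role", system, client, user))
        # TMS RFC connections point to client 000, so importers need a user there too.
        if grant in IMPORTER_GRANTS and "000" not in clients_of[(system, user)]:
            findings.add(("no-client-000-user", system, client, user))
        # With S_TMW_IMPORT on TMSADM, any satellite system in the domain can start
        # imports; this example flags it everywhere except systems labelled "test".
        if (user == "TMSADM" and client == "000" and grant == "S_TMW_IMPORT"
                and role != "test"):
            findings.add(("tmsadm-import-outside-test", system, client, user))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding)
```
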
