RSUSR003
Critical authorizations
The password lock is not suitable to prevent the login to the system, because it does not prevent the login via single sign-on. Learn how to safely lock the system logon. The SAP system distinguishes several reasons for blocking. Therefore, sometimes there is confusion when a user is still able to log on to the system, e.g. via Single Sign-on (SSO), despite the password lock. We explain the differences between locking passwords, locking and validity of user accounts, and validity of assigned permissions in the following.
TMSADM: The user TMSADM serves the communication between SAP systems in the transport management system and is automatically created in the client 000 when they are configured. TMSADM only has the permissions to access the common transport directory, view in the change and transport management system, and the necessary RFC permissions. Safeguard measures: Change the user's passwords in each client. There is the report TMS_UPDATE_PWD_OF_TMSADM, which you have to start in the client 000. This is only possible if you have administrator privileges on all systems in the landscape and the password rules of the systems are compatible. After the report has been successfully passed, all TMSADM users of the landscape in the client 000 and their destinations have the same new password.
Transports
When assigning a new user group to a user, only the creation permission in the new user group is required. Alternatively, you can enable the check for activity 50 (Move) of the S_USER_GRP authorization object. In the USR_CUST table, set CHECK_MOVE_4_CNG_GRP to YES.
Different users in your SAP system will have different password rules, password changes, and login restrictions. The new security policy allows you to define these user-specific and client-specific. It happens again and again that there are special requirements for password rules, password changes and login restrictions for different users in your SAP system. There may be different reasons for this.
Authorizations can also be assigned via "Shortcut for SAP systems".
If you want to know more about SAP authorizations, visit the website www.sap-corner.de.
These constraints cannot be changed by the settings of the customising switch ADD_S_RFCACL in the table PRGN_CUST.
So there are several reasons why you want to define a field as an organisational level.