I have a user that is able to log in to LMS via TACACS/SecurID without a CW local login account, and he gets guest privs. Is this a bug? Shouldn't he be unable to log in without a local account set up?
Miheg is absolutely right. This has been the case since we introduced external login modules. Every user with a valid account in the external database will be allowed Help Desk access to LMS unless they have a local account in LMS granting them more access.
I used to have a patch for LMS 2.2 which worked around this. However, in LMS 2.5+ you have the option of using ACS integration. If you do full ACS integration, you can effectively prevent people with ACS accounts from having any access in LMS.