You can bypass client-side restrictions on user account fields, allowing unauthorized modification of the user name (logon name) after account creation. 

SAS^® Fraud Management web applications correctly prevent you from editing the username field. However, by intercepting and modifying the HTTP request (for example, using a proxy tool or directly calling saveUser.action), you can alter and submit the user name parameter to the back-end. The server accepts the modified value, indicating that server-side validation is not enforced for this field. As a result, you can change an existing user logon name outside of the intended application controls.

There is no workaround for this issue.