How do I utilize SAP inspection plans and support packages?
We are using an inspection plan for QM, SAP R3 4.6 and we are trying to restrict only particular users to release the created inspection plan, how we can achieve this? Also, is there a standard methodology available to do an impact analysis of SAP support packages?
The most fulfilling part of a security job is the research required to solve a particular problem and the rewards that come from continually expanding the breadth of one's understanding of SAP's delivered functionality.
I suggest that you consider turning on a trace while releasing an inspection plan and see if SAP provides an authorization check. You may also try to determine if SAP uses Status Management -- a cross-application functionality -- in relation to inspection plans.
There are authorization objects for status management that allow you to control who can change the status for an object. This may require that status management with user statuses be configured.
Good luck and happy hunting!
This was first published in November 2006