When initiating a transaction, a system program performs a series of checks to ensure the user is authorized.
1. The program checks whether the transaction code exists in table TSTC.
2. The program checks whether the transaction code is locked by the administrator (transaction code SM01).
3. The program checks whether the user has the authority to start the transaction. Authorization object S_TCODE (transaction start) contains the authorization field TCD (transaction code). The user must have the appropriate authorization for the transaction code to be started (for example, FK01, Create Vendor).
4. The program checks whether an authorization object is assigned to the transaction code. If this is the case, the program checks whether the user has an authorization for this authorization object. The transaction code/authorization object assignment is stored in table TSTCA.
Note: An SAP program controls steps 1 through 4. It displays an automatic message to the user if an authorization attempt fails in the step.
5. The system performs authorization checks in the ABAP program using the ABAP statement AUTHORITY-CHECK.
http://searchsap.techtarget.com/expert/KnowledgebaseAnswer/0,289625,sid21_gci1240912_tax299335,00.html?bucket=ETA&topic=299335
http://sap.iteye.com/blog/156757
