If you have traced correctly (i.e. considered multiple app servers) and there is no failed checked, is it definitely security?
My SU24 recommendation was to compare recommended values between the two transactions so see if the user might be missing some access.