Hi Enrico,
The authorizations are not actually complementing eachother in the way you think they do. When executing a program through SE38, SAP will perform following checks:
1) S_DEVELOP with ACTVT 16 ; OBJTYPE PROG and OBJNAME = the name of the program you are trying to execute. The check with ACTVT 16 will not check for the program group.
2) S_DEVELOP with ACTVT 03 and all other fields according to the selected program, including the program group (if any)
3) In case there's a program group, S_PROGRAM will also be checked.
The "additional" check for ACTVT 16 is documented in note "1012066 - Security note: Authorization check when executing reports"
While it is perfectly possible to allow users to display all programs and only execute specific programs through SE38 by using the OBJNAME field with ACTVT 16, this is not recommended. Like Colleen said, it's best practice to create a tcode for every program you want to call on a production environment.
Kind regards,
Brent