Channel: SCN: Message List - Security

Re: Need to know regarding Authorization object S_PROGNAM


Dear all,

 

There were some complaints about this thread as Somnath has not done enough own research and expects others to do it. OK, normally this will be moderated, but this special case is very new and does have a discussion value for others about how SAP in future introduces optional authority-checks or activates recommended checks without intruding on the existing authorization concept directly.

 

There is a big difference between S_PROGRAM and S_PROGNAM.

 

The real big difference is not the distinction between program groups (if maintained, which is a very blunt concept) but rather program names (which is always known).

 

To activate this concept you need to actively enable it for the application, but that only works for applications which support it.

 

This is controlled via the SACF (SAP Authorization Control Framework) (for optional activation of checks).

 

Basically, if an authorization control is "retro fitted", then it is only checked in the coding if the customer actively enables it and the scenario supports it.

 

This is primarily used by the SAP Security Notes mechanism if these security notes don't eliminate functionality but rather introduce missing authority-checks to control the use of the functionality.

 

You can control this in transaction SACF as of 7.40 (backporting to earlier releases is difficult to implement IMO, so rather upgrade if you want to use it).

 

Upgrade to EhP7 works quite smoothly at the moment with the latest kernels to accompany it.

 

Cheers,

Julius

