asterisk was my mistake (it's late here)
SU56... if you work in security I highly recommend you familiarise yourself with that transaction. Su56 is after all the User Buffer for authorisations. If it's not sitting in there then they user will not have access. This typically then leads back to PFUD/user compare.
If you work through your basic 101 security and analyse to rule out your role build, profile regeneration and user assignment then you need to start investigate the transaction/program side.