Hi Andy,
isn't it easier to check the authorizations in Backend? Like only write for IT0008 in PA30 with Subtype XY for example?
for something like that you can use a custom authorization object like P_NNNNNCON (active in T77s0 with Transaction OOAC)
There you can list Transactions and give the authorizations only for those.
Or do I misunderstand you?
Greetings
Lars