I faintly suspect there are a couple of misunderstandings and not enough information provided here...
Some tips to reformulate your question:
Calling RFC functions in external programs from or to SAP has nothing to do with application authorizations. It has to do with gateway ACLs.
Application RFC functions in ABAP systems will check start authorization for the group and then the individual function if the group fails. One pass on the group passes all the other sub-functions of the group truncated at about 40 characters (depending on your release).
Application objects are also checked within the function modules.
The system trace is actually an application server authorization trace, so the calls might be coming in on a different server.
Your question is not well formulated, so perhaps it is better for someone from the SAP system side to take a look into it instead of you? Integrating with SAP when you dont know SAP is painful and error prone.
Cheers,
Julius