azonic evolution wrote:
However, running the program directly through SE38, will have no protection (authorization) on how is it being executed?
if by protection you mean check for authorization object S_TCODE then that's correct. The program may have some additional authorization checks and these will get checked. These authorization checks are built into program logic by developers.
For example transaction code ME59N. In SE91 you can see that it uses report RM06BB30. You can see that there is another authorization object M_BEST_EKO assigned to this transaction. So when a user executes ME59N ABAP AS checks if a user has authorization to execute this transaction code (object S_TCODE) and it also checks additional object M_BEST_EKO. If one of these two authorization checks fails ABAP AS will refuse to execute transaction. If a user has authorization to execute RM06BB30 directly in SE38/SA38 then none of these checks will be performed. The checks that are programmed in RM06BB30 will get executed in both cases. So a user can avoid authorization checks for S_TCODE if they have sufficient authorization to execute report directly in SE38/SA38 but it does not mean that other authorization checks will be ignored.
Cheers