Basically, I don't think ABAP developers are able to determine the AUTHORITY-CHECKS that needs to be build in. This is where the Security manager comes in.
Based on the information:
- who will be working with the program (departments/ function(s)
- what sensitive data is in the program
You can decide the Authority checks that needs to be implemented.
For example if the program will show you information about material info records, I would add the authorization checks that are included with the transaction MM03.
I know that the example is very simple and in real live it can be hard to decide and the security manager probably does not have detailed authorization object knowledge, but together with the authorization/role maintainer they will hopefuly be able to find a solution.