Sunday, January 31, 2016

Closing the 'Called Transactions' Loophole


Let's say a user runs ME23N to display purchase orders. From the purchase order he can also display the vendor (purchasing view). You might assume this works because MK03 is in one of his roles. But even if his user master has no authorization for MK03 at all, he can still display the vendor.

The reason: MK03 is a 'Called Transaction' of ME23N.

So, what's a Called Transaction?
Within ABAP programs there are statements of the form CALL TRANSACTION 'XXXX'. Starting a transaction this way does not automatically perform the start-authorization check (S_TCODE) that runs when a user types the transaction code into the command field. The called program's own application-level AUTHORITY-CHECK statements still run, but the "may this user start MK03 at all" check is skipped unless the system is told to perform it.
Whether it is performed is decided by table TCDCOUPLES. This table maps each calling transaction to the transactions it calls. In our example ME23N is the calling transaction and MK03 is the called transaction.

The column to focus on is the Check flag (field OKFLAG in TCDCOUPLES). If its value is blank or 'N', the calling transaction can reach the called transaction without any start-authorization check. If it is 'Y', the user needs start authorization for the called transaction, exactly as if he had typed it in himself.

Two caveats before relying on the table alone: on newer releases the profile parameter auth/check/calltransaction also decides how blank and missing entries are treated, so check its value in RZ11 first; and from ABAP 7.40 on, a program can state WITH AUTHORITY-CHECK or WITHOUT AUTHORITY-CHECK directly on the CALL TRANSACTION statement, in which case the table entry is not consulted for that call.




So, now you want to restrict access to MK03 from ME23N.
Use transaction SE97 to change the value of the Check field: enter ME23N as the calling transaction, find the row for MK03, change its Check value to Yes and save.

Now the user can display the vendor from ME23N only if he also has start authorization for MK03. Repeat the review after upgrades and support packages, since new CALL TRANSACTION statements in SAP code can add new entries to TCDCOUPLES.

You can do a quick review of the sensitive 'Called Transactions' (user and role administration, table browsers, master data maintenance, and so on) and make sure there aren't any unwanted access leaks. SE16 on TCDCOUPLES, filtered on the called transaction, is the fastest way to list them.
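The review can be scripted against an extract of TCDCOUPLES. The following Python script is an added example, not part of the original post: it parses a constructed tab-separated export of the table (the shape an SE16 download produces) and lists every pair whose called transaction is on a sensitive list and whose Check flag would not trigger the start-authorization check. The sample rows, the sensitive-transaction list and the blank_means_check switch are all assumptions made for the example; the switch is there because, on newer releases, whether a blank flag means "no check" depends on the profile parameter auth/check/calltransaction.

```python
"""Audit a TCDCOUPLES extract for sensitive called transactions that are
reachable without a start-authorization (S_TCODE) check.

Added example for this post, not SAP code. Table rows below are constructed.
"""
import csv
import io

# Constructed sample in the shape of an SE16 tab-separated download of
# TCDCOUPLES. Transactions and flag values are illustrative only.
SAMPLE_EXTRACT = """\
CALLTCODE\tCALLEDTCODE\tOKFLAG
ME23N\tMK03\t
ME23N\tMM03\tY
ME21N\tMK01\tN
ME23N\tSE16\tY
FB03\tSU01\t
"""

# Assumed list of called transactions an auditor would want checked.
SENSITIVE_TCODES = {"MK01", "MK02", "MK03", "SU01", "SE16", "PFCG"}


def parse_extract(text):
    """Parse the tab-separated extract into a list of dicts with
    calling tcode, called tcode and the normalised Check flag."""
    reader = csv.DictReader(io.StringIO(text), delimiter="\t")
    rows = []
    for r in reader:
        rows.append({
            "calling": r["CALLTCODE"].strip().upper(),
            "called": r["CALLEDTCODE"].strip().upper(),
            # A trailing tab yields an empty string; missing column yields None.
            "flag": (r.get("OKFLAG") or "").strip().upper(),
        })
    return rows


def check_performed(flag, blank_means_check=False):
    """Return True if the start-authorization check runs for this flag.

    'Y' always checks, 'N' never checks. A blank flag is "no check" on the
    classic behaviour described in the post; set blank_means_check=True if
    auth/check/calltransaction on your system treats blank entries as checked
    (assumption: verify the parameter value in RZ11).
    """
    if flag == "Y":
        return True
    if flag == "N":
        return False
    return blank_means_check


def find_unchecked_calls(rows, sensitive, blank_means_check=False):
    """Return sorted (calling, called, flag) tuples for sensitive called
    transactions that can be reached without the start check."""
    return sorted(
        (r["calling"], r["called"], r["flag"])
        for r in rows
        if r["called"] in sensitive
        and not check_performed(r["flag"], blank_means_check)
    )


def main():
    rows = parse_extract(SAMPLE_EXTRACT)
    findings = find_unchecked_calls(rows, SENSITIVE_TCODES)
    print(f"{len(findings)} unchecked call(s) into sensitive transactions:")
    for calling, called, flag in findings:
        shown = flag if flag else "(blank)"
        print(f"  {calling} -> {called}  Check={shown}  fix: SE97 {calling}, set Check=Yes")


if __name__ == "__main__":
    main()
```

Run it against a real download by replacing SAMPLE_EXTRACT with the file contents and SENSITIVE_TCODES with your own list; each finding names the calling transaction to open in SE97.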
