Dear Fred-san
Thank you very much for your support on this.
But, may I double check about what you mentioned above?
So, what you were mentioning was that if some user executes the query with
the function module (RFC_READ_TABLE), under the following conditions, he can access
the HR data even when he does not have the authorizations for HR transactions?
<Conditions>
1. the user has the authorization for HR database tables themselves
2. RFC_READ_TABLE is called to retrieve the data from HR database
<example>
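" Placeholder tables for the TABLES parameters, which the post leaves blank
DATA: lf_hr_table LIKE dd02l-tabname VALUE 'PA0000',
      lt_options  TYPE STANDARD TABLE OF rfc_db_opt,
      lt_fields   TYPE STANDARD TABLE OF rfc_db_fld,
      lt_data     TYPE STANDARD TABLE OF tab512.

CALL FUNCTION 'RFC_READ_TABLE'
  EXPORTING
    query_table = lf_hr_table
  TABLES
    options     = lt_options
    fields      = lt_fields
    data        = lt_data.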
But then, as long as we call this function module for non-critical tables such as
VBAP (sales order) or EKKO (purchase order) within our query, it wouldn't seem to be
such a security risk to use RFC_READ_TABLE...
Besides, each query (infoset query) has got the concept of user groups, which limits
the access to the queries within the user group.
※If someone does not belong to the user group, he cannot execute the queries within that
user group, etc.
So, my feeling is that even infoset queries do have an authorization concept...
Would you give me your thoughts on this?
I also thank you for your information for SCU0.
That is an interesting transaction.
Kind regards,
Takashi