Using the function module RS_HDSYS_CALL_TC_VARIANT, you can call a transaction to which the user doesn't have access (in auth object S_TCODE) from within a custom program. This sounds like a bad thing at first, but it is actually a good thing. How it works is that you set up a transaction variant using transaction SHD0, in which you can make any field on the screen mandatory, display-only or hidden. This means that you can limit what the user can do. You then control the user's access to the functionality of the transaction by not giving them the authorisation to run the transaction directly. They can only run it through your custom program which calls the transaction variant. For more detail on the function module see OSS note 204193.
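A sketch of the calling program described above, as an added example that is not part of the original post or SAP's own code. It assumes a hypothetical custom authorization object `Z_TCVAR` with field `ZTCVAR`, a placeholder transaction code and variant name, and the function module parameters `TCODE`, `VARIANT` and `AUTHORITY_CHECK`, which should be confirmed in SE37 and OSS note 204193 for your release.

```abap
REPORT z_call_tc_variant.

* Added example. Hypothetical names: this report, the authorization object
* Z_TCVAR with field ZTCVAR, and the target transaction and variant below.
CONSTANTS: gc_tcode   TYPE sy-tcode    VALUE 'ZTARGET',
           gc_variant TYPE c LENGTH 30 VALUE 'ZVAR_RESTRICTED'.

START-OF-SELECTION.

* The S_TCODE check on the target transaction is skipped further down, so
* this program is the only gate. Check a dedicated authorization object
* before starting the variant.
  AUTHORITY-CHECK OBJECT 'Z_TCVAR'
    ID 'ZTCVAR' FIELD gc_variant.
  IF sy-subrc <> 0.
    MESSAGE 'No authorization for this transaction variant'
      TYPE 'S' DISPLAY LIKE 'E'.
    RETURN.
  ENDIF.

* Start the transaction only through the SHD0 variant, never directly.
* AUTHORITY_CHECK = space is assumed to suppress the S_TCODE check on the
* target; verify the parameter's behaviour on your system.
  CALL FUNCTION 'RS_HDSYS_CALL_TC_VARIANT'
    EXPORTING
      tcode           = gc_tcode
      variant         = gc_variant
      authority_check = space
    EXCEPTIONS
      OTHERS          = 1.
  IF sy-subrc <> 0.
    MESSAGE 'Transaction variant could not be started'
      TYPE 'S' DISPLAY LIKE 'E'.
  ENDIF.
```

Because the variant's field restrictions are the only limit on what the user can do inside the transaction, access to the wrapper program itself needs to be assigned as narrowly as direct access to the transaction would be.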
Have a look at the function modules RH_AUTHORITY_CHECK_OFF and HR_READ_INFOTYPE_AUTHC_DISABLE.