I hava a user that was able to execute transaction SU01 even though he has no authorization to it, at least not directly, I do not know how he did it, this are the entries from sm20:
01.06.2011 16:10:36 UserX userxlaptop SU01 SAPLSMTR_NAVIGATION Start of transaction SU01 failed (Reason=6)
01.06.2011 16:10:42 UserX userxlaptop SE37 SAPLSMTR_NAVIGATION Transaction SE37 Started
01.06.2011 16:10:42 UserX userxlaptop SE37 RSFUNCTIONBUILDER Report RSFUNCTIONBUILDER Started
01.06.2011 16:10:47 UserX userxlaptop SE37 RS_TESTFRAME_CALL Report RS_TESTFRAME_CALL Started
01.06.2011 16:10:53 UserX userxlaptop SU01 RS_TESTFRAME_CALL Transaction SU01 Started
I executed program RS_TESTFRAME_CALL but was not able to go to SU01 from there, does anybody know how was the access to SU01 possible?
Report RS_TESTFRAME_CALL is used to test a function module. So if you go to SE37 and you want to test a function module it will call this report. So that user was able to use function module to launch transaction SU01 without authorization check. You can't see from log which function was used but I guess he used FM SUSR_USER_MAINT_WITH_DIALOG that is used in SU01.
There are many other ways to break into initial txn screen. Developer play these magic and some times they assign themselves profile (not to mention the name). However for these if your developer does not have access to objects like S_USER* so they won't be able to do any further activity there.
But if he is too smart then may be there are other ways to break that as well (like change RC in runtime). That may have solution in terms of authorization restriction or some SNOTE implementation (lots of bug). And specifically in old systems.
SUSR_USER_MAINT_WITH_DIALOG can be used by the user in FUNCN to get to SU01 screen. As suggested by others unless he has access to S_USER* objects in the profile it would be in change mode (Unless the developer resorts to debug/replace) in systems ... but i think thats how he reached to the tcode..