I added a new authorization object to a transaction in SU24. Why does the new restriction not work?
The majority of checks for authorization in SAP are performed in the ABAP code with the AUTHORITY-CHECK ABAP statement.
If there is no AUTHORITY-CHECK in place for the authorization object (and subsequent logic for the response), then no check will take place.
SU24 allows us to effectively deactivate some authorization checks which have been coded, what it does not let us do is add in arbitary checks without the appropriate code.
User-Exits, BADI's, Enhancement Points are all potential ways of including additional checks and validation without modifying standard SAP code.