Without proper authorization, a person with ABAP query coding access can still use CALL TRANSACTION to enter any transaction code provided the program call by the transaction code doesn't have the following statement: AUTHORITY-CHECK OBJECT ...
This is to alert you of how ABAP query can be misused for running unauthorized transaction code.
For demonstration purposes, here is an example of how this can be done:
A. Create function area SQ02
1. Use Direct Read for a smallest size of table like T001, create functional group with only one field like T001-BUKRS, company code. This is only a dummy process in order to get a selection screen prompt when running query.
2. Goto>Code>Data, declare a line as below Parameter: TCODE(10).
3. Goto>Code>Start Of Selection, enter statement CALL TRANSACTION TCODE.
4. Save and generate.
B. Create query SQ01
1. During creating process, make sure selection field must have at least one field (company code in this example) in order to get the selection screen prompt. Whatever the field, it is not important. Then define basic list.
2. Save. Execute, key-in a company code and save variant with company code hidden (That's why this field is just dummy field).
3. key-in transaction code, for example ST05, you will be able to access this Tcode even ST05 is not authorized in your profile.