Hi Colin
You can still define your function, but you do need to clarify what the checks should be. At the moment, your function definition would be the S_TCODE for the Z transaction.
However, if you just define it like that and there are additional checks, then you increase the level of false positives. If there aren't, then you are right that the code still needs to be hardened.
As you have mentioned a Z authority check, none of us can comment on the security. Did you run a security trace on the Z transaction with the BAPI to see what is checked? How has the developer coded the authority check?
I would push back if there are insufficient checks from a security point of view. But if the Z transaction activity forms part of a risk and is available to end users, you should capture it and then start the remediation/mitigation processes.
Regards
Colleen
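An added illustration of the coding point raised in the reply above (this is not code from the thread or from any SAP deliverable). It assumes a hypothetical Z transaction ZSEC_BAPI that starts the report ZSEC_BAPI_WRAPPER, and that the wrapped BAPI creates FI documents, so the standard object F_BKPF_BUK is used for the business-level check; both names and the choice of object are assumptions to be replaced by whatever the real Z transaction does. It shows the two things a security trace (ST01) should reveal for a properly hardened wrapper: an S_TCODE check and a business-object check, each with sy-subrc evaluated.

```abap
*&---------------------------------------------------------------------*
*& Report ZSEC_BAPI_WRAPPER  (hypothetical name, added illustration)
*& Hardened custom wrapper around a BAPI: S_TCODE alone only proves the
*& user may start the transaction; the business authorization must be
*& checked explicitly because the BAPI does not do it for the caller.
*&---------------------------------------------------------------------*
REPORT zsec_bapi_wrapper.

PARAMETERS: p_bukrs TYPE bukrs OBLIGATORY.           " company code to act on

CONSTANTS: gc_tcode TYPE sy-tcode VALUE 'ZSEC_BAPI'. " hypothetical Z transaction

START-OF-SELECTION.
  PERFORM check_authority.
  " ... CALL FUNCTION 'BAPI_...' would follow here; the BAPI name is
  "     deliberately left out, the point is the gate in front of it.

FORM check_authority.
  " 1. Transaction start check. The kernel does this when the user enters
  "    ZSEC_BAPI, but NOT when the report is started via SA38/SE38 or a
  "    background job, so the check is repeated in code.
  AUTHORITY-CHECK OBJECT 'S_TCODE'
    ID 'TCD' FIELD gc_tcode.
  IF sy-subrc <> 0.
    MESSAGE 'Not authorized for transaction ZSEC_BAPI' TYPE 'E'.
  ENDIF.

  " 2. Business-level check. F_BKPF_BUK with activity 01 (create) is an
  "    assumption about what the wrapped BAPI does; substitute the object
  "    and activity that fit the BAPI actually being called.
  AUTHORITY-CHECK OBJECT 'F_BKPF_BUK'
    ID 'BUKRS' FIELD p_bukrs
    ID 'ACTVT' FIELD '01'.
  " The most common coding defect: AUTHORITY-CHECK is called but sy-subrc
  " is never evaluated, so the check is decorative. Always branch on it.
  IF sy-subrc <> 0.
    MESSAGE |Not authorized for company code { p_bukrs }| TYPE 'E'.
  ENDIF.
ENDFORM.
```

When the trace on the real Z transaction shows only the S_TCODE check, the wrapper is in the "needs hardening" case from the reply; when it shows a second object like the one above, that object and its field values are what the function definition in the ruleset should capture, otherwise the rule fires on users who hold the transaction but not the business authorization.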