The s_tcode object controls whether or not you can *start* the transaction. What you can do within any given transaction is typically controlled by by other authorisation objects.
To take your example, having VA01 in an s_tcode authorisation means you can start VA01. There are separate authorisation objects that control which sales areas and document types you can use, and many others. It is perfectly possible to have access to VA01 via an s_tcode authorisation but be unable to actually post anything.
To see what other objects are relevant for a given transaction, use SU24.