Sometimes I come across roles within the SAP system that are set up and assigned as display roles. However, when analyzing them further, it turns out that they are not really display roles (any more). The first focus when setting up a display role is usually removing the non-display ACTVT values from the corresponding authorization objects. The list of ACTVT values and their meaning can be found in table TACT.
In a display role, the ACTVT field should contain neither the * value nor any non-display value. This seems logical, but sometimes only the 01 and 02 values are removed and the other critical values (including *) are forgotten.
ACTVT is used by many authorization objects. The list of these objects can be found in table TACTZ.
ACTVT is, however, not the only authorization field that should be restricted to display values; there are others as well, such as PPFCODE, AUTHC in HR and JOBACTION in Basis. Make sure the values assigned to the object fields are really display only. And while testing the role, make sure you perform both positive and negative testing.
And last, if you assign multiple roles to one user, make sure the combination of the display role and non-display roles does not grant broad access rights.
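As an added example (not part of the original post), the check below walks role authorization rows in the role / object / field / low / high shape, expands `*`, `prefix*` and low/high ranges against a value universe, and reports every non-display value a role, or a combination of roles assigned to one user, can reach. The display-value sets and the value universe are assumptions for the example; take the authoritative lists from TACT and the field value helps.

```python
"""Flag non-display values in roles meant as display roles (added example)."""
from collections import defaultdict

# Assumed display-only values per field; verify against TACT and value helps.
DISPLAY = {
    "ACTVT": {"03", "08"},      # 03 display, 08 display change documents
    "PPFCODE": {"DISP"},        # PLOG: display
    "AUTHC": {"R"},             # P_ORGIN: read
    "JOBACTION": {"SHOW"},      # S_BTCH_JOB: display job
}
# Value universe per field, needed to expand '*', 'prefix*' and ranges.
# Constructed subset of TACT and of the field value helps (assumption).
UNIVERSE = {
    "ACTVT": {"01", "02", "03", "06", "08", "16", "71"},
    "PPFCODE": {"DISP", "INSE", "DEL"},
    "AUTHC": {"R", "M", "W"},
    "JOBACTION": {"SHOW", "PLAN", "RELE", "DELE"},
}

def expand(field, low, high):
    """Return every value of the field's universe matched by LOW/HIGH."""
    vals = UNIVERSE[field]
    if high:                       # interval, as in the LOW/HIGH columns
        return {v for v in vals if low <= v <= high}
    if low.endswith("*"):          # '*' or 'prefix*' wildcard
        return {v for v in vals if v.startswith(low[:-1])}
    return {low} & vals            # single value

def non_display(rows, roles):
    """Map (object, field) -> non-display values reachable via the given roles."""
    found = defaultdict(set)
    for role, obj, field, low, high in rows:
        if role in roles and field in DISPLAY:
            found[(obj, field)] |= expand(field, low, high) - DISPLAY[field]
    return {k: sorted(v) for k, v in found.items() if v}

# Constructed rows: 01/02 were removed from ACTVT, but '*' and a range remain.
ROWS = [
    ("Z_DISPLAY", "S_TABU_DIS", "ACTVT", "03", ""),
    ("Z_DISPLAY", "F_BKPF_BUK", "ACTVT", "*", ""),
    ("Z_DISPLAY", "S_BTCH_JOB", "JOBACTION", "SHOW", ""),
    ("Z_DISPLAY", "PLOG", "PPFCODE", "DISP", ""),
    ("Z_DISPLAY", "M_MATE_WRK", "ACTVT", "03", "08"),
    ("Z_EDIT", "S_TABU_DIS", "ACTVT", "02", ""),
]

if __name__ == "__main__":
    print(non_display(ROWS, {"Z_DISPLAY"}))            # display role alone
    print(non_display(ROWS, {"Z_DISPLAY", "Z_EDIT"}))  # combined assignment
```

The first call shows the forgotten `*` and the 03-08 range (which silently includes 06, delete); the second shows what the display role reaches once a change role is assigned to the same user.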
(C) Meta Hoetjes 2014
CSI Authorization Auditor and CSI Role Build and Manage are registered trademarks by CSI tools bvba