Hi,
There are a few options, a couple of them are
1. Find an appropriate enhancement point in SU3 to add some additional display logic that will will allow you to toggle update / display based on an authorisation value.
2. use SHD0 to create a variant that has only display, assign that to to a custom tcode and get the display-only users to use that.
Adding auth objects to roles won't control something (like SU3) that hasn't been coded with the checks in place to start with.