I thought it might be useful to add why I think SU10 & scripting is good for this. SU10 can be used to append or remove single roles from a user.
In the case of removing roles you only need to create your file with the following data elements:
USER ID, ROLE, FROM DATE, TO DATE
Script SU10 so it performs a single removal operation and it can then work it's way through the file only removing what is required. There is no need to do any clever stuff in SU01 to pick out specific roles. I was doing all sorts of fancy stuff until someone showed me the SU10 trick.