I chose creating a new role from SAP_ALL, because there isn't enough time to change all roles (+1000), and no more people to test new roles. Also, if you cannot change some tcodes' authorizations, you can exclude them. And you are right, you add some new objects, but only you know that; the users don't. :-)
Regards
O.K.