Locally you can use the authorizations described in SAP note 587410 to restrict the ability to single test function modules. That is effectively the same as having SAP_ALL so you must be very restrictive with it.
Remotely you can secure BAPIs via restrictions to authorization object S_RFC and the corresponding application authorizations needed (this is one of my specialities actually - see SAP Note 1682316). As of release 7.41 on recent SP levels and kernels, you can additionally use transaction UCONCOCKPIT to deactivate the remote enabled availability of RFC function modules if they are not meant to be called from the outside.
You have definitely opened a can of worms here for yourself! Good luck :-)
Cheers,
Julius