Anja,
Yes you do have to manage the users separately sometimes in your differing systems, but if the only difference is the RFC connectivity then you only need to create a single role with that required attribute.
Remember role security is cumulative and a composite role is only a container. You could just as easily assign the 20 single roles in that composite and get the same affect to a user...you do not have to create a composite role for every single role you maintain.
From a realistic prospective, your main end user population will only require access to your QAS environment for testing and validation purposes and that population should be small since only a few designated users will be doing validation and testing in QAS. The DEV environment is just that, for development. The user base in there should be even smaller then QAS as very few "end users" will be working on development projects in there...this is were your support personnel will be mainly working.
If you find yourself loading all of your PRD users into QAS and DEV then I would really question what the purpose is for.
I would also say that since these systems will most likely not contain any sensitive data then you may only need one role that contains S_RFCACL with both the QAS and DEV systems identified so that you know those users when assigned this single role will get that access.
does this make sense?