Hi,
its surprising that you are using SAP_ALL and then putting S_TCODE range, as Julius says it's silly because it will overwrite Tcode range and give access to all tcodes.
Now technically this to work - you have to include all authorization objects associated from tcode ranges ( which is going to be hell lot of work ) , its better to create role with tcodes that consultant required and not what he does not want.
Regards,
Satyajit