Indeed, very valuable gems have been added on the kernel side of the user buffer and AUTHORITY-CHECK statement over the past year.
The most important of these is that if certain conditions are met (see methodology and applications used in the SAP Note 1682316) then you can analyze which authorization assigned was responsible for the successful check. This was needed for RFC users as you cannot realistically test them.
The trick is to give or leave them with SAP_ALL as the LAST authorization they have and then just simulate that the previous one(s) is always sufficient, but nothing will ever really fail.
Actually you can do the same for dialog users as well. Letting them switch between simulations in production until they feel comfortable means you don't necessarily have to test at all anymore... just simulate for long enough and collect data on which authorization set sy-subrc to 0.
The redesigns of the roles are completely error free and no one notices anything of the fact that there was a big change. Works like a charm... :-)
Cheers,
Julius
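
An added illustration, not part of the post above and not SAP code: a simplified Python model of the evaluation described there, showing how the collected data exposes checks that passed only because SAP_ALL was still assigned last. It assumes authorizations are tried in order and the first one that satisfies the check is recorded as responsible; the role names and sample checks are constructed.

```python
from collections import Counter

SAP_ALL = "SAP_ALL"  # fallback authorization, kept as the LAST entry

def covers(values, required):
    """True if every required field value is granted ('*' grants any value)."""
    return all("*" in values.get(f, ()) or v in values.get(f, ())
               for f, v in required.items())

def authority_check(user_auths, obj, required):
    """Return (sy_subrc, responsible authorization) for one check.
    Assumption: entries are tried in order and the first hit is recorded."""
    for name, auth_obj, values in user_auths:
        if name == SAP_ALL or (auth_obj == obj and covers(values, required)):
            return 0, name
    return 4, None  # check failed

def fallback_hits(user_auths, checks):
    """Count checks that passed only because SAP_ALL was still assigned."""
    hits = Counter()
    for obj, required in checks:
        subrc, responsible = authority_check(user_auths, obj, required)
        if subrc == 0 and responsible == SAP_ALL:
            hits[(obj, tuple(sorted(required.items())))] += 1
    return hits

# Constructed sample: redesigned roles first, SAP_ALL last.
NEW_ROLES = [
    ("Z_NEW_RFC", "S_RFC",
     {"RFC_TYPE": {"FUGR"}, "RFC_NAME": {"ZSALES"}, "ACTVT": {"16"}}),
    ("Z_NEW_TAB", "S_TABU_DIS", {"DICBERCLS": {"SS"}, "ACTVT": {"03"}}),
]
RFC_USER = NEW_ROLES + [(SAP_ALL, None, {})]

# Constructed checks, as they might be collected while the simulation runs.
SALES = {"RFC_TYPE": "FUGR", "RFC_NAME": "ZSALES", "ACTVT": "16"}
STOCK = {"RFC_TYPE": "FUGR", "RFC_NAME": "ZSTOCK", "ACTVT": "16"}
CHECKS = [
    ("S_RFC", SALES), ("S_RFC", SALES),
    ("S_RFC", STOCK), ("S_RFC", STOCK),
    ("S_TABU_DIS", {"DICBERCLS": "SS", "ACTVT": "02"}),
]

if __name__ == "__main__":
    for (obj, fields), n in fallback_hits(RFC_USER, CHECKS).items():
        print(f"{n}x {obj} {dict(fields)} -> missing from redesigned roles")
```

An empty result from `fallback_hits` over a long enough collection period is the signal that the redesigned roles alone would have satisfied every check.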