It's a huge project.
In SAP, tcodes belong to roles, and roles are assigned to users.
This means one user may have many roles, one role may be assigned to many users, one tcode may be in many roles, one tcode in one role may have uncertain organization units and actions.
There's no direct relationship between user and tcode.
To remove specific tcodes for users in SAP, we need the following actios
1.List and save all the users with SAP SID you need to modify.
2.List and save all the users with specific tcodes, this is the start and also the end point.
3.List and save all the roles with the specific tcodes and assigned to the users listed in step1 order by user.
4.List and save all users assigned to the upon roles.
//After provide the user list, step 2 and step3 can be done with one SQL.
ps. The following steps are the most simple and direct method, but will brings many new roles.
5.Create one role for each tcode under one company/organization unit, will generate many new roles.
6.Remove the specific tcodes in the old roles assigned to the users in step 4.
7.Assign new roles to the effected users in step 6 with the same removed tcodes.
8.Repeat 1~3, double check.