If you have a super user role in your production system, it’s quite possible that the SUPRN_INS_OR_DEL_PROFILE or BAPI_USER_PROFILES_ASSIGN function modules could be run from SE37 to assign SAP_ALL and then get around other restrictions.
Since SUIM relies upon S_DEVELOP and activity 16, you can’t just remove it unless you leave the admins to find their own way to the underlying transactions.
Instead, you could lock down the S_DEVELOP authorisation object by removing access to the specific function group (FUGR).
When editing the authorisations of a role, set one of the S_DEVELOP authorisation objects to exclude FUGR (and DEBUG):
Activity = 03 & 16 (Display & Execute)
Package = *
Object Type = 4 to DE
DEVC to FU
FUGS to Z
Z to $TM
Then add another S_DEVELOP authorisation object “MANUALLY”.
Set this to exclude the SUPR, SUPRN and SU_USER function groups:
Activity = 03 & 16 (Display & Execute)
Package = *
Object Name = 0 to SUNI
SURI to SURI-SU_UPGTOOLS
SU_USER_GRP_SURFACE to Z*
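A quick way to review intervals like the Object Name ones above before transporting the role. This is an added example, not part of the original post and not SAP code. It assumes values compare character by character in ASCII order and that a trailing * on an upper bound matches any name with that prefix; the function names and the sample names ZTEST and SUPRX are made up for the illustration.

```python
# Added example: model S_DEVELOP "Object Name" intervals as plain string ranges.
# Assumption: values compare character by character in ASCII order, and a
# trailing "*" on an upper bound means "anything with this prefix".

# Intervals copied from the manually added S_DEVELOP authorisation above.
OBJECT_NAME_RANGES = [
    ("0", "SUNI"),
    ("SURI", "SURI-SU_UPGTOOLS"),
    ("SU_USER_GRP_SURFACE", "Z*"),
]

# Function groups the role is meant to exclude (from the text above).
MUST_BE_EXCLUDED = ["SUPR", "SUPRN", "SU_USER"]


def in_range(name, low, high):
    """True if name lies in [low, high] under the assumed ordering."""
    name = name.upper()
    if high.endswith("*"):
        prefix = high[:-1]
        return name >= low and (name < prefix or name.startswith(prefix))
    return low <= name <= high


def is_authorised(name, ranges=OBJECT_NAME_RANGES):
    """True if at least one interval covers the object name."""
    return any(in_range(name, low, high) for low, high in ranges)


def review(names, ranges=OBJECT_NAME_RANGES, must_exclude=MUST_BE_EXCLUDED):
    """Split names into (leaks, collateral).

    leaks: intended exclusions that an interval still covers.
    collateral: other names that fall into a gap and lose access too.
    """
    leaks = [n for n in must_exclude if is_authorised(n, ranges)]
    collateral = [n for n in names
                  if n not in must_exclude and not is_authorised(n, ranges)]
    return leaks, collateral


if __name__ == "__main__":
    # Constructed sample of other object names to test against the intervals.
    sample = ["SUNI", "SURI", "ZTEST", "SUPRX"]
    leaks, collateral = review(sample)
    print("still reachable:", leaks)
    print("also blocked:", collateral)
```

Any name that sorts into a gap between two intervals is blocked along with the intended function groups, so run the list of groups your admins actually need through review() as well.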