Hi,
It's the basic task of a SAP BASIS Admin to provide authorization to end users and core team users in an organisation. For this we do create single, master, derived, composite roles and maintain various authorization objects and class corresponding to organisational values. I am herewith gathering following tips :-
1. Use SU24 : Since we know that a SAP transaction contains more number of authorization objects and we can't get the missing object in single SU53 screen. Due to this reason, most of times some business users gets frustrated in sending numerous SU53 screens. This also happens due to not performing complete integrated testing of roles in QAS scenario. Anyway, to get rid of this scenario, we can check all relevant objects of an T-Code / report in SU24 and them in corresponding roles with proper authorization field values.
2. Google Search 
: Sometime you might have noticed that some authorization field doesn't contain any pre-stored value because of which we can't get feasible input by pressing F4 in that text field. In that case, you can do google search by typing authorization class and object name , where you will get direct link to SAP HELP . Here you can find all feasible combinations of inputs . For example, for TRIP T-Code, ""New Status" When Saving Trip" field under "P_TRAVL" object doesn't contain any pre-stored values for which you can serach as follows :-
3. Use ST05 trace report : Apart from above steps sometime it is still required to check the corresponding object of any action with the help of ST05 trace report. In thi sway you can get the exact authorisation object behind any operation triggered through variuos frontend actions.
4. Addition of profiles into single role: Well.. this is mostly required for testing purpose where suppose an user is having number of roles and multiple of roles are having common transactions and obviously corresponding objects with different values in different roles. So, in this case you can create a single role and add profiles of those roles into it and remove those roles from that user. Now it becomes easier for you to check relevant objects from where user is exactly getting access from a dingle role. Following screen shot shows the button through which you can add profiles to a roles :-
In addition to this you can add MERGE button to merge various authorisation fields under same objects.
I hope above steps would help SCN family ... I welcome yours additional suggestions to add some more tips.
Regards,
Nilutpal.