I think it is better to find it correctly by running the trace for that user using the ST01 Tcode.
It will give you the exact authorization object as well as the value that needs to be changed.
Then revoke the access which is available in that role assigned to that user.