-- This query will create a syntax for creating a role <CUSTOMER>_SYSTEM_ROLE which will add all privileges which are grantable by SYSTEM
-- For this reason this query must be executed by SYSTEM
-- There are also privileges which are not grantable by SYSTEM
-- This should be added with:
-- CALL GRANT_PRIVILEGE_ON_ACTIVATED_CONTENT ('<object_privilege>','<object>''<user>'/'<role>')
-- call GRANT_SCHEMA_PRIVILEGE_ON_ACTIVATED_CONTENT('<object_privilege>','<SCHEMA>','<role/user>')
-- But this isn't working
-- For this reason this query will only create a role with privileges which are grantable by user SYSTEM
-- To avoid a warning in the EWA the "DATA ADMIN" System privilege is not added
--
--
-- Delete role <CUSTOMER>_SYSTEM_ROLE if it exists
select 'DROP ROLE <CUSTOMER>_SYSTEM_ROLE;' AS A, '' AS B,'' AS C, '' AS D, '' AS E,'' AS F, '' AS G 
from dummy 
UNION ALL
-- Create role <CUSTOMER>_SYSTEM_ROLE
select 'CREATE ROLE <CUSTOMER>_SYSTEM_ROLE;' AS A, '' AS B,'' AS C, '' AS D, '' AS E,'' AS F, '' AS G 
from dummy 
UNION ALL
-- Add roles which are grantyable by SYSTEM
select 'GRANT ' AS A, ROLE_NAME AS B, ' TO <CUSTOMER>_SYSTEM_ROLE WITH ADMIN OPTION;' AS C, '' AS D, '' AS E, '' AS F, '' AS G 
from GRANTED_ROLES where grantee='SYSTEM' and role_name <> 'PUBLIC' and role_name not like '<CUSTOMER>_%'
UNION ALL
-- Including a role to read the ABAP SCHEMA
select 'GRANT ABAP_SYS_REPO TO <CUSTOMER>_SYSTEM_ROLE WITH ADMIN OPTION;' AS A, '' AS B,'' AS C, '' AS D, '' AS E,'' AS F, '' AS G 
from dummy 
UNION ALL
-- Add System Privileges which are grantable by SYSTEM
SELECT 'GRANT ' AS A ,PRIVILEGE AS B, ' TO <CUSTOMER>_SYSTEM_ROLE WITH ADMIN OPTION;' AS C, '' AS D, '' AS E, '' AS F, '' AS G 
from GRANTED_PRIVILEGES where PRIVILEGE <> 'DATA ADMIN' and PRIVILEGE not like '%ENCRYPTION KEYPAIR' and 
grantee = 'SYSTEM' and object_type='SYSTEMPRIVILEGE' and IS_GRANTABLE= 'TRUE' 
UNION ALL
-- Add Object privileges  which are grantable by SYSTEM
SELECT 'GRANT ' AS A, PRIVILEGE AS B, ' ON "' AS C, SCHEMA_NAME AS D, '"."' AS E, OBJECT_NAME AS F, '" TO <CUSTOMER>_SYSTEM_ROLE WITH GRANT OPTION;' AS G 
from GRANTED_PRIVILEGES where grantee = 'SYSTEM' and object_type <> 'SYSTEMPRIVILEGE' and IS_GRANTABLE= 'TRUE' 
and OBJECT_NAME is not null and SCHEMA_NAME is not null
UNION ALL
-- Add Schema privileges which are grantable by SYSTEM
SELECT 'GRANT ' AS A, PRIVILEGE AS B, ' ON SCHEMA "' AS C, SCHEMA_NAME AS D, '" TO <CUSTOMER>_SYSTEM_ROLE  WITH GRANT OPTION;' AS E, '' AS F, '' AS G 
from GRANTED_PRIVILEGES where grantee = 'SYSTEM' and object_type <> 'SYSTEMPRIVILEGE' and IS_GRANTABLE= 'TRUE'
and OBJECT_NAME is null and SCHEMA_NAME is not null
UNION ALL
-- Add package privilege which are grantable by SYSTEM
select 'GRANT ' AS A, PRIVILEGE AS B, ' ON "' AS C, OBJECT_NAME AS D, '" TO <CUSTOMER>_SYSTEM_ROLE WITH GRANT OPTION;' AS E, '' AS F, '' AS G  
from GRANTED_PRIVILEGES where grantee='SYSTEM' and object_type='REPO' and IS_GRANTABLE= 'TRUE'
-- Add Roles which are NOT grantable by SYSTEM
-- Not defined, global check user SYSTEM has none
-- Add System Privileges which are NOT grantable by SYSTEM
-- Not defined, global check user SYSTEM has none
-- Add Analytic privilege
-- Not defined, global check user SYSTEM has none
-- Add Application privilege
-- Not defined, global check user SYSTEM has none
-- Add role <CUSTOMER>_SYSTEM_ROLE to <CUSTOMER>_ADMINISTRATOR_ROLE
UNION ALL
select 'GRANT <CUSTOMER>_SYSTEM_ROLE to <CUSTOMER>_ADMINISTRATOR_ROLE  WITH ADMIN OPTION;' AS A, '' AS B,'' AS C, '' AS D, '' AS E,'' AS F, '' AS G 
from dummy 
-- Paste the output into a unixfile and execute the next vi commands:
-- Delete the header
-- 1,$s/;//g
-- 1,$s/$/;/

Why you are not just checking which roles/privileges are assigned to the SYSTEM user? You have all you wanna know in your system.

But in general you should not create so powerful users for dedicated tasks. You should create specific users with restricted rights for the tasks they need to do.