Really depends on how complicated (i.e. how granular) your security model is!
If you only grant access rights based on GROUPS (and then users inherit the rights via group membership) then this is perhaps not a very complicated thing to do ; inactivate groups and replace them with "read only" versions of the group ; can do a lot of the low level work for this using XOG.
To an extent access rights inherited through OBS membership could also be relatively simple - similar problem to GROUPS (but conceivably more complications) ; but again could be using XOG to do a lot of the hard work.
However if you have a lot of access rights given out at USER (i.e. INSTANCE to INSTANCE) level ; then you have potentially a lot of data to look at ; I think some developed SQL statements would help you work out whats you need to do.
(there are some old discussions on here about how to pull access right information via SQL - its complicated but predictable - for example Clarity rights Query )
I think you have a complicated task whatever though - good luck.