This is again about MSCRM 3.0, and I am not sure it would be the same with higher versions. Without further ado, here it is:
The script corresponds to the scenario/constraints I currently face, so in your case you might need to tweak it.
A PrivilegeDepthMask of 16 or 128 is x*2^4, which is what happens (as I believe) when a privilege is inherited from the organization-level role to a business unit (I might be wrong, better verify it yourself :). In my case inherited privileges are always the same, which is why there is that rp.PrivilegeDepthMask NOT IN (16, 128) at the end. I also filter by entity name in a hacky way; you might want to join the entities table/view in your case.
This is it.
[Update: 13-Oct-2011, script updated with parent to child scenarios]