Yow! I'm all for container-based security, but this is a bit much. Did you assign a unique security role for each user?
About the most number of roles I've ever needed was 8. Something like: anonymous (not logged in), user, app_administrator, sysadmin, programmer, auditor, data_loader, scoring_table_modifier and querent.
If I really needed more distinct roles than that, I'd probably do them fine-grained and add supporting logic.
I also normally zone out my URLs. For example, all admin functionality is under /admin, so that I can do a pattern-matched rule check rather than a rule for each discrete URL.
Customer surveys are for companies who didn't pay proper attention to begin with.
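The zoned-URL rule check described in the post above, as an added example that is not part of the original post: one rule per URL zone, matched on the normalized path, with default deny for anything outside a zone. Only `/admin` and the role names come from the post; the other zone prefixes, the role-to-zone assignments and the function names are assumptions made for illustration.

```python
import posixpath
from urllib.parse import unquote

# Zone prefix -> roles allowed in that zone. Only "/admin" is from the post;
# the other prefixes and all role assignments are constructed for illustration.
ZONES = {
    "/admin": {"app_administrator", "sysadmin"},
    "/audit": {"auditor"},
    "/load": {"data_loader"},
    "/app": {"user", "app_administrator"},
}
PUBLIC = {"/", "/login"}  # exact paths open to anonymous (assumed)


def normalize(raw_path):
    """Return the canonical path the rule check should see, or None to reject."""
    path = unquote(raw_path.split("?", 1)[0])  # drop query, decode %xx once
    if not path.startswith("/") or "\x00" in path or "\\" in path:
        return None
    # Collapse "." and ".." segments and repeated slashes before matching.
    return "/" + posixpath.normpath(path).lstrip("/")


def zone_for(path):
    """Longest zone prefix that matches on a path-segment boundary."""
    best = None
    for prefix in ZONES:
        if path == prefix or path.startswith(prefix + "/"):
            if best is None or len(prefix) > len(best):
                best = prefix
    return best


def is_allowed(raw_path, roles):
    """One pattern-matched check per zone instead of a rule per URL."""
    path = normalize(raw_path)
    if path is None:
        return False
    if path in PUBLIC:
        return True
    zone = zone_for(path)
    if zone is None:
        return False  # default deny: unzoned URLs are not reachable
    return bool(ZONES[zone] & set(roles))
```

The check is only sound if the application routes on the same normalized path that `normalize` returns.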