Ideally, you'd move the users into different groups in your LDAP, or map the users' group to a different role in your LDAP mapping inside of splunk.
Failing that, you can of course modify users via REST - after all, any click you do in the UI translates to a REST call under the hood. Check out http://docs.splunk.com/Documentation/Splunk/6.6.2/RESTREF/RESTaccess#authentication.2Fusers - the POST takes a roles parameter to update role assignment.
I'd edit the configuration file from the CLI. By the time you scripted a solution via the REST API, you could have hand-typed the changes (of course you should be using search-and-replace tools, not hand editing everything)