Hello
Is it advisable to upgrade the Production now and perform the SU25 in DEV later and promote the roles to Production after proper testing in QA?
or is it something we have to do immediately after the upgrade before releasing it to the end users?
Not a good practice. I would get this first adapted before starting the upgrade on the next system.
You may read these SAP notes which provides the recommendations.
1539556 - FAQ Administration of authorization default values
727536 - FAQ| Using customer-specific organizational levels in PFCG
Regards
RB