Need to review ACFRPTRV to find a specific user and their resource violations buried within over 500,000 pages of report output.
What is best method?

Release : 16.0

Best way to run report when there are multi million records and particular rule type violations need review is to first run ACFRPTPP that will unload all the SMF records that relate to just the specified "logonid".

//STEP1  EXEC  PGM=ACFRPTPP,REGION=0M                                 
//*RECMAN1  DD DSN=IFASMF.SYS1.STREAM,DISP=SHR,SUBSYS=(LOGR,IFASEXIT) 
//RECMAN1  DD DSN=SYS1.MAN1,DISP=SHR                                  
//RECMAN2  DD DSN=SYS1.MAN2,DISP=SHR   
//RECMAN3  DD DSN=SYS1.MAN3,DISP=SHR                                 
//SMFVR       DD DSN=smfvr.output.dataset.DISP=SHR
//SMFAR   DD DUMMY 
//SMFCR   DD DUMMY 
//SMFDA   DD DUMMY 
//SMFDR1  DD DUMMY 
//SMFDR2  DD DUMMY 
//SMFDR3  DD DUMMY 
//SMFDR4  DD DUMMY 
//SMFER   DD DUMMY 
//SMFFLT  DD DUMMY 
//SMFJR   DD DUMMY 
//SMFNR   DD DUMMY 
//SMFOR   DD DUMMY 
//SMFPR   DD DUMMY 
//SMFSG   DD DUMMY 
//SMFSR   DD DUMMY 
//SMFTR   DD DUMMY 
 //SMFZR   DD DUMMY 
//SYSPRINT   DD  SYSOUT=*                                             
//SYSIN   DD  *                
MASK(logonid)     
/*
//STEP1  EXEC  PGM=ACFRPTRV,REGION=0M                                 
//RECMAN1  DD DSN=Smfvr.output.dataset,DISP=SHR                                  
//SYSPRINT   DD  SYSOUT=*                                             
//SYSIN   DD  *                                                       
 DETAIL
 TYPE(xxx) 
ID(yyyyyy-)             

ACFRPTRV can then be used to identify the criteria for the report - only records related to the user will be presented.
TYPE(xxx) is the optional resource type code and ID is an optional mask of the resource names within that resource type.        

Details of ACFRPTRV can be found at this link..

https://techdocs.broadcom.com/us/en/ca-mainframe-software/security/ca-acf2-for-z-os/16-0/reporting/acfrptrv-resource-event-log.html