Yes, that is safest, to physically do the import on the test server, to minimize mistakes.
But if you have tnsnames.ora configured, you can do the export and import from the test server using a remote alias:
# Note the export uses @PROD but the import uses a local connection (ORACLE_SID in environment)
exp fred/password@PROD file=prod.dmp
imp system/admin fromuser=fred touser=fred file=prod.dmp
Regarding roles, there is not an option specific to roles; just do a schema-level export, like I showed above, and there will be no privileges/roles imported.