Hi Gerhard - you are not on your own 😉

Yes definitely look at grouping, this will have the effect of the privileges that are for the same repository being sent as one request to AC. Unfortunately there is not a cross-repository solution that I am aware of as standard.

I have yet to investigate how different this is in 7.2, but my understanding is that there is still not a common business role concept between AC and IdM 7.2, irrespective of whether you have GRC AC10 or 5.3. I do know that this has been added to the IdM Product Team's development list as there is more and more interest in this area.

You might find Kai's blog useful http://scn.sap.com/community/netweaver-idm/blog/2011/04/12/how-the-grc-provisioning-framework-works   and (apologies if you know this already 😉 the IdM GRC configuration guide covers privilege grouping fairly well, and of course the IdM help on repository privilege grouping is handy too .

When we tried to get grouping rule 3 to work it did not, although the documentation implies it would perform cross system as you are aiming for. I was on an IdM 7.1 sp5 system though so this may have been resolved in sp6/7.

Hope this helps,

cheers,

Andy

(Just noticed you have clearly already read Kai's blog looking at your comment there but am leaving the link up for anyone else who hasn't and visits this thread!)

Message was edited by: Andy Minshull