Ali,

That's a good question, but a tough one.

While both applications can do most of what the other can do, it's a matter of specialization in my opinion.

Access Control is all about managing and controlling access to SAP system roles and has the ability to report on role conflicts for compliance and reporting purposes. (I'm sure I'm leaving a lot out, but maybe a GRC / AC expert can fill in more details)

SAP IDM is about managing the user life cycle with regards to landscape and enterprise systems. It will handle the creation, update and ultimately the removal (or de-provisioning) of users in SAP ABAP, SAP JAVA, LDAP, JDBC, and API based applications.  It will also do Role Management through a web based UI (User management is web based as well). and as of the latest Service pack for SAP IDM 7.2, it will do attestation (limited certification) as well. It is a definite upgrade to CUA as it will work with a greater variety of systems, include workflows and approvals.

GRC will do some provisioning, but it's somewhat limited, as is IDM's compliance abilities.

The applications are designed to work together, however it does not have a great track record and the integration is typically heavily modified to work as desired.

If you have specific questions, feel free to post / DM.  Obviously I am more knowledgeable about IDM, but I'll be happy to help you in any way possible.

Regards,

Matt