Introduced in IDM 3.7, the resource model fulfills some requirements that roles don't, but brings no SoD, keeping level 10 roles as the application permission representation. But, as resources "should be" associated with entitlements, "not" roles, mainly all permissions should be duplicated, so we have roles → resources → entitlements associations. With 800 applications integrated or represented in IDM, millions of roles and users associated with close to 1800 level 10 roles each, adding 1800 more resources to the RRSD process seems to be unnecessary work.
The IDM 4.7 graphical interface brings the possibility to associate entitlements directly with roles, leaving resources for other kinds of things, like cellular phones, badges, and so on. OK, some difficulties will arise; for example, PCRS and IG integration will not work.
As developing a custom SoD based on resources is out of scope, which architecture is the best way to implement this?