Is there a simple way to have a Resource or Role that grants a IDV group

Not group membership in a remote application, which is how the
eDir/AD/LDAP/etc driver Group entitlements work.

But rather using RBPM to decide the IDV groups a user is a member of?

I approached it as:
Loopback/Null driver
IDVGroup entitlement defined
Hand made entitlementConfiguration object for IDVGroup, DN as ID, GUID
as ID2.
Policy to implement the entitlement as group membership in IDV.

That allows UA To see the IDVGRoup Entitlement on the LB driver, and
make a Resource for specific groups to it.

Is there a simpler way I missed? (Dynamic group does not help, want a
real group member list).