Hi Faisal,
what you described is standard SAP GRC logic. I agree to some extent this does not satisfy all (audit) requirements.
What we did was - we created a separate client (on GRC System) with the list of all managers which are not maintained in LDAP (this is our first source of information), but are required for cases like contractors / external audit etc.
Why we did use a dedicated mandant instead of the same GRC system, we wanted to limit the capabilities of user selection (F4) while looping for a manager.
Thank you,
Filip