Hi Anja,
I use the second option, one role with multiple instances.
An alternative could be to create a separate role for each system and work with a naming convention to avoid assignment on the 'wrong' system. I myself would try to convince the GRC folks these transports are incidental and just need a bit of aftercare.
Jurjen