Rick Nieuweveen: If I understand you correctly it's not about the number of actions or if they are started for the correct reasons but more about if the action works as intended and correctly. So in short you want to have more forecasting/testing capabilities to try an action in different scenarios? Or have more control which action to start so you can test the action before running it in bulk

Rick van den Dijssel: Adding a button the the blocked actions to delete the triggered actions would "fix" your fist example. It would also fix other feature requests like triggering an update for everybody when adding a custom field. If you have a threshold on the update action then we could just delete the triggered actions and we would not be executing for example 70.000 actions. I agree with your opinion that the feature should not be used as a system of control, but I do think that adding a delete actions button would fit the current use case of the blocked actions.

Twan Duvigneau: Unfortunately your solution of a button to remove actions will not work because on the next enforcement, it will start a new revoke action which again could be blocked by the treshold depending on the number of actions (in my example it will start a revoke for the 9 actions left which is below the threshold). This is because our engine always wants to accomplish the desired state as configured in business rules.

The above reason is why I would like to know more about the issue. Then I can discuss this with development or other parties to come up with the best solution to solve the issue.

Rick van den Dijssel: I see what you mean, it's not completely what I meant. After deleting the actions in the blocked actions it should not really throw away the actions, because that would trigger new ones indeed. But it should skip the actions and see it as completed. Then it would not trigger again. So maybe "skip" would be better than a "delete" button, or unmanage.

Rick van den Dijssel: Making a minor change to a person object such as adding a new field will trigger updates in every single target system for those users. This can cause 1000s of updates to appear that won't actually do anything but the clients (and techs oftentimes as well) get worried about this and would like to see a handful of users go through the process as reassurance that the process will not run over and possibly update 1000s of users in a way they do not want.

Ideally we'd have some way to control what attribute updates effect which parts of a system or the system as a whole. For example in the Active Directory system we don't need to worry about changes to a field called personalEmail we would simply be able to uncheck that field from Active Directory > Update (or even just the Active Directory target system itself) so any changes for the field personalEmail simply will be ignored by the Active Directory target system. This would have the added benefit of not causing 1000s of updates to appear and try and process for systems in which the application is going to do nothing and would save a massive amount of processing time/power. (This is also discussed here: https://helloid.canny.io/provisioning/p/skip-updates-when-adding-custom-fields) Though I imagine that would require significant development effort so this solution acts as an easy common ground.