Prioritized Provisioning and Deprovisioning with Dependency Awareness

Products Privilege Secure Ideas
,
1

What is a one sentence summary of your feature request?

Introduce separate priorities and dependency-aware scheduling for provisioning and deprovisioning tasks to prevent operational blocking and improve efficiency.

Please describe your idea in detail. What is your problem, why do you feel this idea is the best solution, etc.

Currently, provisioning and deprovisioning tasks are processed with the same priority and share the same limited task scheduler capacity. In practice, individual actions are often logically dependent on each other (e.g. managed accounts requiring enable/disable operations in a specific order).
When a large number of deprovisioning tasks are triggered (for example during mass offboarding), the task scheduler can become saturated. As a result, new provisioning tasks cannot be executed in a timely manner, even though they are critical for ongoing business operations.
Introducing priority separation between provisioning and deprovisioning, combined with dependency-aware execution (e.g. respecting relationships between managed accounts and enable/disable actions), would ensure that critical provisioning processes are not blocked by bulk deprovisioning activities. This would significantly improve reliability, predictability, and operational efficiency.

How do you currently solve the challenges you have by not having this feature?

At the moment, the issue can only be mitigated manually by delaying or throttling deprovisioning activities, scheduling them outside of peak hours, or closely monitoring the task queue. These workarounds are error-prone, require manual intervention, and negatively impact efficiency and user experience.

2 Likes
2

Hi Dom,

Thanks for submitting this request!

I’m curious as to which version of the product you’re running? We recently made improvements to provisioning/deprovisioning times, so I’d love to see you running our latest version (which is 25.12.2 as of today).

You can also increase the Action Service Worker count on any NPS server/leaf by editing C:\ProgramData\Stealthbits\PAM\ActionService\appsettings.json, specifically by increasing the MaxJobWorkerThreads value. Please note this will increase the load on CPU and RAM, so you should make sure those aren’t pegged after changing this setting. You also need to restart the Action Service in Windows for the change to take effect.

Finally, you can also add more Action Services as leaf nodes, which might help balance the load of tasks - Action Service Install | Netwrix Product Documentation

Please let me know if this information helps!

- Dan