Use the API provisioning risk threshold feature to help prevent large-scale accidental changes during syncs. Risk thresholds let you put an upper limit on the number of user and team updates that can be automatically performed during a single sync. If a sync exceeds the set risk threshold, the sync is paused for an Admin to manually review.
Risk thresholds can prevent:
Accidental mass deletions or updates.
Disruptions to team structures.
Incorrect data modifications from faulty CSV files.
Risk thresholds help you:
Maintain greater oversight of sync activities.
Catch errors early.
Improve data management control.
Note: You can set a separate risk threshold for team and user updates.
Set a risk threshold
1. Open API Provisioning settings
Go to Settings in the Workleap platform.
Select Provisioning from the side menu.
Open the API Provisioning configuration page.
2. Find the risk threshold settings
Find the Pause operations that result in large-scale changes section.
3. Understand the categories
You can set thresholds for:
Users: Includes new users, user deactivations, and property updates.
Teams: Includes new teams, team removals, and manager/member assignments.
4. Set risk threshold values
Enter a numeric risk threshold value for users and teams.
Threshold value = maximum number of automatic changes allowed per API provisioning sync.
Note: You can set a risk threshold for both user and team changes or for only one.
Tips
Set a higher user risk threshold if you frequently onboard/offboard users.
Set a lower team risk threshold if your team structure is stable and consistent.
Threshold value impact
Threshold value | Behavior |
| All syncs require manual approval. |
Small number (e.g., 10) | Frequent pauses; maximum control. |
High number (e.g., 1000) | Fewer pauses; better for stable, reliable integrations. |
Very high (e.g., 99999999) | Effectively disables threshold; use with caution. |
5. Save your configuration
Click Save configurations to apply changes.
What happens when a risk threshold is reached?
Sync is paused: No changes are applied.
Admins are notified: Email includes a link to the paused sync report.
Sync appears paused in the sync history.
Review the sync report:
Click the paused sync in your sync history.
Review the number and nature of proposed changes.
Examine examples such as user property changes or team assignments.
Approve or reject changes
Approve changes:
Click Apply changes in the report.
Sync resumes and applies updates.
Results in a Success, Warning, or Failed sync.
Reject changes:
Click Reject changes to cancel the sync.
No changes are applied.
Status changes to rejected.
Investigate the issue and re-run sync if needed.
Note: Only Workleap Admins can approve or reject changes.
What happens if there is no Admin response?
If no action is taken within 24 hours of a sync pausing due to your risk threshold, that sync's changes are automatically rejected.
Best practices
Start low: Use lower thresholds at first for tighter oversight.
Adjust to your change volume: Analyze typical update counts and set thresholds accordingly.
Regularly review reports: Check syncs with Warning statuses to catch issues early.
Adjust as needed: Tune thresholds based on frequency of false positives or missed risks.
Train admins: Ensure Admins understand the approval workflow.
Use
0threshold for testing: Review all syncs during initial setup or when high control is needed.