Use case:

• simulated reconciliation with AD/LDAP indicates there will be renames and other changes because outbound mappings generate different values than already in AD/LDAP. E.g. from CN=Joe Doe,... to CN=Joseph Doe,..

• during this, also account's displayName is being changed. E.g. from Joe Doe to Joseph Doe

• the authoritative value from HR is Joseph Doe, so midPoint is technically doing the right thing

• on the other hand, user insists on having displayName=Joe Doe instead of (authoritative) Joseph Doe. Preferred name feature is to be used here to override. Outbound mapping for ri:displayName will use the preferredName first, if it exists.

• during simulations, administrator detects that this is going to happen and would like to edit user owning the CN=Joe Smith account. But this is not possible from simulation: there are no related objects for shadows (there are from the opposite direction, User to Accounts)

• thus, administrator can go to Resource/Accounts, find the account by DN and edit the owner, but not via simulations GUI

Could we have some kind of link from shadow to owning user to allow this editing?
Of course not if the user does not exist in midPoint.
The owning user could but also could not be part of simulations. In my particular case, the owning user has some metadata changes (last provisioning, last modifier, task info etc.). But perhaps it may be also user which is completely untouched by the simulation?

In worst case, I can escape from simulations GUI and go to Resource/Accounts, search for DN and then edit the user. But can we do better?