While `sysadmins` having ssh/sudo rights on servers can trigger themselves remotely ad-hoc or role tasks through ansible from their main station, that's *not* the best practice.
Based on the Env, we have usually (can depend on ENV requirements), one [host](https://github.com/CentOS/ansible-role-ansible-host) that is used to control the whole Infra/ENV.
On that host, we use [ARA](https://ara.recordsansible.org/) tokeep track of playbooks execution on that host, while we also have `log_path`setto also logtoon-disk log files (rotated)
* it can waitnext automatic execution: do nothing and ansible will deploy your change (like for example a simple TLS cert replace and reload) when the next (cron) "play all roles on all nodes" task will run