Source: projects/identity-management/ad-shop-seeding/ITSHOP-STRUCTURE-PROPOSAL.md

> Source: projects/identity-management/ad-shop-seeding/ITSHOP-STRUCTURE-PROPOSAL.md

IT Shop Structure Proposal for Sandbox AD Entitlements

Status: corrected structure seeded in OneIM on 2026-04-27; product publication still pending

Scope: OIM-side publication model for the AD groups proposed in

PROPOSAL.md and data/ad-shop-catalog.json

Implementation artifact: sql/seed-itshop-structure.sql

Live Starting Point

Queried from the live OneIM database on 2026-04-27:

Area	Current state
Shop root	`Identity & Access Lifecycle` exists in `ITShopOrg` with `ITShopInfo = SH`.
Existing shelves	`Active Directory Groups`, `Group Lifecycle`, and `Identity Lifecycle` exist with `ITShopInfo = BO`.
Existing product nodes	Requestable nodes such as `Role membership` and `New Active Directory security group` use `ITShopInfo = PR`, `IsCutNode = 1`, and have `UID_AccProduct` plus `UID_PWODecisionMethod`.
Customer node	`Identity Lifecycle Customer` uses `ITShopInfo = CU`.
AD groups	`ADSGroup` exists, but current rows are not IT Shop published.
System roles	`ESet` and `ESetHasEntitlement` are empty.

ITShopInfo Semantics

Observed live values:

`ITShopInfo`	Meaning in this sandbox	Valid role in this plan
`SH`	Shop root	Reuse existing `Identity & Access Lifecycle`; do not create another shop root for v1.
`BO`	Shelf / bucket directly below a shop root	Use for the four sandbox shelves.
`PR`	Requestable product node	Use later when publishing `AccProduct` service items.
`CU`	Customer node	Not part of this entitlement catalog phase.

Important constraint: OneIM's QER_TUBaseTree trigger rejects a BO shelf

below another BO shelf with "Cannot change shelf property, because

predecessor already is a shelf." Therefore the earlier deep tree

Sandbox Entitlements\Applications\<Domain>\<Application> is invalid as an

ITShopOrg structure. Application/domain grouping must be represented through

AccProductGroup, service item names, metadata, or portal search/filtering.

Corrected IT Shop Tree

Identity & Access Lifecycle (`ITShopInfo = SH`)
├── Sandbox Applications (`ITShopInfo = BO`)
├── Sandbox Business Roles (`ITShopInfo = BO`)
├── Sandbox System Role Bundles (`ITShopInfo = BO`)
└── Sandbox Distribution Lists (`ITShopInfo = BO`)

All four seeded shelves are direct children of Identity & Access Lifecycle.

They are intentionally broad because ITShopOrg is a shop/shelf/product-node

structure, not a taxonomy tree. Application/domain grouping belongs in

service-item metadata, AccProductGroup, or portal filtering.

The shelves use:

Field	Value
`ITShopInfo`	`BO`
`IsCutNode`	`0`
`IsInvalidForDynamicGroup`	`1`
`UID_ParentITShopOrg`	`QER-ITSHOPORG-DELEGATION-SH`
`CustomProperty01`	`[OIM-SANDBOX-SEED:ad-shop-seeding:v1]`

The seeded shelf descriptions now carry the intended boundary for each shelf:

application AD groups, business-role marker groups, placeholder system-role

bundle groups, and distribution-list-shaped AD groups.

Product Placement Rules

Application Entitlements

Publish every APP_<CODE>_<TIER> AD group as an orderable product node below:

Identity & Access Lifecycle\Sandbox Applications

Use friendly service item names and metadata for application grouping:

AD group	IT Shop shelf	Display name
`APP_ATLAS_READER`	`Sandbox Applications`	`Atlas Office - Read-only`
`APP_ATLAS_USER`	`Sandbox Applications`	`Atlas Office - Standard user`
`APP_ATLAS_EDITOR`	`Sandbox Applications`	`Atlas Office - Content editor`
`APP_ATLAS_ADMIN`	`Sandbox Applications`	`Atlas Office - Administrator`
`APP_ATLAS_APPROVER`	`Sandbox Applications`	`Atlas Office - Request approver`

Business Role Markers

Publish BR_* groups below:

Identity & Access Lifecycle\Sandbox Business Roles

These are AD-side marker groups only. They should not be confused with OIM

business role objects yet. A later phase can decide whether to map them into

OIM business roles (Org) or keep them as requestable AD groups.

System Role Bundles

Publish SR_* groups below:

Identity & Access Lifecycle\Sandbox System Role Bundles

These groups are placeholders for future OIM ESet system roles. In a later

phase, the better OIM-native design is:

1. Create ESet rows matching each SR_* bundle.

2. Link included ADSGroup entitlements through ESetHasEntitlement.

3. Publish the ESet system role service item instead of requesting the

placeholder AD group directly.

Distribution Lists

Publish DL_* groups below:

Identity & Access Lifecycle\Sandbox Distribution Lists

They remain Global Security groups in AD for v1 and are not mail-enabled.

Service Categories

The live sandbox has these project-owned AccProductGroup service categories:

Sandbox Applications
Sandbox Business Roles
Sandbox System Role Bundles
Sandbox Distribution Lists

Recommendation for v1: keep these four categories. They are coarse on purpose.

Application/domain refinement belongs in AccProduct names and metadata first;

only add subcategory rows after the Web Portal view is tested.

Relationship Notes

Relevant live relations for the next publication phase:

Table	Column	Relation
`BaseTree`	`UID_OrgRoot`	`OrgRoot.UID_OrgRoot`
`BaseTree`	`UID_ParentOrg`	Same-tree parent, enforced by trigger logic.
`BaseTree`	`UID_AccProduct`	`AccProduct.UID_AccProduct` for `PR` product nodes.
`BaseTree`	`UID_PWODecisionMethod`	`PWODecisionMethod.UID_PWODecisionMethod` for request workflow.
`AccProduct`	`UID_AccProductGroup`	`AccProductGroup.UID_AccProductGroup`.
`AccProductInBaseTree`	`UID_Org`, `UID_AccProduct`	Present in schema, but empty in this sandbox; do not treat as the current active placement mechanism until a supported flow populates it.
`BaseTreeHasADSGroup`	`UID_Org`, `UID_ADSGroup`	Links AD groups to role/tree nodes when using entitlement assignment relations.
`BaseTreeHasESet`	`UID_Org`, `UID_ESet`	Links system roles to role/tree nodes when modeling native `ESet`.

For direct IT Shop publication, model future requestable product nodes as

ITShopInfo = PR, IsCutNode = 1, with UID_AccProduct and

UID_PWODecisionMethod, following the supported publish/ProductNode creation

flow rather than hand-building a parallel BO hierarchy.

Implementation Status

Completed in the live sandbox OneIM database on 2026-04-27:

Replaced the invalid 27-node nested ITShopOrg tree.
Seeded 4 valid project-owned ITShopOrg shelves directly under

Identity & Access Lifecycle.

Seeded 4 project-owned AccProductGroup service categories.
Refined shelf/category descriptions after later DB-backed IT Shop research:

no nested BO taxonomy, no direct PR rows until the supported publication

path is executed, and no reliance on empty AccProductInBaseTree as the

current placement mechanism.

All project rows are marked with [OIM-SANDBOX-SEED:ad-shop-seeding:v1].
Idempotent rerun verified.

Still pending:

AD OU/group creation.
AD synchronization into ADSGroup.
AccProduct service item creation or assignment.
ADSGroup.IsForITShop publication.
Product-to-ITShopOrg assignment.
Native ESet system-role creation.