Source: projects/identity-management/knowledge-base/oim-consolidated-knowledge-map.md

> Source: projects/identity-management/knowledge-base/oim-consolidated-knowledge-map.md

One Identity Manager Consolidated Knowledge Map

This page is the human-readable entry point for the One Identity Manager research in this workspace. It connects the findings from:

live sandbox database research on OneIM V10;
decompiled local application assemblies under F:/Claude/agent-tools/oim;
the Web Portal/API Server project at C:/Dev/IdentityManager.Imx;
MDK/SDK and shipped SQL files under C:/Dev/OneIdentityManager.10.0 and C:/Dev/OneIM10.0.0-MDK/MDK;
local training documents and vendor release/configuration material.

Use this page as a map. Use the linked evidence notes for exact procedure text, query output, and generated indexes.

Source Priority

Priority	Source	How to use it
1	Live sandbox DB	Best source for what is installed and active in this V10 sandbox.
2	Installed shipped SQL, MDK, SDK, decompiled assemblies	Best source for shipped behavior and object-layer implementation mechanics.
3	Web Portal / API Server project	Best source for frontend action names, generated endpoint clients, and portal flow.
4	Vendor docs and release notes	Best source for supported concepts, version boundaries, and configuration semantics.
5	Training slides/PDFs	Useful background, but re-check version-specific claims against V10 DB/docs.

OneIM Processing Stack

Web Portal / Manager / API client
  -> API Server generated endpoint or object-layer call
  -> Object layer entity/customizer method or event
  -> DB write, object save, process generation, or method side effect
  -> SQL triggers and shipped procedures
  -> DBQueue task and/or JobQueue process
  -> Job Service / Database Agent Service
  -> target-system provisioning, recalculation, approval, notification, or sync side effect

The main research result is that OneIM work rarely belongs to just one layer. A visible action, such as submitting a cart, approving a request, publishing a group to IT Shop, or moving a product node, crosses multiple layers.

Core Runtime Concepts

Concept	DB/object evidence	Meaning
Object layer	`VI.DB.dll`, customizer assemblies such as `QER.Customizer.dll` and `ATT.Customizer.dll`	Executes entity methods, templates, events, save logic, process generation, and customizer behavior.
`DialogMethod`	45 method definitions and 71 table/object assignments in the sandbox	UI-visible method catalog. Important, but not the complete callable surface.
Customizer methods	226 registrations in full decompile index	Methods such as `MakeDecision`, `OrderShoppingCart`, `Abort`, `PrepareAttestations`, and `MoveBoard` can exist outside `DialogMethod`.
`QBMEvent`	353 table/event rows in sandbox	Event catalog. An event is a `(table, event)` pair, not a global string.
`JobEventGen` / `JobChain`	400 event-to-process rows in sandbox	Maps events to process generation. Check active/preprocessor state before assuming work will run.
`QBM_PDBQueueInsert_*`	Thousands of call sites in shipped triggers/procedures	Enqueues calculation/recalculation tasks for the Database Agent Service.
`QBM_PJobCreate*`	29 procedures in V10 sandbox	Creates JobQueue work so SQL can delegate object-layer behavior to the job service.
`BaseTree` view tables	`ITShopOrg` is a view over `BaseTree` where `UID_OrgRoot='QER-V-ITShopOrg'`	Many role/tree concepts are view-table projections over `BaseTree`.

Action-to-Method Map

This table is the practical bridge from "what action happened" to "what method/event/table is involved".

User/system action	Portal/API surface	Object-layer method/event	Main DB tables	Async processing
Add product to cart	`PortalCartitem.Post`, `PortalCartitem.createEntity`	cart item creation behavior	`ShoppingCartItem`, `ShoppingCartOrder`, `AccProduct`, `ITShopOrg`	validation may trigger API/object checks before persistence
Submit cart	`portal_cart_submit_post` / `/portal/cart/submit/{uidcart}`	`OrderShoppingCart`; then request creation and approval setup	`ShoppingCartItem`, `ShoppingCartOrder`, `PersonWantsOrg`	`DialogProcess`, `JobQueue`; observed `HandleObjectComponent` / `CallMethod`
Decide approval	`portal_itshop_decide_post`	`PersonWantsOrg.MakeDecision`	`PersonWantsOrg`, approval helper/history tables	process generation and downstream JobQueue
Deny approval	`portal_itshop_denydecision_post`	`PersonWantsOrg.DenyDecision`	`PersonWantsOrg`	process generation and downstream JobQueue
Escalate approval	`portal_itshop_escalate_post`	`PersonWantsOrg.Escalate`; event family includes `ESCALATE`	`PersonWantsOrg`	object-layer state transition and processes
Query requester	`portal_itshop_query_post`	`PersonWantsOrg.QueryToPerson`	`PersonWantsOrg`	mail/process work depending on workflow
Answer query	`portal_itshop_answerquery_post`	`PersonWantsOrg.AnswerFromPerson`	`PersonWantsOrg`	approval flow resumes through object layer
Recall decision	`portal_itshop_recalldecision_post`	`PersonWantsOrg.RecallDecision`	`PersonWantsOrg`	state and process updates
Reset reservation	`portal_itshop_resetreservation_post`	`PersonWantsOrg.ResetReservation`	`PersonWantsOrg`	object-layer state update
Move IT Shop product node	Manager/object method, `ITShopOrg` action	`ITShopOrg.MoveProductNode`	`BaseTree` / `ITShopOrg`	ShoppingRack/product-node recalculation may follow
Move shelf/board	Manager/object method, `ITShopOrg` action	`ITShopOrg.MoveBoard`	`BaseTree` / `ITShopOrg`	ShoppingRack recalculation
Remove from IT Shop boards	`DialogMethod.RemoveFromITShopBoards` on entitlement types	`RemoveFromITShop` style customizer behavior	`BaseTreeHas*`, entitlement table, `ITShopOrg`	product-node deletion/update work
Publish AD/LDAP group to IT Shop	seed/tooling or Manager publication action	Not a single method; requires service item, flags, shelf placement, product-node processing	`ADSGroup`/`LDAPGroup`, `AccProduct`, `AccProductGroup`, `BaseTreeHasADSGroup`/`BaseTreeHasLDAPGroup`, `BaseTree`	`QER_PITShopProductNodeCheck` / `QER_PITShopProductNodeCreate_b`; DBQueue ShoppingRack tasks
Create attestation cases	schedule/policy action	`AttestationPolicy.CreateAttestations`, `PrepareAttestations`	attestation policy/case tables	JobQueue and DBQueue through attestation processes

HandleObject Jobs from SQL

SQL cannot directly execute the object-layer logic that handles templates, customizer methods, scripts, and process generation. The QBM_PJobCreate* procedures are the bridge.

`HOCallMethod`

QBM_PJobCreate_HOCallMethod, _B, and _L create HandleObject CallMethod jobs.

Runtime behavior from VI.DB.dll:

1. Read ObjectType, MethodName, WhereClause, Param1, Param2, and additional numbered parameters.

2. Load matching entities through the object layer.

3. Resolve the named method by name/parameter count or typed signature.

4. Convert string job parameters to target .NET types where possible.

5. Load object/entity parameters by object key when needed.

6. Invoke the method and save if required by method behavior or explicit job parameters.

Important methods observed in shipped SQL/decompile evidence:

Method	Typical target	Interpretation
`MakeDecision`	`PersonWantsOrg`, `AttestationCase`	Approval/attestation decision.
`Abort`	`PersonWantsOrg`, `AttestationCase`	Abort request/case.
`ESCALATE` / `Escalate`	approval objects	Escalation path.
`Assign`, `Replace`, `Unsubscribe`, `Waiting`	`PersonWantsOrg`	IT Shop request state transitions.
`MakeDecisionOnInsertAsync`	`PersonWantsOrg`	Async decision logic after request insert.
`PrepareAttestations`	attestation policy objects	Build attestation cases.
`CompleteCasesUnderConstruction`	attestation case setup	Finish constructed attestation cases.

Rule: a method name existing is not enough. Check target table, row state, method enablement, parameter shape, and process context.

`HOFireEvent`

QBM_PJobCreate_HOFireEvent, _B, and _L create HandleObject FireEvent jobs.

Runtime behavior from VI.DB.dll:

1. Read ObjectType, Eventname, WhereClause, optional StartTime, and event parameters.

2. Load matching entities read-only.

3. Generate object-layer process chains for each entity/event.

4. Add __StartTime if supplied.

5. Commit generated job chains.

The event generator looks for generated event code like Event_<EventName>. So QBMEvent is discovery metadata, but execution also needs active JobEventGen, active JobChain, and generated event code.

Common event families:

Family	Examples
Generic object lifecycle	`INSERT`, `UPDATE`, `DELETE`, `Insert`, `Update`, `Delete`, `Read`
Assignment	`Assign`, `Remove`, `ASSIGN`, `REMOVE`
IT Shop and approval	`GRANTED`, `DENY`, `DISMISSED`, `ESCALATE`, `QUERYTOPERSON`, `ORDERGRANTED`, `ORDERREFUSED`, `REMEMBER_VALIDUNTIL`
Target-system lifecycle	`DEPROVISION`, `UNDO DEPROVISION`, `HANDLEOUTSTANDING`, `POSTSYNC`, `OVERLIMIT`
Service/maintenance	`EXECUTE`, `FROZENDETECT`, `OVERLIMITDETECT`, `OVERLIMITWARNING`, `CHECKVERSION`
Mail/report	`SENDMAIL`, `SENDRICHMAIL`, `GENERATEMAIL`, `PREVIEWMAIL`, `REMIND`

DBQueue Processing

DBQueue is the database-side recalculation and post-processing framework. In V10/9.3+, the Database Agent Service controls processing and slot distribution.

Important version boundary:

9.3 revised Database Agent Service processing.
Older training-slide assumptions about SQL Server Agent jobs and old slot-agent control must be treated as historical unless confirmed in V10.
V10 still uses DialogDBQueue, QBMDBQueueCurrent, QBMDBQueueTask, QBMDBQueueTaskDepend, and QBMDBQueuePond.

Live V10 procedure signatures:

Procedure	Purpose
`QBM_PDBQueueInsert_Single`	Add one task/object/subobject item.
`QBM_PDBQueueInsert_Bulk`	Add table-valued batch of `QBM_YDBQueueRaw` task items.
`QBM_PDBQueueInsert_Int`	Internal insert path used by the public wrappers.
`QBM_PDBQueueInsert_WaitForComp`	Wait/dependency helper by context and `GenProcID`.

Usage footprint in V10 sandbox:

Object type	`Single` references	`Bulk` references
SQL triggers	375	524
SQL stored procedures	55	97
SQL scalar functions	1	3

Negative slot numbers in V10 include more than older notes. Examples:

Slot	Meaning
`-1`	Synchronization is running for the object target system.
`-3`	JobQueue entries still exist for the object to calculate.
`-4`	Prerequisite DBQueue tasks still exist.
`-23`	Deadlock during processing.
`-24`	Runtime error during processing.
`-25`	Delta calculation overloaded.

IT Shop Structure

ITShopOrg is not a base table. It is a view over BaseTree filtered by UID_OrgRoot='QER-V-ITShopOrg'.

ITShopInfo	Meaning in sandbox	Notes
`SC`	Shopping Center	Referenced by shipped SQL; not currently present in the live sandbox tree.
`SH`	Shop root	Sandbox has `Identity & Access Lifecycle`.
`BO`	Board/shelf	Direct children under the shop root in this sandbox.
`PR`	Product node	Usually has `BaseTree.UID_AccProduct`.
`CU`	Customer node	Special validation; cannot freely change once customer assignments exist.

Important constraints:

Triggers validate that IT Shop nodes belong to the correct UID_OrgRoot.
BO below BO is not the right model in this sandbox; use service categories and product metadata for grouping.
AccProductInBaseTree exists but was empty in the sandbox. Actual product node availability was proven through BaseTree PR nodes and BaseTreeHas<EntitlementType> relations.

Making an Entitlement Requestable

The proven sandbox pattern for direct entitlement tables such as ADSGroup and LDAPGroup is:

Entitlement row exists from sync
  -> create/link AccProduct
  -> set entitlement.UID_AccProduct
  -> set entitlement.IsForITShop = 1
  -> keep IsITShopOnly depending on assignment policy
  -> insert BaseTreeHas<EntitlementType> link to a BO shelf
  -> DBQueue/ShoppingRack creates PR product node
  -> BaseTreeHas<EntitlementType> gains PR-node link too

For the sandbox AD and LDAP seeds, we intentionally used IsITShopOnly = 0 so direct assignment and IT Shop request paths can both be compared.

AD Group Publication Result

Object/relation	Count	Meaning
Catalog `AccProduct` rows	97	One service item per synced AD group.
`ADSGroup.IsForITShop=1`	97	Published to IT Shop.
`ADSGroup.IsITShopOnly=0`	97	Direct assignment remains possible.
BO shelf links	97	Initial shelf placement.
`PR` product nodes	97	Generated after product-node processing.

LDAP Group Publication Result

Object/relation	Count	Meaning
OpenDJ containers	16	Project-owned subtree under `ou=oim-managed,dc=ldap,dc=com`.
OpenDJ LDAP groups	41	Empty `groupOfNames` entitlement groups.
Project-created LDAP accounts	0	Accounts must be provisioned by OneIM account definitions.
Synced `LDAPGroup` rows	41	After user-triggered LDAP sync.
LDAP `AccProduct` rows	41	One service item per LDAP group.
`LDAPGroup.IsForITShop=1`	41	Published to IT Shop.
`LDAPGroup.IsITShopOnly=0`	41	Direct assignment remains possible.
BO placement links	41	Shelf placement through `BaseTreeHasLDAPGroup`.
PR placement links	41	Product-node links after processing.

LDAP shelves:

Shelf	Groups
`Sandbox LDAP Applications`	20
`Sandbox LDAP Platform Access`	6
`Sandbox LDAP Business Roles`	6
`Sandbox LDAP Access Bundles`	5
`Sandbox LDAP Distribution Lists`	4

Web Portal and API Server Findings

The Web Portal project under C:/Dev/IdentityManager.Imx/imxweb is an Angular/Nx frontend workspace. The backend API Server implementation is deployed separately; the frontend uses generated API clients.

Important generated endpoint correlations:

Endpoint/client concept	DB/object concept
`PortalShopServiceitems`	`AccProduct`, `AccProductGroup`, `ITShopOrg` visibility context.
`PortalCartitem`	`ShoppingCartItem`, `ShoppingCartOrder`, `PersonWantsOrg`, `AccProduct`, `ITShopOrg`.
`PortalItshopCart`	shopping cart state and `ITShopOrg`.
`PortalItshopApproveRequests`	`PersonWantsOrg` approval state.
`PortalServicecategories`	`AccProductGroup` and approval-policy/category metadata.

Confirmed runtime paths:

Client method	HTTP path
`imx_sessions_get('portal')`	`/imx/sessions/{appId}`
`imx_login_post('portal', ...)`	`/imx/login/{appId}`
`portal_shop_serviceitems_get`	`/portal/shop/serviceitems`
`portal_cartitem_post`	`/portal/cartitem`
`portal_cartitem_delete`	`/portal/cartitem/{UID_ShoppingCartItem}`
`portal_cart_submit_post`	`/portal/cart/submit/{uidcart}`

The controlled cart-submit trace proved:

POST /portal/cartitem creates a cart item.
POST /portal/cart/submit/{uidcart} validates and submits the cart.
On success, cart item is consumed and PersonWantsOrg is inserted.
The request receives a GenProcID.
DialogProcess and JobQueue rows are created.
Immediate JobQueue evidence showed VI.JobService.JobComponents.HandleObjectComponent / CallMethod.

Decompiled Method and Event Surface

Full decompile/index coverage:

Metric	Count
Assembly candidates	1,348
Decompiled managed assemblies	1,260
Decompiled `.cs` files scanned	145,636
Lines scanned	19,245,184
Method/function registrations	226
Custom-generated event registrations	28
Call/generate sites	228
`Event_*` references	26

High-value customizer findings:

Target	Methods/events	What this means
`PersonWantsOrg`	`Abort`, `MakeDecision`, `Escalate`, `Unsubscribe`, `DirectDecision`, `RecallDecision`, `CancelOrder`, `Prolongate`, `Reserve`, `ResetReservation`, `QueryToPerson`, `AnswerFromPerson`, `FillOrder`, `Replace`, `Assign`, `Waiting`, `MakeDecisionOnInsertAsync`	Request approval/order actions are state-machine methods. Do not mutate request state directly in SQL.
`PersonWantsOrg` events	`Granted`, `Dismissed`, `OrderGranted`, `OrderRefused`, `Aborted`, `Canceled`, `Escalate`, `Direct`, `Recall`, `Deny`, `RecallQuery`	Events are generated from workflow state changes and process generation.
`ITShopOrg`	`MoveProductNode`, `MoveProducts`, `MoveBoard`, `MoveShop`, `DeleteBoard`	Method legality depends on `ITShopInfo` (`PR`, `BO`, `SH`).
`ITShopProductCustomizer`	`RemoveFromITShop`	Removing products from shelves is object-layer behavior, not just deleting a relation row.
`AttestationCase`	`Reserve`, `ResetReservation`, `Abort`, `Escalate`, `CancelAttestation`, `MakeDecision`, `DirectDecision`, `RecallDecision`, query/answer methods	Attestation approval is structurally similar to IT Shop approval.
`AttestationPolicy` / group	`CreateAttestations`, `PrepareAttestations`, `CompleteCasesUnderConstruction`	SQL delegates heavy attestation setup/completion through object-layer jobs.

Database Relation Index

The decompile index was joined with live DB metadata. The generated evidence index now connects:

DialogMethod -> DialogObjectHasMethod -> DialogObject -> DialogTable;
QBMEvent -> JobEventGen -> JobChain;
SQL modules and triggers referencing QBM_PJobCreate*;
extracted HOCallMethod and HOFireEvent calls;
QBM_PDBQueueInsert_Single / _Bulk call sites;
DBQueue task IDs linked to QBMDBQueueTask where the task is literal;
Angular service/component usage -> generated API endpoints -> inferred DB/object concepts.

Relation counts:

Relation type	Count
`DialogMethod` table/object relations	71
`QBMEvent` rows	353
`JobEventGen` rows	400
`QBMDBQueueTask` rows	337
SQL modules with JobCreate/DBQueue references	1,134
Triggers with JobCreate/DBQueue references	918
Parent tables with those triggers	268
Extracted concrete `HOCallMethod` calls	120
Extracted concrete `HOFireEvent` calls	72
Extracted DBQueue insert call sites	6,004

Practical Troubleshooting Patterns

A product does not show in Web Portal

Check in this order:

1. Entitlement row exists and is not marked for deletion.

2. IsForITShop = 1.

3. UID_AccProduct points to a valid AccProduct.

4. AccProduct.IsInActive = 0.

5. AccProduct.IsToHideFromITShop = 0.

6. Entitlement has a BO shelf link in BaseTreeHas<type>.

7. Corresponding ITShopOrgHas<type> view sees the relation.

8. PR product node exists under the BO shelf.

9. There is also a PR-node BaseTreeHas<type> link after processing.

10. DBQueue has no stuck ShoppingRack/ProductNode tasks.

11. Portal requestability is checked for the current user and permissions, not globally.

A request action fails or does nothing

Check:

1. Was the action invoked through API/object layer or direct SQL?

2. Is the object in a state where the method is enabled?

3. Does DialogMethod expose it for the UI, or is it customizer-only?

4. If SQL used HOCallMethod, do parameter count/types match?

5. Does the method have ChangesExternalState, NeedsSaving, or state-machine guards?

6. Was a GenProcID generated and can it be followed into DialogProcess and JobQueue?

A fired event does not generate work

Check:

1. Does (DialogTable.TableName, QBMEvent.EventName) exist?

2. Does JobEventGen map it to a JobChain?

3. Is JobChain.NoGenerate = 0?

4. Is the chain or table deactivated by preprocessor?

5. Does generated runtime event code exist, typically Event_<EventName>?

6. Did the process generation context include required parameters?

DBQueue seems stuck

Check:

1. DialogDBQueue and QBMDBQueueCurrent for task/object/subobject.

2. Negative slot number and V10 meaning.

3. QBMDBQueueTask procedure and dependencies.

4. Whether synchronization is running for the same target system (-1 scenario).

5. Remaining JobQueue entries for the object (-3 scenario).

6. Runtime/deadlock/overload slots (-23, -24, -25).

7. Database Agent Service health.

Safe Implementation Rules for Agents

Prefer API Server/object-layer actions for request, approval, attestation, and account-definition provisioning.
Use direct DB DML only for controlled sandbox research or when no supported route is available, and always capture before/after snapshots.
Do not create LDAP accounts directly for the LDAP Shop test; accounts should be provisioned by OneIM account definitions.
Do not assume DialogMethod is complete. Cross-check decompiled customizer registrations for non-UI methods.
Do not assume a QBMEvent row means process execution. Check JobEventGen, active JobChain, and generated event code.
Do not model IT Shop shelves as nested BO under BO in this sandbox. Use categories and metadata instead.
Do not use old 9.2.x DBQueue slot-control slides as V10 truth without confirmation.

Key Evidence Pages

Topic	Evidence
DBQueue and `QBM_PJobCreate`	`projects/identity-management/knowledge-base/oim-dbqueue-and-object-layer-jobs.md`
IT Shop DB structure	`projects/identity-management/knowledge-base/oim-it-shop-structure-and-availability.md`
Web Portal/API Server	`projects/identity-management/knowledge-base/oim-web-portal-api-server-project.md`
Decompiled method/event surface	`projects/identity-management/oim-kb-update/local-app/2026-04-27-oim-decompiled-method-event-evidence.md`
Full decompile index	`projects/identity-management/oim-kb-update/local-app/2026-04-27-oim-full-decompile-index-evidence.md`
DB trigger/method/event relations	`projects/identity-management/oim-kb-update/sandbox-db/2026-04-27-oim-db-trigger-method-event-relations.md`
Web Portal endpoint map	`projects/identity-management/oim-kb-update/local-app/2026-04-27-webportal-endpoint-map-evidence.md`
Cart submit trace	`projects/identity-management/oim-kb-update/sandbox-db/2026-04-27-webportal-cart-submit-snapshots.md`
Product node creation	`projects/identity-management/oim-kb-update/sandbox-host/2026-04-27-itshop-productnodecheck-and-prnodecreate-shipped-sql-evidence.md`
LDAP Shop seed/publication	`projects/identity-management/ldap-shop-seeding/README.md`
AD Shop seed/publication	`projects/identity-management/ad-shop-seeding/README.md`

Open Work

Trace one approval action end-to-end like the cart-submit trace.
Resolve variable method/event names in shipped SQL by parsing local variable assignments.
Add backend Composition API class names for /portal/cart/submit/{uidcart} and approval endpoints.
Build a GenProcID trace report that joins PersonWantsOrg, DialogProcess, DialogProcessStep, JobQueue, and JobHistory.
Expand customizer method correlation to more modules (PAG, POL, RPS, SAP, TSB, UNS, target-system modules).
Test LDAP account-definition provisioning and then compare direct membership import vs IT Shop assignment origin.