Source: projects/identity-management/knowledge-base/oim-web-portal-api-server-project.md

> Source: projects/identity-management/knowledge-base/oim-web-portal-api-server-project.md

OIM Web Portal and API Server Project Knowledge Base

Scope

This note summarizes the sandbox Web Portal/API Server project discovered at C:\Dev\IdentityManager.Imx, and correlates it with the existing sandbox DB and decompiled object-layer research.

The project is an Angular/Nx frontend workspace for One Identity Manager 10.0 Web Portal-style applications. The backend API Server itself is not implemented in this source tree; the frontend consumes https://im.sandbox.local/ApiServer through generated OneIM API clients.

Primary Sources

Sandbox host source tree: C:\Dev\IdentityManager.Imx\imxweb, inspected 2026-04-27.
Frontend configuration:
imxweb\package.json
imxweb\angular.json
imxweb\nx.json
imxweb\projects\qer-app-portal\src\appconfig.json
imxweb\projects\qer-app-portal\src\environments\environment*.ts
Portal documentation:
imxweb\projects\qer-app-portal\README.md
imxweb\projects\qer\README.md
imxweb\projects\qer\additionalDocumentation\it-shop.md
imxweb\projects\qbm\README.md
imxweb\projects\custom-app\readme.md
Local decompile index:
projects/identity-management/oim-kb-update/local-app/oim-decompile-index-data.json
projects/identity-management/oim-kb-update/local-app/oim-decompile-index.html
Existing DB evidence:
projects/identity-management/oim-kb-update/sandbox-db/2026-04-27-oim-db-trigger-method-event-relations.md
projects/identity-management/oim-kb-update/sandbox-db/2026-04-27-pjobcreate-method-event-evidence.md
projects/identity-management/oim-kb-update/sandbox-db/2026-04-27-dbqueue-pjobcreate-procedure-evidence.md
projects/identity-management/oim-kb-update/sandbox-db/2026-04-27-itshop-productnode-jobcreate-and-dbqueueinsert-db-evidence.md
projects/identity-management/oim-kb-update/sandbox-db/2026-04-27-adsgroup-publish-sequence-db-evidence.md

Workspace Shape

C:\Dev\IdentityManager.Imx\imxweb is an Angular 20/Nx 21 workspace named imxweb with package version 10.0.0.

Main applications:

qer-app-portal: Web Portal.
qer-app-pwdportal: Password reset portal.
qbm-app-landingpage: landing page application.
custom-app: starter/custom application shell.

Main libraries:

qbm: base web framework, CDR, API client setup, table/schema helpers, translation, theming, messages, SQL wizard, samples.
qer: identity management base library, including IT Shop, requests, identities, roles, resources, responsibilities, and approval UI.
Additional module libraries include aad, aob, apc, att, cpl, dpr, hds, iqc, olg, pol, qam, rmb, rms, rps, sac, and tsb.

The frontend uses generated API packages such as @imx-modules/imx-api-qbm and @imx-modules/imx-api-qer. These are the main bridge from Angular components/services to API Server endpoints.

Runtime Bootstrap

The Web Portal app configuration sets:

Title: Web Portal
WebAppIdentifier: portal
WebAppIndex: portal
route config:
login route: empty path
start route: dashboard
supported translation languages: en-US, de-DE, de, en

The environment files point the portal to:

clientUrl: https://im.sandbox.local/ApiServer
appName: qer-app-portal

The frontend startup path is:

1. qer-app-portal/src/app/app.service.ts reads the environment and initializes common services.

2. qbm/src/lib/appConfig/appConfig.service.ts loads appconfig.json, creates the base QBM V2Client and ApiClient, and loads API schema metadata.

3. qer/src/lib/qer-api-client.service.ts lazily creates the QER V2Client and typed client using the QBM schema provider and API client.

4. Feature services call generated typed endpoints or lower-level client.* methods.

The important architectural point is that the frontend is schema/API driven. It does not encode SQL behavior directly. Database writes and workflow actions are mediated by API Server and the OneIM object layer.

Web Portal Functional Areas

The portal README and app module show these major user-facing areas:

Requests and IT Shop shopping cart.
Approval tasks and inquiries.
Request history and archived requests.
Data Explorer and My Responsibilities.
Identity/profile/delegation views.
Service item, service category, product bundle, resource, role, risk, and request configuration editors.
Attestation, policy, compliance, reports, statistics, source detective, and queue status modules depending on installed libraries.

qer-app-portal/src/app/app.module.ts wires the app by importing many QBM/QER modules, including NewRequestModule, ProductSelectionModule, ShoppingCartModule, ApprovalsModule, RequestHistoryModule, ArchivedRequestsModule, ServiceCategoriesModule, ServiceItemsEditModule, ItshopPatternModule, MyResponsibilitiesViewModule, DataExplorerViewModule, and QueueStatusComponent.

IT Shop Frontend Flow

The IT Shop documentation under projects\qer\additionalDocumentation\it-shop.md describes the request path as:

1. NewRequestComponent starts the request lifecycle.

2. Product discovery is split across:

NewRequestProductComponent: products by service category.
NewRequestPeerGroupComponent: recommended products/org structures from peer group context.
NewRequestReferenceUserComponent: service items/org structures from a reference user.
NewRequestProductBundleComponent: bundles.

3. Request parameters are transformed by ParameterDataService and edited by CartItemEditComponent.

4. ShoppingCartComponent lets the user validate, edit, delete, save for later, and submit cart items.

5. ApprovalsComponent and InquiriesComponent handle approval and inquiry work.

6. RequestHistoryComponent plus RequestActionService handles request history and user actions.

7. ArchivedRequestsComponent shows archived request data.

8. Setup/admin views edit product bundles, service categories, and service items.

API Endpoint Surface Observed in the Frontend

Important IT Shop and request endpoints surfaced by frontend services:

Product discovery:
PortalShopServiceitems.Get
PortalShopServiceitems.GetSchema
PortalItshopPeergroupMemberships.Get
portal_itshop_requests_parameter_candidates_post
portal_itshop_requests_parameter_candidates_filtertree_post
Shopping cart:
PortalItshopCart.Get
PortalCartitem.Get
PortalCartitem.GetSchema
PortalCartitem.createEntity
PortalCartitem.Post
portal_cart_submit_post
portal_cartitem_delete
portal_cartitem_move_post
portal_itshop_cart_delete
Approvals and inquiries:
PortalItshopApproveRequests.Get
PortalItshopApproveRequests.GetSchema
PortalItshopApproveRequestsInteractive.Get_byid
portal_itshop_approve_requests_datamodel_get
portal_itshop_decide_post
portal_itshop_denydecision_post
portal_itshop_directdecision_post
portal_itshop_escalate_post
portal_itshop_additional_post
portal_itshop_revokeadditional_post
portal_itshop_insteadof_post
portal_itshop_revokedelegation_post
portal_itshop_query_post
portal_itshop_answerquery_post
portal_itshop_recalldecision_post
portal_itshop_recallquery_post
portal_itshop_resetreservation_post
Service categories and service items:
PortalServicecategories.Get
PortalServicecategories.GetSchema
PortalServicecategories.createEntity
portal_servicecategories_delete
PortalServiceitemsTags.Get
portal_serviceitems_tags_add_post
portal_serviceitems_tags_delete

Other portal areas use endpoints such as portal_hyperview_get, portal_statistics_*, PortalSysteminfoThirdparty.Get, and PasswordresetSysteminfoThirdparty.Get.

Correlation to DB Tables

The frontend endpoint names are portal API abstractions, not direct SQL table names. The underlying OneIM concepts still map to familiar database objects.

Observed likely correlations:

Portal / API concept	DB / object-layer concept	Evidence level
`PortalShopServiceitems`	requestable service items, mainly `AccProduct` plus category and IT Shop visibility context	strong frontend + DB concept match
service category UI	`AccProductGroup`	strong
service item editor	`AccProduct`	strong
product/shop/bundle setup	`ITShopOrg`, `ITShopInfo`, `BaseTree`, `BaseTreeHasObject`, entitlement link views/tables	strong from DB evidence
cart item	shopping cart item/request staging, then request workflow; likely `ShoppingCartOrder` and `PersonWantsOrg` during submit	medium; API abstraction requires backend endpoint trace for exact write sequence
approval request	`PersonWantsOrg` request approval state	strong from frontend method names and decompiled customizer methods
attestation approval modules	`AttestationCase` and `AttestationPolicy`	strong from DB/decompile evidence

Live API evidence now upgrades the cart-submit row from medium to strong:

POST /portal/cartitem created ShoppingCartItem d3f6ac6e-d16f-4ec2-bbc4-4e154f753ea9.
POST /portal/cart/submit/a047ce52-cbf4-4a14-bffa-3fc8dd5d08a0 with submit mode 2 returned Submitted = true.
The submit consumed/deleted the cart item and inserted PersonWantsOrg f70d4d0d-2f02-4c39-b157-260bc82c8748.
The request received GenProcID = 0d9a014b-30aa-4c21-bdaa-7b9fa589157a, followed by DialogProcess and JobQueue rows.
Immediate JobQueue evidence showed VI.JobService.JobComponents.HandleObjectComponent / CallMethod.

The existing DB evidence shows that IT Shop availability and product publication still depend on DB structure:

AccProduct represents service items.
AccProductGroup represents service categories, but the sandbox proved it is not strictly mandatory for shop availability.
ITShopOrg nodes model shops, shelves, product nodes, and customer nodes.
ITShopInfo identifies node semantics such as SC, SH, BO, PR, and CU in this sandbox.
BaseTreeHasADSGroup, BaseTreeHasObject, ITShopOrgHasADSGroup, and related entitlement link tables/views connect entitlements, shelves, and product nodes.
QER_PITShopProductNodeCreate_b and ShoppingRack DBQueue processing create product nodes after entitlement publication.

Correlation to Object-Layer Methods and Events

The approval endpoint names closely match decompiled PersonWantsOrg customizer methods. This is the most important relationship between the Web Portal and the previously decompiled project.

Web Portal/API action	Decompiled/customizer method correlation
`portal_itshop_decide_post`	`PersonWantsOrg.MakeDecision`
`portal_itshop_escalate_post`	`PersonWantsOrg.Escalate` / DB event spelling `ESCALATE`
`portal_itshop_denydecision_post`	`PersonWantsOrg.DenyDecision`
`portal_itshop_directdecision_post`	`PersonWantsOrg.DirectDecision`
`portal_itshop_additional_post`	`PersonWantsOrg.AddAdditional`
`portal_itshop_revokeadditional_post`	`PersonWantsOrg.RevokeAdditional`
`portal_itshop_insteadof_post`	`PersonWantsOrg.AddInsteadOf`
`portal_itshop_revokedelegation_post`	`PersonWantsOrg.RevokeDelegation`
`portal_itshop_query_post`	`PersonWantsOrg.QueryToPerson`
`portal_itshop_answerquery_post`	`PersonWantsOrg.AnswerFromPerson`
`portal_itshop_recalldecision_post`	`PersonWantsOrg.RecallDecision`
`portal_itshop_recallquery_post`	`PersonWantsOrg.RecallQuery`
`portal_itshop_resetreservation_post`	`PersonWantsOrg.ResetReservation`
`portal_cart_submit_post`	`OrderShoppingCart`

The decompile index also found other PersonWantsOrg methods relevant to request state changes:

Abort
AbortOrder
Unsubscribe
CancelOrder
SetDecisionStart
Prolongate
Reserve
FillOrder
Replace
Assign
Waiting
PrepareForMethod
MakeDecisionOnInsertAsync
AddHistoryEntry

For IT Shop structure administration, decompiled ITShopOrg methods include:

MoveProductNode
MoveProducts
MoveBoard
MoveShop
DeleteBoard

These methods are gated by ITShopInfo semantics and should not be treated as generic row updates.

Correlation to DBQueue and QBM_PJobCreate

The Web Portal calls API Server, not stored procedures directly. The stored procedure relationship appears one layer deeper:

1. Portal Angular service calls a generated API Server endpoint.

2. API Server uses generated schema/object-layer endpoints.

3. Object-layer methods and events apply request, approval, attestation, or IT Shop logic.

4. DB triggers/procedures enqueue DBQueue tasks or create jobs when asynchronous database or process work is required.

Existing research found:

DialogMethod is only the UI-visible method catalog. Decompiled customizer classes expose more callable methods than DialogMethod alone.
QBM_PJobCreate_HOCallMethod* is used when SQL has to delegate object-layer method execution to the Job queue.
QBM_PJobCreate_HOFireEvent* requires proof from QBMEvent plus active JobEventGen / JobChain; a catalog row alone is not proof that useful process work will be generated.
Existing relation index counts:
71 DialogMethod table relations.
353 QBMEvent rows.
400 JobEventGen rows.
337 DBQueue tasks.
918 relevant triggers across 268 tables.
120 extracted HOCallMethod calls.
72 extracted HOFireEvent calls.
6004 extracted DBQueue insert calls.

For IT Shop request and approval workflows, the frontend endpoint names reinforce the previous conclusion: safe workflow execution should happen through API Server/object-layer methods or supported tools, not by directly mutating request-state columns in SQL.

The live cart-submit trace showed this concrete path:

Angular CartItemsService.submit()
  -> generated API method portal_cart_submit_post
  -> API Server /portal/cart/submit/{uidcart}
  -> object-layer cart submit behavior
  -> PersonWantsOrg insert
  -> DialogProcess rows by GenProcID
  -> JobQueue HandleObjectComponent/CallMethod

The trace also confirms that submit validation is enforced before request creation. A controlled attempt to submit Delete Active Directory group without its required Active Directory group to delete parameter returned HasInvalidParameters = true, HasErrors = true, and Submitted = false.

Practical Guidance

Use the Web Portal/API Server path for workflow actions:

Submit requests through cart/API behavior, not direct inserts into request-state tables.
Approve, deny, escalate, query, and recall through API/object-layer methods because the customizer methods update state, history, permissions, and downstream process generation together.
Treat PersonWantsOrg methods as state-machine operations, not simple persistence helpers.

Use DB structure knowledge for publication and diagnostics:

To make an entitlement requestable, validate the entitlement flag, AccProduct link, shelf assignment, and product-node creation path.
For AD groups in the sandbox, the proven minimal publication sequence is still:

1. create/link AccProduct;

2. set ADSGroup.UID_AccProduct;

3. set ADSGroup.IsForITShop = 1;

4. assign the group to a BO shelf through the correct base-tree relation;

5. let ShoppingRack DBQueue create the PR product node.

The portal will only surface what API Server considers requestable for the current person, shelf/category filter, lifecycle state, permissions, and visibility flags.

Use the custom-app project as the safe starting point for custom frontend extensions:

It already shows how to configure appconfig.json, login/start routes, environment clientUrl, and the QBM login/session stack.
Do not bypass AppConfigService, schema loading, or generated typed clients unless there is a specific integration reason.

Known Limits

The API Server backend implementation was not found in C:\Dev\IdentityManager.Imx\imxweb; this tree is the frontend and generated client workspace. The deployed backend is under C:\inetpub\wwwroot\ApiServer.
Exact endpoint-to-table write sequences still require per-endpoint live traces. The cart submit path has now been validated; approval actions still need equivalent traces.
Some names are generated API abstractions, so endpoint names must not be treated as physical DB table names without schema confirmation.

Next Experiments

Trace one approval action (portal_itshop_decide_post) with the same before/after snapshot approach used for cart submit.
Decompile or inspect QER.CompositionApi.dll / QER.CompositionApi.Server.PlugIn.dll in more detail to locate the backend endpoint handler classes for /portal/cart/submit/{uidcart} and approval endpoints.
Extend the generated endpoint map with backend assembly class names once those composition API handlers are identified.
Add a focused GenProcID trace view that joins PersonWantsOrg, DialogProcess, DialogProcessStep, JobQueue, and JobHistory.