OIM KB Update

Scheduled research project for building durable One Identity Manager knowledge, with primary focus on IT Shop structure, shop availability, and the DB objects behind requestable entitlements.

Research Focus

Priority topics:

1. IT Shop structure and hierarchy:

ITShopOrg
ITShopInfo
shop, shelf, product, and customer-node semantics
required predecessor relationships

2. Service items and service categories:

AccProduct
AccProductGroup
required category assignment for shop availability

3. Entitlement availability:

entitlement-specific "IT Shop" flags and assignment tables
what makes an AD group, system role, or other entitlement requestable
required AccProduct links and product-node links

4. DB behavior:

triggers
stored procedures
templates
validation messages and rollback patterns

5. Development and troubleshooting:

safe sandbox DML patterns
Object Browser / Manager equivalents
sync and provisioning diagnosis
common IT Shop misconfiguration symptoms

6. Local product sources:

MDK/SDK material on the sandbox host, especially C:\Dev\OneIM10.0.0-MDK\MDK
installed One Identity Manager binaries and configuration under C:\Dev\OneIdentityManager.10.0
scripts, schema metadata, templates, and examples that explain DB behavior better than public docs alone

Source Priority

For every target question, prefer in this order:

1. Live sandbox DB on im.sandbox.local (authoritative for this environment).

2. OneIM MDK / SDK on the sandbox host, version-matched to the sandbox (C:\Dev\OneIM10.0.0-MDK\MDK, C:\Dev\OneIdentityManager.10.0).

3. Vendor docs (One Identity Manager 10.0 LTS technical documents).

A question is not "answered" until live-DB shape, real row examples, and relevant trigger/constraint definitions are recorded under sandbox-db/.

Open Deltas

Track MDK/SDK ↔ live-DB disagreements here so they don't get lost between runs. (Empty until the first delta is observed.)

Sandbox Rules

The automation may use the sandbox host directly for validation and experiments. Each substantive run should learn from the live sandbox database unless there is a clear reason to skip it; if skipped, note why. Useful DB learning includes schema inspection, existing row comparison, trigger/procedure lookup, validation-error reproduction, and checking how synced AD groups/system roles become requestable.

It may create temporary test rows or changes when useful, but must record what changed and roll back test changes when they break behavior or are only exploratory.

Host-local source paths to inspect through the sandbox helpers when relevant:

C:\Dev\OneIM10.0.0-MDK\MDK
C:\Dev\OneIdentityManager.10.0

Known recovery point:

Full database backup: C:\Dev\OneIM.bak

Do not store credentials in this project. Use the existing sandbox credential helpers and DPAPI cache.

Output Rules

Each run should prefer compact, cumulative notes over noisy logs:

Add or update markdown under this project or projects/identity-management/knowledge-base/.
Cite source URLs and access dates for external sources.
Record live sandbox findings separately from documentation claims.
For DB findings, include table names, important columns, required values, and observed validation errors.
Run brain/scripts/Build-Brain.ps1 after markdown changes.
Add a short coordination journal entry for nontrivial sandbox changes.

Runs

Current Target Questions

✅ Which ITShopOrg.ITShopInfo values are valid for each node type? → SC/SH/BO/PR/CU; trigger enforces allow-list; BG/BT exist in MDK but not in this sandbox.
✅ Which ITShopOrg columns are mandatory for shop, shelf, product, and customer nodes? → Ident_Org, UID_ITShopOrg/UID_Org, UID_OrgRoot, XObjectKey (NOT NULL in BaseTree).
✅ Which AccProduct columns must be populated for a requestable product? → Only UID_AccProduct + XObjectKey (NOT NULL). All others nullable or default 0. Ident_AccProduct and UID_AccProductGroup optional but recommended.
✅ Is AccProduct.UID_AccProductGroup mandatory for shop availability in this sandbox? → No; 7/16 existing PR nodes have products without service categories.
✅ Which entitlement tables contain the IT Shop availability flag for AD groups and system roles? → ADSGroup (IsForITShop, IsITShopOnly); ESet (same); and ~10 other entitlement tables. AccProduct has IsToHideFromITShop (portal-side, default 0, no DB enforcement observed).
✅ Which link tables connect entitlements to AccProduct and ITShopOrg product nodes? → BaseTreeHasADSGroup (ADSGroup ↔ BO shelf); BaseTreeHasObject (PR node ↔ ObjectKey); ITShopOrgHasADSGroup view filters BaseTreeHasADSGroup on IT Shop subtree. AccProductInBaseTree exists but is empty in this sandbox.
✅ Which triggers or stored procedures enforce IT Shop consistency? → QER_TIBaseTree/QER_TUBaseTree (ITShopInfo allow-list, ShoppingRack enqueue); ADS_TUAdsGroup (IsForITShop/uid_accproduct changes); QER_PIsForITShopFlagCheck (flag consistency validation); QER_PITShopProductNodeCreate_b (PR node creation via ShoppingRack DBQueue).
✅ What is the smallest valid SQL/API sequence to make a synced AD group requestable in the IT Shop? → 5 steps: (1) INSERT AccProduct, (2) UPDATE ADSGroup.UID_AccProduct, (3) UPDATE ADSGroup.IsForITShop=1, (4) INSERT BaseTreeHasADSGroup on BO shelf, (5) DBQueue QER-K-ShoppingRackProductNode creates PR node. See sandbox-db/2026-04-27-adsgroup-publish-sequence-db-evidence.md.
✅ Which MDK/SDK examples or shipped metadata files document or imply the correct implementation path? → QER IT Shop procs on sandbox host (e.g. QER_ZITShopCheckStructure.sql, QER_ZITShopCheckMethodPR.sql, QER_FTMethodForPRNode.sql); ADS StartupContent AutoFillDisplayName references; AutoPublish ADSGroup config-param scripts; plus SDK ScriptSamples showing a supported object-layer way to create/remove ITShopOrg shops and customer nodes.
How do shipped OneIM 10 triggers/procs choose between QBM_PDBQueueInsert_Single and QBM_PDBQueueInsert_Bulk, especially for ShoppingRack and IT Shop publish/update flows?
Which QBM_PJobCreate* calls are part of QER_PITShopProductNodeCreate_b / ShoppingRack processing, and which object-layer operations are intentionally delegated from SQL to the Job queue?
✅ Which DialogMethod rows vs object-layer/customizer methods are safe/appropriate to invoke through QBM_PJobCreate_HOCallMethod*, and where are non-DialogMethod customizer methods documented in MDK/SDK material? → DialogMethod is only the UI-visible catalog; decompiled customizer assemblies show broader callable methods such as PersonWantsOrg.MakeDecision, AttestationCase.MakeDecision, AttestationPolicy.PrepareAttestations, and ITShopOrg.MoveBoard. State and method behavior still decide whether a call is valid.
✅ For any proposed QBM_PJobCreate_HOFireEvent* call, which (TableName, EventName) row in QBMEvent and which JobEventGen / JobChain rows prove what process work will be generated? → Check (TableName, EventName) in QBMEvent, active JobEventGen/JobChain, and remember that runtime generation looks for Event_<EventName>; a catalog row alone is not sufficient proof of generated work.
✅ How does a Web Portal cart submit relate to object-layer processing and DB/job tables? → Generated Angular API method portal_cart_submit_post calls /portal/cart/submit/{uidcart}; live submit inserted PersonWantsOrg, recorded DialogProcess, and queued JobQueue HandleObjectComponent/CallMethod under the same GenProcID.
Where is the documented OneIM 10 QBM\DBQueue\MaxSlotsPerTask configuration surfaced in this sandbox, given that the current DialogConfigParm snapshot did not return it?
Which negative QBMDBQueueCurrent.SlotNumber values occur during controlled AD sync, IT Shop publish, and ShoppingRack refresh tests in this OneIM 10 sandbox?