Run 2026-04-27 (10)

Focus: tighten “IT Shop availability troubleshooting” around concrete DB joins (BaseTreeAssign → DialogTable) and DBQueue task metadata (QBMDBQueueTask/QBMDBQueueTaskDepend), plus pinpoint shipped sources for “compile database”.

What I did

Live sandbox DB (SELECT-only):
Verified ITShopOrg is a view on BaseTree filtered by UID_OrgRoot='QER-V-ITShopOrg'.
Confirmed BaseTreeAssign table schema and how to resolve it to actual table names via DialogTable.
Queried QBMDBQueueTask and QBMDBQueueTaskDepend for ShoppingRack/PR node refresh behavior.
Re-checked AutoPublish ADSGroup effective evaluation via QBM_FGIConfigparmValue.
Sandbox host (WinRM, read-only):
Located shipped SQL definitions for BaseTreeAssign, QBMDBQueueTask, and QBMDBQueueTaskDepend.
Located shipped QBM_PRecompileAll.sql as a concrete “compile” anchor.
Located MDK helper scripts showing how BaseTreeAssign is inserted/extended and how PR nodes are identified via ITShopInfo='PR'.
Vendor docs:
Collected official docs that explicitly describe AutoPublish + compile + the “what happens” pipeline for adding system entitlements to the IT Shop.

Key findings (sandbox-specific)

BaseTreeAssign does not carry TableName directly; it references DialogTable rows:
BaseTreeAssign.UID_DialogTableElement → DialogTable.UID_DialogTable (e.g. ADS-T-ADSGroup)
BaseTreeAssign.UID_DialogTableMN → MN assignment table (e.g. ADS-T-BaseTreeHasADSGroup)
The PR-node refresh task has explicit metadata and dependencies:
QER-K-ShoppingRackProductNode uses QER_ZITShopCheckMethodPR and a built-in “recalc query” (… where ITShopInfo='PR').
It depends physically on QER-K-AccProductGroupCollection and QER-K-ShoppingRackMethod (via QBMDBQueueTaskDepend).
AutoPublish ADSGroup remains disabled effectively in this sandbox:
QBM_FGIConfigparmValue('QER\\ITShop\\AutoPublish') returns 1
QBM_FGIConfigparmValue('QER\\ITShop\\AutoPublish\\ADSGroup') returns empty (because DialogConfigParm.IsEnabledResulting=0 on the ADSGroup node).

Evidence

Live DB evidence updated:
projects/identity-management/oim-kb-update/sandbox-db/2026-04-27-itshop-autopublish-adsgroup-flags-db-evidence.md (effective values via QBM_FGIConfigparmValue)
projects/identity-management/oim-kb-update/sandbox-db/2026-04-27-itshop-availability-db-evidence.md (task dependencies + PR refresh details)
Sandbox host evidence updated:
projects/identity-management/oim-kb-update/sandbox-host/2026-04-27-itshop-file-hints.md (shipped table defs + MDK helper hits)
KB note updated:
projects/identity-management/knowledge-base/oim-it-shop-structure-and-availability.md (BaseTreeAssign join + DBQueue dependency hints + new doc links)

Vendor docs

IT Shop Admin Guide (9.1.1): “Adding system entitlements automatically to the IT Shop” (Accessed: 2026-04-27)

https://support.oneidentity.com/technical-documents/identity-manager/9.1.1/it-shop-administration-guide/setting-up-an-it-shop-solution/adding-system-entitlements-automatically-to-the-it-shop

IT Shop Admin Guide (9.0 LTS): “Configuration parameters for the IT Shop” (Accessed: 2026-04-27)

https://support.oneidentity.com/technical-documents/identity-manager/9.0%20lts/it-shop-administration-guide/configuration-parameters-for-the-it-shop

One Identity Manager 10.0 Administration Guide for One Identity Active Roles Integration (PDF) (Accessed: 2026-04-27)

https://support-public.cfm.quest.com/82084_one-identity-manager_active-roles-integration_10.0.pdf

Open questions / next experiments

Supported, end-to-end “AD group becomes requestable” in this sandbox still needs a controlled experiment:

1. Enable QER\\ITShop\\AutoPublish\\ADSGroup in Designer.

2. Compile the database.

3. Re-sync a seeded AD group that is not excluded by ExcludeList.

4. Observe creation/updates across: ADSGroup.UID_AccProduct → AccProduct/category assignment → BaseTreeHasADSGroup placement under IT Shop shelves → ShoppingRack task activity.