Source: projects/identity-management/oim-kb-update/runs/2026-04-27-11.md

> Source: projects/identity-management/oim-kb-update/runs/2026-04-27-11.md

OIM KB Update — Run 2026-04-27 (11)

Method

• Sandbox DB: SELECT-only via scripts/sandbox/Invoke-SandboxSql.ps1 (direct TCP SQL).
• Sandbox host: WinRM over HTTP 5985 (read-only file inspection), focused on shipped module dumps + MDK helper SQL.
• No sandbox mutations.

Key findings (new/confirmed)

1) ITShopOrg is a view on BaseTree filtered by UID_OrgRoot='QER-V-ITShopOrg' (confirmed)

• Live DB: dbo.ITShopOrg is a VIEW.
• View tail shows the filter:
• from BaseTree where UID_OrgRoot = 'QER-V-ITShopOrg'

2) IT Shop subtree node codes in this sandbox (confirmed)

• Live DB: in the IT Shop subtree, only ITShopInfo codes SH, BO, CU, PR occur.
• Live DB: PR nodes join to AccProduct via BaseTree.UID_AccProduct.
• Live DB: 7/16 PR nodes reference products with no AccProduct.UID_AccProductGroup (categories not required for PR nodes here).

3) “IT Shop Source” exists but is compiled out via preprocessor ITSHOPSOURCE (new)

Live DB:

• DialogTable.TableName='ITShopSrcHasADSGroup' has PreProcessorCondition='ITSHOPSOURCE' and IsDeactivatedByPreProcessor=1.
• dbo.ITShopSrcHasADSGroup view definition is compiled to where 1 = 0.

Sandbox host evidence:

• ADS StartupContent.xml contains Connection.GetConfigParm("QER\\ITShop\\AutoPublish\\ADSGroup\\AutoFillDisplayName") under #If ITSHOP Then.
• ADS module dump references ADS-T-ITShopSrcHasADSGroup and a job chain named like JobChain_VI_ESS_ITShopSrcHasADSGroup_....

Interpretation (sandbox-specific): this environment has the model components for IT Shop Sources, but the preprocessor condition ITSHOPSOURCE is currently off, so the source views are disabled at compile time.

4) Entitlement-type ↔ placement table mapping is DB-backed (confirmed)

• Live DB: BaseTreeAssign joins to DialogTable and maps entitlement tables to BaseTreeHas<type> MN tables, e.g.:
• ADSGroup → BaseTreeHasADSGroup
• ESet → BaseTreeHasESet
• QERReuse → BaseTreeHasQERReuse

5) MDK helper SQL confirms PR-node semantics via ITShopInfo='PR' (new evidence)

From MDK:

• C:\\Dev\\OneIM10.0.0-MDK\\MDK\\database\\MSSQL\\005Helper\\180DefineQEREntitlementSource.sql
• contains and b.ITShopInfo = 'PR' and joins the PR node to its parent board/shelf.

Primary sources (vendor docs)

• One Identity Manager 9.1.1 IT Shop Administration Guide (PDF) — configuration parameter appendix contains QER | ITShop | AutoPublish | ADSGroup (ExcludeList, AutoFillDisplayName) and notes that changes require database recompilation. Source: https://support-public.cfm.quest.com/68426_OneIM_ITShop_Administration.pdf (Accessed: 2026-04-27)
• One Identity Manager 9.0 LTS IT Shop Administration Guide (PDF) — service categories and AccProductGroup referenced for service-category object-dependent references. Source: https://docs-be.oneidentity.com/bundle/OneIM_9.0LTS_ITShop_Administration/raw/resource/enus/OneIM_9.0LTS_ITShop_Administration.pdf (Accessed: 2026-04-27)

Files updated this run

• projects/identity-management/knowledge-base/oim-it-shop-structure-and-availability.md
• projects/identity-management/oim-kb-update/sandbox-db/2026-04-27-itshop-autopublish-adsgroup-flags-db-evidence.md
• projects/identity-management/oim-kb-update/sandbox-host/2026-04-27-itshop-file-hints.md

Open questions / next experiments

• What is the supported way (Designer/preprocessor + DB compile) to enable ITSHOPSOURCE and what changes become visible (additional views, job chains, UI nodes)?
• Is ITShopSrc* relevant for the intended “entitlement shop availability” goals, or is the primary path in this environment still ITShopOrg* + BaseTreeHas<type>?
• What is the smallest supported path to enable QER\\ITShop\\AutoPublish\\ADSGroup and observe resulting creation of AccProduct + placement into BaseTreeHasADSGroup under the IT Shop subtree?