OIM KB Update — Run 2026-04-27 (14)

Goal

Live sandbox DB (SELECT-only):
Listed ITShopOrgHas* views and BaseTreeHas* link tables.
Enumerated which entitlement tables contain IsForITShop / IsITShopOnly (and where AccProduct.IsToHideFromITShop lives).
Counted how many BaseTreeHasADSGroup / BaseTreeHasESet / BaseTreeHasQERReuse rows currently point into the IT Shop subtree.
Sandbox host (WinRM read-only):
Confirmed BaseTreeHasESet / ITShopOrgHasESet are shipped in QER module content dumps (no AutoPublish ESet parameter hit in the scanned files).

DB shape: “IT Shop availability” is not just the entitlement flags. The placement into the shop structure is modeled with BaseTreeHas<type> link tables, exposed as ITShopOrgHas<type> views.
System roles are first-class IT Shop candidates: ESet has IsForITShop/IsITShopOnly, and the schema ships BaseTreeHasESet + ITShopOrgHasESet.
Current sandbox state: the IT Shop structure is populated with QERReuse placements (BaseTreeHasQERReuse = 10 in subtree), but no ADSGroup or ESet placements exist in QER-V-ITShopOrg yet (both 0).

Live DB: projects/identity-management/oim-kb-update/sandbox-db/2026-04-27-itshop-entitlement-link-tables-db-evidence.md
Host artifacts (existing, updated earlier today): projects/identity-management/oim-kb-update/sandbox-host/2026-04-27-itshop-file-hints.md

What is the smallest supported UI/API operation that creates BaseTreeHasADSGroup and/or BaseTreeHasESet rows (or otherwise results in new PR nodes) after enabling AutoPublish for the entitlement type?
Does OneIM create BaseTreeHas<type> links directly on BO shelves, or only on PR product nodes, and then derive the product nodes via DBQueue?