Source: projects/identity-management/oim-kb-update/runs/2026-04-27-26.md

> Source: projects/identity-management/oim-kb-update/runs/2026-04-27-26.md

OIM KB Update — Run 2026-04-27 (26)

Goal

Deepen IT Shop troubleshooting notes with concrete, database-backed evidence for:

• ITShopInfo validation sources (triggers + procs) and shopping-center semantics (SC).
• QER\ITShop* DialogConfigParm configuration semantics (preprocessor relevance + resulting enablement).
• Current sandbox state for AD-group publication: flags + placement tables + product-node counts.

Sandbox DB (live evidence)

Evidence note (SELECT-only):

• projects/identity-management/oim-kb-update/sandbox-db/2026-04-27-itshopinfo-validation-and-qer-itshop-config-db-evidence.md

Key findings (snapshot 2026-04-27):

• BaseTree IT Shop subtree (UID_OrgRoot='QER-V-ITShopOrg') has ITShopInfo distribution:
• PR: 113, BO: 8, CU: 1, SH: 1.
• QER_TIBaseTree / QER_TUBaseTree contain hard validation via RAISERROR for:
• ITShopInfo only allowed for suitable role classes (QER-V-ITShopOrg, QER-V-ITShopSrc).
• predecessor must exist inside same role class on insert.
• customer-node (CU) update constraints.
• Shopping centers (SC) are a first-class semantic in shipped procedures even when no SC nodes exist:
• QER_PITShop_ShopMove explicitly requires the target node to be ITShopInfo='SC'.
• DialogConfigParm contains 97 QER\ITShop* parameters. Key gates are preprocessor-relevant:
• QER\ITShop → IsPreprocessorCondition=1 + description says DB recompile is required.
• QER\ITShop\AutoPublish\ADSGroup is also preprocessor-relevant and currently disabled (Enabled=0, IsEnabledResulting=0).
• AD groups in this sandbox are nevertheless already published via a manual/seeding path:
• ADSGroup.IsForITShop=1: 97 rows (and exactly 97 rows have ADSGroup.UID_AccProduct set).
• ITShopOrgHasADSGroup: 194 rows (placement in the IT Shop subtree).

Sandbox host (installed media / MDK evidence)

Evidence note (WinRM HTTP 5985, read-only excerpts):

• projects/identity-management/oim-kb-update/sandbox-host/2026-04-27-itshopinfo-and-configparm-file-evidence.md

Key artifacts (installed under C:\Dev\OneIdentityManager.10.0\Modules\QER\database\MSSQL):

• 050Triggers\QER_TBaseTree.sql (IT Shop validation/error strings; insert/update logic)
• 050Triggers\QER_TDialogConfigParm.sql (config parameter trigger surface)
• 040Procedures\ITShop\QER_PITShop_ShopMove.sql (shopping-center move validation)
• 040Procedures\ITShop\QER_ZITShopCheckStructure.sql (structure checks)

Knowledge base updates

• Updated counts and corrected earlier “empty” claims (AD-group flags/placement + PR node counts).
• Added references to the new evidence notes.

Files updated:

• projects/identity-management/knowledge-base/oim-it-shop-structure-and-availability.md

Open questions

• Why is AccProductInBaseTree still empty in this environment while PR nodes exist via BaseTree.ITShopInfo='PR' + BaseTree.UID_AccProduct?
• What is the smallest *supported* (non-direct-DML) sequence to publish a freshly synchronized AD group and observe the full chain (config parm enablement → templates → placement → DBQueue/ShoppingRack)?