Source: projects/identity-management/oim-kb-update/runs/2026-04-27-27.md

> Source: projects/identity-management/oim-kb-update/runs/2026-04-27-27.md

OIM KB Update — Run 2026-04-27 (27)

Goal

Close a concrete troubleshooting gap: explain why ITShopOrgHasADSGroup / BaseTreeHasADSGroup often shows “double” rows per published AD group, and document the precise DB link semantics between:

• ADSGroup (entitlement)
• AccProduct (service item)
• BaseTree / ITShopOrg PR nodes
• BaseTreeHasADSGroup (placement + PR-link)
• BaseTreeHasObject (PR node ↔ entitlement object key)

Sandbox DB (live evidence)

Evidence note (SELECT-only):

• projects/identity-management/oim-kb-update/sandbox-db/2026-04-27-basetreehasadsgroup-pr-links-and-basetreehasobject-evidence.md

Key findings (snapshot 2026-04-27):

• dbo.ITShopOrgHasADSGroup filters only by “node is inside IT Shop subtree” (UID_OrgRoot='QER-V-ITShopOrg') and does not filter by ITShopInfo.
• In this sandbox, published AD groups typically have two BaseTreeHasADSGroup rows inside the IT Shop subtree:
• BO shelf assignment (BaseTree.ITShopInfo='BO')
• PR node link (BaseTree.ITShopInfo='PR') after ShoppingRack/ProductNode creation
• The “generic” PR node ↔ entitlement link is stored in BaseTreeHasObject:
• BaseTreeHasObject.ObjectKey = ADSGroup.XObjectKey (<Key><T>ADSGroup</T><P>...</P></Key>)
• BaseTreeHasObject.UID_Org = PR node UID_Org
• Seeded catalog completeness: 97/97 ad-shop-seeding groups have BO shelf links, PR node links, PR nodes, and BaseTreeHasObject links.

Sandbox host (shipped SQL evidence)

Evidence note (WinRM HTTP 5985, read-only excerpts):

• projects/identity-management/oim-kb-update/sandbox-host/2026-04-27-adsgroup-basetreehasobject-shipped-sql-evidence.md

Key artifacts (installed under C:\Dev\OneIdentityManager.10.0\Modules\ADS\database\MSSQL):

• 050Triggers\ADS_TBaseTreeHasADSGroup.sql (insert trigger blocks invalid IT Shop flag combinations; enqueues follow-up work)
• 040Procedures\ADS_ZBaseTreeHasObject.sql (DBQueue task that derives BaseTreeHasObject from effective BaseTreeHasADSGroup assignments)

Vendor docs cross-check (web)

These docs describe the *conceptual* IT Shop operations (“assigning products to shelves”, service categories, etc.) but do not expose the internal table-level implementation.

• One Identity Manager 10.0 IT Shop Administration Guide (PDF). Accessed 2026-04-27.

Source: https://support.oneidentity.com/it-it/download/downloads?id=6144476

• Identity Manager 9.1.1 IT Shop Administration Guide (online page: assigning roles to service items). Accessed 2026-04-27.

Source: https://support.oneidentity.com/technical-documents/identity-manager/9.1.1/it-shop-administration-guide/setting-up-an-it-shop-solution/preparing-products-for-requesting/entering-service-items/assigning-hierarchical-roles-to-service-items/assigning-business-roles-to-service-items

Knowledge base updates

• Corrected the earlier troubleshooting guidance: ITShopOrgHasADSGroup alone is not sufficient for “BO shelf placement” checks; filter BaseTree.ITShopInfo='BO' to avoid counting PR-links.
• Added explicit evidence reference for the BO-vs-PR BaseTreeHasADSGroup dual-link behavior.

Files updated/added:

• projects/identity-management/knowledge-base/oim-it-shop-structure-and-availability.md
• projects/identity-management/oim-kb-update/README.md
• projects/identity-management/oim-kb-update/sandbox-db/2026-04-27-basetreehasadsgroup-pr-links-and-basetreehasobject-evidence.md
• projects/identity-management/oim-kb-update/sandbox-host/2026-04-27-adsgroup-basetreehasobject-shipped-sql-evidence.md

Open questions

• Do other BaseTreeHas<EntitlementType> tables (e.g., BaseTreeHasESet, BaseTreeHasLDAPGroup) follow the same “BO + PR dual-link” pattern after PR-node creation?
• Which exact ShoppingRack step creates the BaseTreeHasADSGroup PR-link row (and under what conditions would it be missing)?