OIM KB Update — Run 2026-04-27 (28)

Goal

Expand the IT Shop “availability” model beyond ADSGroup by recording:

the complete BaseTreeAssign.IsITShopEnabled=1 inventory (which element tables are IT Shop-enabled)
the observed “BO + PR dual-link” pattern across multiple entitlement types
shipped SQL evidence for *how* ShoppingRack / ProductNodeCheck iterates enabled types and creates/repairs PR nodes

Evidence note (SELECT-only):

projects/identity-management/oim-kb-update/sandbox-db/2026-04-27-it-shop-enabled-types-and-availability-joins-db-evidence.md

Key findings (snapshot 2026-04-27):

BaseTreeAssign lists 13 IT-Shop-enabled element types (e.g., ADSGroup, QERAssign, QERResource, TSBAccountDef, ESet, LDAPGroup, RPSReport, UNSGroupB*).
Many “direct entitlement tables” share the same DB-level availability prerequisites:
IsForITShop=1
UID_AccProduct set
placement rows in BaseTreeHas<Element> inside the IT Shop subtree (filter is implemented by ITShopOrgHas<Element> views).
In this sandbox, requestable objects show the same dual-link semantics inside the IT Shop subtree:
one BaseTreeHas<Element> row for the BO shelf (ITShopInfo='BO')
one BaseTreeHas<Element> row for the PR product node (ITShopInfo='PR')
ITShopOrgHasUNSGroup is a compatibility/union view that re-maps multiple group types (including ADS groups) into a single “UNSGroup” surface (important when reading shipped SQL).

Evidence note (WinRM HTTP 5985, read-only inspection + summarized behavior):

projects/identity-management/oim-kb-update/sandbox-host/2026-04-27-itshop-productnodecheck-and-prnodecreate-shipped-sql-evidence.md

Key artifacts (installed under C:\Dev\OneIdentityManager.10.0\Modules\QER\database\MSSQL\040Procedures\ITShop\):

QER_ZITShopProductNodeCheck.sql (QER_PITShopProductNodeCheck)
iterates **all enabled BaseTreeHas* tables** derived from BaseTreeAssign
calls QER_PITShopProductNodeCreate_b for missing PR nodes
may enqueue QER-K-OrgAutoChild to re-run when limits are hit
QER_PITShopProductNodeCreate.sql
creates PR nodes (BaseTree.ITShopInfo='PR') and sets BaseTree.UID_AccProduct
fills PR-node decision-method data using AccProduct/AccProductGroup/helper-board methods
inserts PR-node BaseTreeHasObject rows (entitlement object key payload)

Expanded the “IT Shop enabled types” section with the full sandbox inventory and a DB evidence pointer.
Updated the product-node section to include the shipped QER_PITShopProductNodeCheck role (dynamic BaseTreeAssign iteration + PR repair).

Files updated/added:

projects/identity-management/knowledge-base/oim-it-shop-structure-and-availability.md
projects/identity-management/oim-kb-update/sandbox-db/2026-04-27-it-shop-enabled-types-and-availability-joins-db-evidence.md
projects/identity-management/oim-kb-update/sandbox-host/2026-04-27-itshop-productnodecheck-and-prnodecreate-shipped-sql-evidence.md

The vendor docs describe the same conceptual mechanism that we observed in shipped SQL and live DB:

“Assigning products to shelves” describes that the DBQueue Processor creates separate product nodes per assigned product, and that QER | ITShop | LimitOfNodeCheck limits how many nodes are processed per run; remaining work is re-queued (default: 500). Accessed: 2026-04-27.

Source: https://support.oneidentity.com/it-it/download/downloads?id=6144476

Cross-check with shipped SQL evidence:

The doc’s mention of QER-K-OrgAutoChild aligns with shipped QER_PITShopProductNodeCheck enqueuing QER-K-OrgAutoChild when limits are hit (see sandbox-host/2026-04-27-itshop-productnodecheck-and-prnodecreate-shipped-sql-evidence.md).