OIM KB Update — Run 2026-04-27 (3)

Focus: IT Shop availability for AD groups and the DB-backed enforcement mechanisms behind IsForITShop / IsITShopOnly.

What changed in understanding (new findings)

ADSGroup is “IT Shop enabled” as an element type (BaseTreeAssign maps it to BaseTreeHasADSGroup), but in this sandbox:
all 287 ADSGroup rows have IsForITShop=0 and IsITShopOnly=0,
ADSGroup.UID_AccProduct is empty for all rows,
BaseTreeHasADSGroup has rows, but none are in the IT Shop subtree (BaseTree.UID_OrgRoot='QER-V-ITShopOrg').
DialogConfigParm contains QER\ITShop\AutoPublish\ADSGroup, but it is currently disabled (Enabled=0), which explains the observed state.
Flag changes are guarded by triggers and QER helper DB objects:
ADS_TUAdsGroup calls QER_PIsForITShopFlagCheck('AdsGroup', ...) when flags change.
system-role/entitlement assignment triggers use QER_FGIITShopFlagCombineValid(...) to block invalid flag combinations.
Sandbox host evidence: shipped ADS module dump content references QER\ITShop\AutoPublish\ADSGroup\AutoFillDisplayName and ...\ExcludeList via Connection.GetConfigParm(...) (script fragments in StartupContent.xml), and QER migration introduces the root QER\ITShop\AutoPublish parameter with a description of auto-assigning entitlements to the IT Shop.

Sandbox DB evidence: projects/identity-management/oim-kb-update/sandbox-db/2026-04-27-itshop-autopublish-adsgroup-flags-db-evidence.md
Sandbox host evidence (updated): projects/identity-management/oim-kb-update/sandbox-host/2026-04-27-itshop-file-hints.md
KB note updated: projects/identity-management/knowledge-base/oim-it-shop-structure-and-availability.md

1. Supported path to enable QER\ITShop\AutoPublish\ADSGroup (Designer / config param workflow) and observe the resulting DB changes.

2. Once enabled: what exact sequence creates AccProduct + product nodes and populates ADSGroup.UID_AccProduct?

3. Confirm whether AutoFillDisplayName affects AccProduct.Ident_AccProduct or a different display field.