Source: projects/identity-management/oim-kb-update/runs/2026-04-27-5.md

> Source: projects/identity-management/oim-kb-update/runs/2026-04-27-5.md

OIM KB Update — Run 2026-04-27 (5)

Focus: concrete DB-backed wiring for IT Shop product-node creation and placement:

• how BaseTreeAssign maps entitlement types to BaseTreeHas<type> relation tables,
• what QER_PITShopProductNodeCreate_b actually does (PR node creation path),
• how AccProduct changes feed into ShoppingRack refresh tasks,
• cross-check with shipped module SQL (C:\Dev\OneIdentityManager.10.0\Modules\...) and vendor docs.

No sandbox mutations were performed in this run (SELECT-only DB work + WinRM file inspection).

What changed in understanding (new findings)

• BaseTreeAssign is the authoritative “IT Shop enabled types” registry:
• IsITShopEnabled=1 rows show which entitlement tables can participate (e.g. ADSGroup, ESet, QERReuse, …).
• It also tells you the relation (MN) table used for shelf assignments (e.g. ADSGroup → BaseTreeHasADSGroup).
• QER_PITShopProductNodeCreate_b describes the product-node creation mechanism in this sandbox:
• It derives the right table + MN table from BaseTreeAssign and dialog metadata.
• It checks whether an entitlement is assigned to the BO shelf (row in BaseTreeHas<type> with UID_Org=<BO shelf UID>).
• If assigned, it creates a PR node under that shelf (BaseTree.ITShopInfo='PR') and also creates BaseTreeHasObject for the PR node + entitlement ObjectKey.
• It updates ITShopOrg.UID_AccProduct via QBM_PJobCreate_HOUpdate based on UID_ACCProduct read from the entitlement record (e.g. ADSGroup.UID_AccProduct).
• It does not reference AccProductInBaseTree, which supports the “legacy/unused mapping table” hypothesis for this sandbox.
• QER_TUAccProduct (trigger on AccProduct) enqueues QER-K-ShoppingRackProductNode tasks when product approval/category metadata changes:
• update(UID_PWODecisionMethod) → enqueue refresh for all BaseTree rows where BaseTree.UID_AccProduct matches.
• update(UID_AccProductGroup) → enqueue refresh similarly.
• Shipped install media (sandbox host) matches the live DB behavior:
• C:\Dev\OneIdentityManager.10.0\Modules\QER\database\MSSQL\040Procedures\ITShop\QER_PITShopProductNodeCreate.sql contains the BaseTreeAssign join + PR node + BaseTreeHasObject logic.
• C:\Dev\OneIdentityManager.10.0\Modules\ADS\database\MSSQL\Dump\StartupContent.xml references QER\ITShop\AutoPublish\ADSGroup\AutoFillDisplayName and uses UID_AccProduct (if present) to derive a display name for the AD group’s service item.

Evidence notes updated

• Live DB evidence (updated): projects/identity-management/oim-kb-update/sandbox-db/2026-04-27-itshop-availability-db-evidence.md
• Sandbox host evidence (updated): projects/identity-management/oim-kb-update/sandbox-host/2026-04-27-itshop-file-hints.md
• Knowledge base note (updated): projects/identity-management/knowledge-base/oim-it-shop-structure-and-availability.md

Next questions / experiments

1. Supported-path validation: after AD sync brings OU=OIM-Managed groups into ADSGroup, enable QER\ITShop\AutoPublish\ADSGroup (Designer/UI/API) and observe:

• first changes to ADSGroup.UID_AccProduct,
• whether BaseTreeHasADSGroup rows appear under UID_OrgRoot='QER-V-ITShopOrg' (BO shelves),
• whether PR nodes are created and UID_AccProduct is set on those nodes.

2. Reconcile the empty AccProductInBaseTree table:

• confirm it is legacy/unused by design in this environment, or identify the missing job/proc that would populate it in other configurations.