Source: projects/identity-management/oim-kb-update/runs/2026-04-27-7.md

> Source: projects/identity-management/oim-kb-update/runs/2026-04-27-7.md

OIM KB Update — Run 2026-04-27 (7)

Focus: verify (a) AccProduct.IsToHideFromITShop behavior/usage, and (b) whether AccProductGroup is required for shop availability in this sandbox; plus capture the DB shape of QER\ITShop\AutoPublish\ADSGroup configuration parameters.

Live sandbox DB observations (SELECT-only)

1) AccProduct.IsToHideFromITShop is currently unused in this sandbox

Query:

SELECT IsToHideFromITShop, COUNT(*) AS Cnt
FROM AccProduct
GROUP BY IsToHideFromITShop
ORDER BY IsToHideFromITShop;

Result:

{"_v":1,"database":"OIM","dbName":"OneIM","connectionMode":"Local","kind":"reader","durationMs":59,"rowsAffected":null,"rowCount":1,"rows":{"IsToHideFromITShop":false,"Cnt":20},"preSnapshot":null,"postSnapshot":null,"committed":null}

Additional DB-side evidence:

• Searching sys.sql_modules for IsToHideFromITShop returns only a generated trigger/table-def artifact; QER_TUAccProduct does not mention this column (so no obvious DBQueue refresh on hide-flag changes).

2) Service categories (AccProductGroup) are not required for PR product nodes

Query (PR nodes under QER-V-ITShopOrg):

SELECT
  SUM(CASE WHEN a.IsToHideFromITShop = 1 THEN 1 ELSE 0 END) AS HiddenProductNodes,
  SUM(CASE WHEN a.UID_AccProductGroup IS NULL THEN 1 ELSE 0 END) AS ProductNodesWithoutCategory,
  COUNT(*) AS TotalProductNodes
FROM BaseTree b
JOIN AccProduct a ON a.UID_AccProduct = b.UID_AccProduct
WHERE b.UID_OrgRoot = 'QER-V-ITShopOrg'
  AND b.ITShopInfo = 'PR';

Result:

{"_v":1,"database":"OIM","dbName":"OneIM","connectionMode":"Local","kind":"reader","durationMs":43,"rowsAffected":null,"rowCount":1,"rows":{"HiddenProductNodes":0,"ProductNodesWithoutCategory":7,"TotalProductNodes":16},"preSnapshot":null,"postSnapshot":null,"committed":null}

Interpretation (sandbox-specific): AccProductGroup is currently a grouping/catalog concept, not a hard prerequisite for product-node existence in the IT Shop tree.

3) AutoPublish ADSGroup config parameters live in DialogConfigParm (and show why no AD groups are auto-published)

AutoPublish ADSGroup rows:

SELECT TOP 10 FullPath, Value, Enabled, IsCrypted, DisplayName, UID_ParentConfigparm
FROM DialogConfigParm
WHERE FullPath LIKE 'QER\ITShop\AutoPublish\ADSGroup%'
ORDER BY FullPath;

Result:

{"_v":1,"database":"OIM","dbName":"OneIM","connectionMode":"Local","kind":"reader","durationMs":43,"rowsAffected":null,"rowCount":3,"rows":[{"FullPath":"QER\\ITShop\\AutoPublish\\ADSGroup","Value":"1","Enabled":false,"IsCrypted":false,"DisplayName":"Active Directory groups","UID_ParentConfigparm":"QER-50F919687701574E9C828808EF5608D8"},{"FullPath":"QER\\ITShop\\AutoPublish\\ADSGroup\\AutoFillDisplayName","Value":"1","Enabled":false,"IsCrypted":false,"DisplayName":null,"UID_ParentConfigparm":"ADS-49E68B01EF4EBD4C8686955F11DE1DC2"},{"FullPath":"QER\\ITShop\\AutoPublish\\ADSGroup\\ExcludeList","Value":".*Administrator.*|Exchange.*|.*Admins|.*Operators|IIS_IUSRS","Enabled":true,"IsCrypted":false,"DisplayName":"Exclude list for Active Directory groups","UID_ParentConfigparm":"ADS-49E68B01EF4EBD4C8686955F11DE1DC2"}],"preSnapshot":null,"postSnapshot":null,"committed":null}

Root enablement state:

SELECT FullPath, Value, Enabled
FROM DialogConfigParm
WHERE FullPath IN ('QER\ITShop\AutoPublish','QER\ITShop','QER')
ORDER BY FullPath;

{"_v":1,"database":"OIM","dbName":"OneIM","connectionMode":"Local","kind":"reader","durationMs":42,"rowsAffected":null,"rowCount":3,"rows":[{"FullPath":"QER","Value":"1","Enabled":true},{"FullPath":"QER\\ITShop","Value":"1","Enabled":true},{"FullPath":"QER\\ITShop\\AutoPublish","Value":"1","Enabled":true}],"preSnapshot":null,"postSnapshot":null,"committed":null}

Sandbox host evidence (MDK/SDK + installed product media)

• Installed product dumps and generated scripts reference IsToHideFromITShop as a first-class schema element (e.g. ...\\Dump\\ModuleContent.xml, ...\\Dump\\StartupContent.xml, ...\\Generate\\00000000QERTableDef.sql, ...\\Migration\\V90\\2022.0004.0012.0000.sql).
• Module dumps also include “where clause” snippets that explicitly reason about empty UID_AccProductGroup (suggesting UI or collection logic might treat “no category” as a first-class case).

Details are appended to sandbox-host/2026-04-27-itshop-file-hints.md.

Vendor docs (official) — links to verify against

• One Identity Manager 10.0 IT Shop Administration Guide (PDF) includes the IT Shop AutoPublish config parameters list (including QER | ITShop | AutoPublish | ADSGroup). Source: https://support-public.cfm.quest.com/82111_one-identity-manager_it-shop-administration_10.0.pdf (Accessed: 2026-04-27)

Next questions / experiments

1. Confirm portal behavior of AccProduct.IsToHideFromITShop:

• In this sandbox no products are currently hidden (IsToHideFromITShop=0 for all rows) and DB-side logic does not reference it, so verification likely requires Web Portal/UI observation (or a controlled sandbox test with explicit rollback).

2. Determine whether “supported” auto-publish of ADSGroup implies:

• setting DialogConfigParm.Enabled=1 for QER\ITShop\AutoPublish\ADSGroup (and optionally AutoFillDisplayName),
• running a compile/DBQueue process step,
• and then observing new AccProduct + ADSGroup.UID_AccProduct + shelf placement (BaseTreeHasADSGroup) + PR node creation.