Source: projects/identity-management/oim-kb-update/runs/2026-04-27-9.md
> Source: projects/identity-management/oim-kb-update/runs/2026-04-27-9.md
Run 2026-04-27 (9)
Focus: turn the vague “enable AutoPublish ADSGroup” open question into concrete, DB-backed troubleshooting guidance: which table stores the parameter, how effective evaluation works, and why a simple toggle is not enough (preprocessor/compile requirement).
What I did
- Live sandbox DB (SELECT-only):
- Queried
DialogConfigParmforQER\ITShop\AutoPublish\ADSGroup*and pulled flags (Enabled,IsEnabledResulting,IsPreprocessorCondition) + parent chain. - Verified the DB-side config-value getter (
dbo.QBM_FGIConfigparmValue) and itsIsEnabledResultinggating behavior. - Checked whether any DB modules reference the literal
...AutoPublish\ADSGrouppath (none in this sandbox; usage appears in object-layer scripts / module content instead). - Sandbox host (WinRM, read-only):
- Confirmed shipped ADS module dump + startup content references to
Connection.GetConfigParm("QER\ITShop\AutoPublish\ADSGroup\..."). - Vendor docs:
- Captured the official 10.0 IT Shop Admin Guide PDF section that lists
QER | ITShop | AutoPublish | ADSGroupand notes it is preprocessor relevant and requires a database compile.
Key findings (sandbox-specific)
QER\ITShop\AutoPublish\ADSGroupis a row indbo.DialogConfigParm(PK:UID_ConfigParm), and in this sandbox it is disabled:Enabled=0,Value=1,IsEnabledResulting=0,IsPreprocessorCondition=1- Parent nodes
QER\ITShopandQER\ITShop\AutoPublishare enabled (IsEnabledResulting=1), so the effective disablement is local to the ADSGroup node. - The parameter description (live
DialogConfigParm.Description) explicitly says: changes require recompiling the database. ExcludeListcan beEnabled=1but still not effective: child parameters inherit disablement viaIsEnabledResultingwhen their parent node (...ADSGroup) is disabled.- DB-side evaluation is simple and reproducible:
dbo.QBM_FGIConfigparmValue(@FullPath)returnsValueonly ifIsEnabledResulting=1(otherwise it returns an empty string).
Evidence
- Live DB evidence update:
projects/identity-management/oim-kb-update/sandbox-db/2026-04-27-itshop-autopublish-adsgroup-flags-db-evidence.md(expanded section 3)- Sandbox host evidence update:
projects/identity-management/oim-kb-update/sandbox-host/2026-04-27-itshop-file-hints.md(added concrete line hits)- KB note update:
projects/identity-management/knowledge-base/oim-it-shop-structure-and-availability.md(added preprocessor/compile +IsEnabledResultingmechanics)
Vendor docs
- One Identity Manager 10.0 IT Shop Administration Guide (PDF): https://support-public.cfm.quest.com/82111_one-identity-manager_it-shop-administration_10.0.pdf (Accessed: 2026-04-27)
Open questions / next experiments
- Minimal *supported* end-to-end publish experiment for AD groups in this sandbox:
1. Enable QER\ITShop\AutoPublish\ADSGroup via Designer.
2. Recompile the database (required by the preprocessor-relevant parameter).
3. Ensure the DBQueue Processor is running and observe ShoppingRack tasks.
4. Re-sync / update a seeded AD group that is not matched by ExcludeList.
5. Observe whether OneIM creates ADSGroup.UID_AccProduct, sets ADSGroup.IsForITShop/IsITShopOnly, and places BaseTreeHasADSGroup rows under UID_OrgRoot='QER-V-ITShopOrg'.