Source: projects/identity-management/oim-kb-update/sandbox-db/2026-04-27-ad-shop-itshop-publication.md
AD Shop Seed - IT Shop Publication Result
Summary
The 97 fictional AD entitlement groups from ad-shop-catalog.json were already synchronized into ADSGroup.
They were published into the One Identity Manager IT Shop as requestable products on 2026-04-27.
Publication used the researched direct DB sequence because this sandbox task was a controlled bulk research update:
1. Create one AccProduct service item per synced ADSGroup.
2. Assign each service item to one of the four sandbox AccProductGroup service categories.
3. Set the AD membership approval policy on the service items, service categories, and BO shelves.
4. Link each ADSGroup to its service item through ADSGroup.UID_AccProduct.
5. Set ADSGroup.IsForITShop = 1 and ADSGroup.IsITShopOnly = 0.
6. Assign each group to the correct BO shelf through BaseTreeHasADSGroup using the ITShopOrgHasADSGroup object-key discriminator.
7. Let the DBQueue/product-node processing create the resulting ITShopOrg PR nodes.
Generated SQL
- Builder: scripts/research/Build-OimAdShopItShopPublishSql.ps1
- Generated SQL: projects/identity-management/ad-shop-seeding/output/publish-ad-groups-itshop.sql
- Catalog source: projects/identity-management/ad-shop-seeding/data/ad-shop-catalog.json
- Marker: [OIM-SANDBOX-SEED:ad-shop-seeding:v1]
Approval Policy
The publication used the predefined AD policy:
| UID_PWODecisionMethod | Ident_PWODecisionMethod |
|---|---|
| ADS-625C7339178444AD9FBC0A8A7EC3901B | Approval of AD group membership requests |
This policy was written to:
- all 97 created `AccProduct` rows,
- the four sandbox `AccProductGroup` service categories,
- the four sandbox `ITShopOrg` BO shelves through their underlying `BaseTree` rows.
Service Catalog Mapping
| Catalog slice | Count | Service category / BO shelf |
|---|---|---|
| Application tier groups APP_* | 75 | Sandbox Applications |
| Business-role marker groups BR_* | 9 | Sandbox Business Roles |
| System-role placeholder groups SR_* | 10 | Sandbox System Role Bundles |
| Distribution-list-shaped groups DL_* | 3 | Sandbox Distribution Lists |
Mutation Audit Snapshot
The mutation was executed through scripts/sandbox/Invoke-SandboxSql.ps1 with -DmlMode,
-IUnderstandDirectOimDml, -Reason, and -VerifyQuery, wrapped in the sandbox lock.
Pre/post snapshot:
| Check | Before | After |
|---|---|---|
| Catalog-backed AccProduct rows | 0 | 97 |
| IT Shop enabled AD groups | 0 | 97 |
| Groups with IsITShopOnly = 0 | 0 | 97 |
| Products with AD membership approval policy | 0 | 97 |
| Sandbox categories with approval policy | 0 | 4 |
| Sandbox shelves with approval policy | 0 | 4 |
| Shelf assignments through BaseTreeHasADSGroup | 0 | 97 |
| Product nodes inside transaction snapshot | 0 | 0 |
Follow-up verification after DBQueue/product-node processing:
| Shelf | Product nodes |
|---|---|
| Sandbox Applications | 75 |
| Sandbox Business Roles | 9 |
| Sandbox Distribution Lists | 3 |
| Sandbox System Role Bundles | 10 |
Total PR nodes: 97.
QBMDBQueueCurrent showed no pending rows for QER-K-OrgAutoChild or
QER-K-ShoppingRackProductNode after the product-node verification.
Object-Key Detail
For IT Shop AD-group shelf assignments, the physical row is in BaseTreeHasADSGroup, but the
object-layer/table discriminator should be the view-table assignment:
<Key><T>ITShopOrgHasADSGroup</T><P>{UID_ADSGroup}</P><P>{UID_ITShopOrg}</P></Key>
This differs from generic BaseTreeHasADSGroup examples and from non-IT-Shop view-table assignments
such as DepartmentHasADSGroup or OrgHasADSGroup.
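A verification query, added here as an example and not taken from the page's builder output, that re-runs the snapshot checks against the seed marker and lists any shelf assignment whose object key does not carry the ITShopOrgHasADSGroup discriminator. It assumes the marker is written to AccProduct.Description and that BaseTree.Ident_Org, BaseTreeHasADSGroup.UID_Org and XObjectKey exist as in a standard One Identity Manager schema.

```sql
-- Added verification example (T-SQL); not the page's generated publish SQL.
-- Assumption: the seed marker is stored in AccProduct.Description.
DECLARE @Marker   nvarchar(100) = N'[OIM-SANDBOX-SEED:ad-shop-seeding:v1]';
DECLARE @AdPolicy nvarchar(50)  = N'ADS-625C7339178444AD9FBC0A8A7EC3901B';

-- 1. Catalog-backed service items and how many carry the AD membership policy.
--    CHARINDEX is used on purpose: '[' and ']' are wildcards in a T-SQL LIKE
--    pattern, so LIKE '%[OIM-SANDBOX-SEED...]%' would not match the marker text.
SELECT COUNT(*) AS CatalogProducts,
       SUM(CASE WHEN p.UID_PWODecisionMethod = @AdPolicy THEN 1 ELSE 0 END) AS WithAdPolicy
FROM AccProduct p
WHERE CHARINDEX(@Marker, p.Description) > 0;

-- 2. AD groups linked to those products and their IT Shop flags
--    (expected after publication: IsForITShop = 1 and IsITShopOnly = 0 for all 97).
SELECT COUNT(*) AS LinkedGroups,
       SUM(CASE WHEN g.IsForITShop = 1 AND g.IsITShopOnly = 0 THEN 1 ELSE 0 END) AS RequestableNotShopOnly
FROM ADSGroup g
JOIN AccProduct p ON p.UID_AccProduct = g.UID_AccProduct
WHERE CHARINDEX(@Marker, p.Description) > 0;

-- 3. Shelf assignments: the physical row lives in BaseTreeHasADSGroup, but the
--    object key must use the ITShopOrgHasADSGroup view-table discriminator.
--    Any row with a different discriminator (for example a bare
--    BaseTreeHasADSGroup or a DepartmentHasADSGroup key) is listed for review;
--    an empty result set is the expected outcome.
SELECT bt.Ident_Org AS Shelf, g.SAMAccountName, ba.XObjectKey
FROM BaseTreeHasADSGroup ba
JOIN BaseTree   bt ON bt.UID_Org = ba.UID_Org
JOIN ADSGroup   g  ON g.UID_ADSGroup = ba.UID_ADSGroup
JOIN AccProduct p  ON p.UID_AccProduct = g.UID_AccProduct
WHERE CHARINDEX(@Marker, p.Description) > 0
  AND ba.XObjectKey NOT LIKE N'<Key><T>ITShopOrgHasADSGroup</T>%';
```

Run it through the same sandbox wrapper (scripts/sandbox/Invoke-SandboxSql.ps1 without -DmlMode) so the read-only check stays inside the sandbox lock.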
Sample Verification Row
Example result after publication:
| Shelf | Product node | ArticleCode / SAMAccountName | Flags | Approval policy |
|---|---|---|---|---|
| Sandbox Applications | Atlas Office - Read-only | APP_ATLAS_READER | IsForITShop=1, IsITShopOnly=0 | Approval of AD group membership requests |
Modeling Notes
- `IsITShopOnly` was intentionally kept `0`. These fictional AD groups are requestable in IT Shop, but v1 does not prohibit non-IT-Shop assignment paths.
- `SR_*` entries remain direct AD placeholder products. The preferred later model is native `ESet` system roles that bundle the included AD groups.
- Distribution-list-shaped `DL_*` entries remain Global Security groups in v1 and are not mail-enabled.
- The live v10 sandbox `AccProduct` table does not contain a `ServiceItem` column; service-item identity is represented through `Ident_AccProduct`, category, article/order code, description, and metadata fields.