Source: projects/identity-management/oim-kb-update/sandbox-host/2026-04-27-accproductinbasetree-and-itshop-flag-validation-file-evidence.md

> Source: projects/identity-management/oim-kb-update/sandbox-host/2026-04-27-accproductinbasetree-and-itshop-flag-validation-file-evidence.md

Sandbox Host Evidence — AccProductInBaseTree schema + IT Shop flag validation hooks (2026-04-27)

Scope

Read-only evidence gathered on 2026-04-27 from the sandbox host (im.sandbox.local) via WinRM file inspection:

• shipped DB schema for AccProductInBaseTree,
• shipped relationship metadata for AccProductInBaseTree,
• shipped trigger behavior showing how service-category changes and ADSGroup flag changes cause IT Shop recalculation work.

1) Shipped schema: AccProductInBaseTree exists as a composite-key table

From C:\Dev\OneIdentityManager.10.0\Modules\QER\database\MSSQL\Generate\00000000QERTableDef.sql (lines 62–64):

Create Table AccProductInBaseTree (
  UID_Org varchar(38) NOT NULL,
  UID_AccProduct varchar(38) NOT NULL,
  ...
  XObjectKey varchar(138) NOT NULL,
  ...
  Primary Key (UID_Org, UID_AccProduct)
)

2) Shipped relationship metadata: BaseTree ↔ AccProductInBaseTree ↔ AccProduct

From C:\Dev\OneIdentityManager.10.0\Modules\QER\database\MSSQL\Generate\00000000QERHandleRelation.sql (lines 275–282):

... BaseTree -> AccProductInBaseTree (UID_Org)
... AccProduct -> AccProductInBaseTree (UID_AccProduct)

This shows the mapping is still part of the shipped relational model, even if the sandbox DB currently has AccProductInBaseTree = 0 rows.

3) Shipped trigger: service-category (AccProductGroup) changes enqueue ShoppingRack recalculation

From C:\Dev\OneIdentityManager.10.0\Modules\QER\database\MSSQL\050Triggers\QER_TAccProductGroup.sql (lines 35–43):

if update(UID_PWODecisionMethod) begin
  ... exec QBM_PDBQueueInsert_Bulk 'QER-K-ShoppingRackProductNode', ...
end
if update(UID_AccProductGroupParent) begin
  ... exec QBM_PDBQueueInsert_Bulk 'QER-K-ShoppingRackProductNode', ...
end

Interpretation: in this version, service categories are part of the decision-method fill chain for PR nodes (ShoppingRack refresh), but they are not necessarily required for PR node existence in this sandbox.

4) Shipped trigger: ADSGroup IT Shop flags + product changes

From C:\Dev\OneIdentityManager.10.0\Modules\ADS\database\MSSQL\050Triggers\ADS_TAdsGroup.sql:

• It enforces a hard rule: IsITShopOnly = 1 cannot be combined with “group is primary group” usage.
• It validates IsForITShop / IsITShopOnly changes via QER_PIsForITShopFlagCheck.
• It updates existing PR nodes when ADSGroup.UID_AccProduct changes using QBM_PJobCreate_HOUpdate_B N'ITShopOrg', ....

Local capture

This run saved the extracted line snippets under:

• .tmp/oim-kb-update/2026-04-27-run24/host_tabledef_55_80.txt
• .tmp/oim-kb-update/2026-04-27-run24/host_handlerel_268_290.txt
• .tmp/oim-kb-update/2026-04-27-run24/host_excerpts_itshop.json