Source: projects/identity-management/oim-kb-update/sandbox-host/2026-04-27-autopublish-and-preprocessor-gates-file-evidence.md

> Source: projects/identity-management/oim-kb-update/sandbox-host/2026-04-27-autopublish-and-preprocessor-gates-file-evidence.md

Sandbox host evidence — AutoPublish ADSGroup + preprocessor gates in shipped SQL/XML (2026-04-27)

Goal: connect live-DB observations about preprocessor gating and AutoPublish ADSGroup behavior to *shipped* module artifacts on the sandbox host.

Method: WinRM HTTP (5985) read-only inspection on im.sandbox.local, under:

• C:\Dev\OneIdentityManager.10.0\Modules\...
• C:\Dev\OneIM10.0.0-MDK\MDK\...

1) Shipped IT Shop SQL explicitly checks DialogColumn.IsDeactivatedByPreProcessor

File evidence:

• C:\Dev\OneIdentityManager.10.0\Modules\QER\database\MSSQL\040Procedures\ITShop\QER_PITShopProductNodeCreate.sql

Relevant lines (approx):

... where s.CreatePRNode = 1 ...
and exists (
  select top 1 1
  from dialogcolumn with (readpast)
  where UID_DialogTable = 'QER-T-ITShopOrg'
    and ColumnName = 'uid_ACCProduct'
    and IsDeactivatedByPreProcessor = 0
)
...
exec QBM_PJobCreate_HOUpdate 'ITShopOrg' ... @p1 = 'uid_ACCProduct' ...

Interpretation:

• Even in shipped procs, IT Shop product-node processing contains explicit “preprocessor deactivation” checks.
• This matches the live-DB trigger observation that ADS_TUAdsGroup also checks DialogColumn.IsDeactivatedByPreProcessor=0 before doing certain IT Shop updates.

2) QER IT Shop module includes the relevant SQL as a build/install unit

File evidence:

• C:\Dev\OneIdentityManager.10.0\Modules\QER\database\MSSQL\040Procedures\ITShop\ITShop.xml

Contains (as <Command Type="SqlFile">...):

• QER_FTMethodForPRNode.sql
• QER_PITShopProductNodeCreate.sql

3) ADS module dump explicitly references AutoPublish ADSGroup config parameters

File evidence:

• C:\Dev\OneIdentityManager.10.0\Modules\ADS\database\MSSQL\Dump\ModuleContent.xml
• C:\Dev\OneIdentityManager.10.0\Modules\ADS\database\MSSQL\Dump\StartupContent.xml

Observed keys/usages:

• QER\ITShop\AutoPublish\ADSGroup
• QER\ITShop\AutoPublish\ADSGroup\ExcludeList
• Connection.GetConfigParm("QER\ITShop\AutoPublish\ADSGroup\ExcludeList")
• StartupContent includes:
• #If ITSHOP Then
• If Connection.GetConfigParm("QER\ITShop\AutoPublish\ADSGroup\AutoFillDisplayName")="1" Then ...

Interpretation:

• Even if the compiled sandbox DB currently has no SQL-module string matches for AutoPublish + ADSGroup, the installed module content clearly models the configuration and contains code paths guarded by the ITSHOP preprocessor define and config parameters.

4) MDK dump demonstrates the broader pattern: generated definitions exclude preprocessor-deactivated columns

File evidence:

• C:\Dev\OneIM10.0.0-MDK\MDK\database\MSSQL\Dump\ModuleContent.xml

Contains patterns like:

• ... not exists (select top 1 1 from DialogColumn c where c.IsDeactivatedByPreProcessor=1 and c.UID_DialogColumn=v.UID_ChildColumn)

Interpretation:

• This reinforces that preprocessor-deactivation is a first-class mechanism in shipped content generation; it is expected that compiled DB behavior can differ materially depending on enabled preprocessor conditions and “compiled” state.

5) Shipped content still references AccProductInBaseTree / AccProductInITShopOrg

File evidence (QER module dump):

• C:\Dev\OneIdentityManager.10.0\Modules\QER\database\MSSQL\Dump\ModuleContent.xml includes identifiers:
• QER-T-AccProductInITShopOrg
• QER-T-AccProductInBaseTree

Relevance:

• This supports the ongoing “legacy vs missing fill job” question: the schema/table/view is shipped in install media even though the sandbox DB currently has AccProductInBaseTree empty.