Source: projects/identity-management/oim-kb-update/sandbox-host/2026-04-27-eset-and-itshop-flagcheck-file-evidence.md

> Source: projects/identity-management/oim-kb-update/sandbox-host/2026-04-27-eset-and-itshop-flagcheck-file-evidence.md

Goal

Find shipped (installed) OneIM 10.0 SQL artifacts on the sandbox host that explain:

• How ESet (system roles) validates IsForITShop / IsITShopOnly
• Which DBQueue tasks are enqueued by ESet / BaseTreeHasESet changes
• Where the generic procedure QER_PIsForITShopFlagCheck lives and what it checks

Access path / constraints

• Host: im.sandbox.local
• Transport: WinRM over HTTP 5985 (credentialed; read-only commands)
• No file changes; only directory listing and reading .sql files.

Evidence (file paths)

RMS triggers (ESet + BaseTreeHasESet)

• C:\Dev\OneIdentityManager.10.0\Modules\RMS\database\MSSQL\050Triggers\RMS_TESet.sql
• Contains trigger RMS_TUESet on ESet (UPDATE).
• Contains trigger RMS_TIESet on ESet (INSERT) that enqueues RMS-K-ESetCollection.
• C:\Dev\OneIdentityManager.10.0\Modules\RMS\database\MSSQL\050Triggers\RMS_TBaseTreeHasESet.sql
• Contains triggers on BaseTreeHasESet (RMS_TIBaseTreeHasESet, RMS_TUBaseTreeHasESet).
• Enqueues RMS-K-BaseTreeHasObject, RMS-K-OrgHasESet, QER-K-OrgAutoChild, RMS-K-PersonHasESet, RMS-K-WorkdeskHasESet (and others depending on affected entitlement table).
• C:\Dev\OneIdentityManager.10.0\Modules\RMS\database\MSSQL\050Triggers\RMS_TESetHasEntitlement.sql
• Contains trigger RMS_TUESetHasEntitlement on ESetHasEntitlement (UPDATE), used for recalculation/propagation.

Generic flag-check procedure (QER)

• C:\Dev\OneIdentityManager.10.0\Modules\QER\database\MSSQL\040Procedures\Base\QER_PIsForITShopFlagCheck.sql
• Implements the generic validation called by multiple entitlement triggers when updating IsForITShop/IsITShopOnly.
• Includes a specific check that joins ESetHasEntitlement + BaseTreeHasESet to prevent switching a resource to “IT Shop only” when it is included in a system role package assigned outside the IT Shop base tree.

Key excerpts (minimal)

RMS_TUESet calls QER_PIsForITShopFlagCheck for ESet

From ...\RMS_TESet.sql (around lines 41–67 in the shipped file):

if update(isForITShop) or update(isITShopOnly) begin
  ... insert into @FlagTest(...)
  exec QER_PIsForITShopFlagCheck 'ESet', @FlagTest
  ...
end

QER_PIsForITShopFlagCheck references BaseTreeHasESet

From ...\QER_PIsForITShopFlagCheck.sql (around lines 92–98 in the shipped file):

... join ESetHasEntitlement ... join BaseTreeHasESet ...
... where ... i.IsITShopOnlyNew = 1 ...
raiserror '#LDS#Change cannot take place because the resource belongs to a package which is assigned to a base tree outside the IT Shop.|'

Why this matters (troubleshooting)

• If an ESet flag update fails, search for:
• trigger-side checks in RMS_TUESet (plus its dynamic entitlement-table checks)
• generic checks in QER_PIsForITShopFlagCheck
• existing ESetHasEntitlement inclusions + BaseTreeHasESet placements of the containing package outside UID_OrgRoot='QER-V-ITShopOrg'.