Udostępnij za pośrednictwem


How FIM2010 CM & CLM 2007 search for users

  1. User with FIM2010/CLM/ILM management permissions logs on to the CM website, accesses one of the search pages and clicks Search
  2. The CLM Auth Agent service account makes an LDAP query to a DC and retrieves the names of all users matching the search criteria
  3. The FIM code steps through the list that it has obtained from AD and checks if the logged on user has read permissions to each - if so then it is added to the list
  4. Once all users in the list have been checked the filtered list is displayed to the logged on user.

Two things have to be in place for a user to be displayed on the Search Results page when the search operation is performed:

  • the logged on user (i.e. FIM Admin) must have Read Properties permissions on the account(s) being searched for in order for them to be displayed in the search results
  • the CLMAuthAgent account must have sufficient AD permissions and user rights as defined on http://technet.microsoft.com/en-us/library/cc708677(WS.10).aspx

If either of these is missing or incomplete then the list of returned users will be filtered accordingly or an error message returned.

Installing and Configuring CLM 2007 on a Server
http://technet.microsoft.com/en-us/library/cc708677(WS.10).aspx

A hotfix rollup package (build 3.3.1118.02) is available for Identity Lifecycle Manager 2007 Feature Pack 1
http://support.microsoft.com/kb/969742

Comments

  • Anonymous
    January 01, 2003
    This works for Authenticated Users by default in a freshly installed domain - in the case where it requires direct permissions then the default ACL's in AD have been modified. One suspicion that I had was that this might be related to domains that have been upgraded all the way from NT 4 (if the ACL's haven't simply been modified at some point) - but I didn't investigate this beyond confirming it works this way for a vanilla W2k8 R2 domain.

  • Anonymous
    January 01, 2003
    Good point, I typically use FIM and DC on the same server in test scenarios.

  • Anonymous
    January 01, 2003
    Ingolfur, In your testing, are your domain controller and FIM installation on the same server?  If so, then Auth Users will work via the nesting in PreWindows 2000 Compat Access.

  • Anonymous
    January 01, 2003
    The comment has been removed

  • Anonymous
    August 25, 2011
    I have never got this to work for FIM CM 2010 without having to give the Users managing the FIM CM direct read against the users participating. Authenticated users doesn't seem to propogate through and I don't understand why.

  • Anonymous
    August 25, 2011
    Just to clarify. My issue is that when I search for users in FIM CM I currently have to have the give the logged in user specific Read permissions against the AD users I wish to manage.. Are you stating that this should be picked up through Authenticated Users ? I have installed fresh W2k8 R2 domains as test environments but I still seem to get this issue. I must be doing something potentially incorrect when I create the domain?