How FIM2010 CM & CLM 2007 search for users

  1. A user with FIM 2010/CLM/ILM management permissions logs on to the CM website, opens one of the search pages and clicks Search.
  2. The CLM Auth Agent service account (not the logged-on user) issues an LDAP query to a domain controller and retrieves all users matching the search criteria.
  3. The FIM code steps through the list returned by AD and, for each account, checks whether the logged-on user has read permissions on it; only accounts that pass this check are added to the result list.
  4. Once every account in the list has been checked, the filtered list is displayed to the logged-on user.

Two things have to be in place for a user to be displayed on the Search Results page when the search operation is performed:

  • the logged-on user (for example, the FIM admin) must have Read Properties permission on the account(s) being searched for in order for them to be displayed in the search results
  • the CLMAuthAgent service account must have the AD permissions and user rights defined in http://technet.microsoft.com/en-us/library/cc708677(WS.10).aspx, since it is the account that actually performs the LDAP query

If either of these is missing or incomplete, the returned list of users will be filtered accordingly or an error message will be returned. Following the steps above, a missing Read Properties permission on the logged-on user's side shows up as accounts silently absent from Search Results (step 3 drops them), while an under-privileged CLMAuthAgent account breaks the LDAP query itself (step 2) and is the more likely cause of an error on the search page.
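The following PowerShell script is an added diagnostic example, not Microsoft's FIM CM / CLM code. It replays the four steps above from an admin workstation so you can see which of the two conditions a "missing" account is failing: it runs the LDAP query under the CLM Auth Agent service account's credentials (condition 2) and then tests each returned object's ACL for a Read Properties grant to the logged-on user or any of that user's groups (condition 1). It assumes the RSAT ActiveDirectory module is installed, that the script runs as a domain account permitted to read the candidate objects' security descriptors, and that the account names and LDAP filter below are placeholders for your environment.

```powershell
<#
Added diagnostic example (not FIM CM / CLM product code). Replays the CM search
steps so an admin can see why an account is absent from Search Results.
Assumptions: RSAT ActiveDirectory module; the running account can read the
candidate objects' ACLs; the names and filter below are placeholders.
#>
param(
    [string]$LdapFilter       = '(&(objectCategory=person)(objectClass=user)(sn=Smith*))', # assumed search criteria
    [string]$AuthAgentAccount = 'CONTOSO\CLMAuthAgent',                                    # placeholder
    [string]$LoggedOnUser     = 'CONTOSO\fimadmin'                                         # placeholder
)

Import-Module ActiveDirectory -ErrorAction Stop

# Step 2: the LDAP query is issued by the CLM Auth Agent service account, not by the
# logged-on user, so run it under that account's credentials. If this call fails, the
# service account lacks the AD permissions/user rights from the TechNet article (condition 2).
$agentCred  = Get-Credential -UserName $AuthAgentAccount -Message 'CLM Auth Agent service account password'
$candidates = @(Get-ADUser -LDAPFilter $LdapFilter -Credential $agentCred)
Write-Host ("Step 2: AD returned {0} account(s) matching the filter" -f $candidates.Count)

# Step 3 needs the logged-on user's full token: their own SID plus every (nested) group
# SID, because Read Properties is usually granted to a group rather than to the admin.
$adminSam   = $LoggedOnUser.Split('\')[-1]
$adminObj   = Get-ADUser -Identity $adminSam -Properties tokenGroups
$adminSids  = @($adminObj.SID.Value) + @($adminObj.tokenGroups | ForEach-Object { $_.Value })
$adminSids += 'S-1-1-0', 'S-1-5-11'   # Everyone and Authenticated Users, which tokenGroups does not list

# Rights that satisfy a read-properties check on the whole object. An ObjectType of all
# zeros means the ACE covers every property; property-scoped ACEs are deliberately ignored
# here (simplification: a real access check also evaluates those and ACE ordering).
$readRights = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor
              [System.DirectoryServices.ActiveDirectoryRights]::GenericRead -bor
              [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

function Test-ReadProperties {
    param([string]$DistinguishedName, [string[]]$Sids)
    $acl     = Get-Acl -Path ("AD:\" + $DistinguishedName)   # AD: drive comes with the AD module
    $allowed = $false
    foreach ($ace in $acl.Access) {
        if (($ace.ActiveDirectoryRights -band $readRights) -eq 0) { continue }
        if ($ace.ObjectType -ne [guid]::Empty) { continue }        # property-scoped ACE, skipped
        try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }                                         # orphaned SID, cannot match the user
        if ($Sids -notcontains $sid) { continue }
        if ($ace.AccessControlType -eq 'Deny') { return $false }   # a matching Deny overrides any Allow
        $allowed = $true
    }
    return $allowed
}

# Steps 3 and 4: keep only the accounts the logged-on user can read; explain the rest.
$visible = foreach ($u in $candidates) {
    if (Test-ReadProperties -DistinguishedName $u.DistinguishedName -Sids $adminSids) {
        $u
    } else {
        Write-Warning ("{0} is filtered out: {1} has no Read Properties grant on it (condition 1)" -f $u.SamAccountName, $LoggedOnUser)
    }
}
Write-Host ("Step 4: Search Results would show {0} of {1} account(s)" -f @($visible).Count, $candidates.Count)
$visible | Select-Object SamAccountName, DistinguishedName | Format-Table -AutoSize
```

Run it as a domain admin (or another account that can read the target objects' security descriptors) and supply the service account's password when prompted. A failure at the Get-ADUser call points at the CLMAuthAgent configuration; warnings from Test-ReadProperties point at missing Read Properties ACEs for the FIM admin or one of that admin's groups. The ACL test is a simplified approximation of the Windows access check (it ignores property-scoped ACEs and ACE ordering), so treat a warning as a lead to confirm in the object's Security tab rather than as proof.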

Installing and Configuring CLM 2007 on a Server
http://technet.microsoft.com/en-us/library/cc708677(WS.10).aspx

A hotfix rollup package (build 3.3.1118.02) is available for Identity Lifecycle Manager 2007 Feature Pack 1
http://support.microsoft.com/kb/969742