Re: Granting more privileges to non-admin users

Nicholas Calugar

Hi Bernd,

Unfortunately, we don’t have a better way to delegate registration of
service brokers or creation of organizations at the current time. There is
a long-term goal to allow for dynamic fine-grained access control to Cloud
Controller resources, but this work is not scoped or prioritized to be
worked on.


Nicholas Calugar
Product Manager - Cloud Foundry API
Pivotal Software, Inc.

On January 9, 2017 at 10:05:57 AM, Krannich, Bernd (bernd.krannich(a)

Hi all,

There are certain CF functionalities that require admin privileges to
configure them using the CF CLI which we would like to delegate to other
internal teams. One example is the registration of service brokers that
should be visible for the entire CF installation. Another one is the
creation of CF organizations and assignment of OrgManagers and quotas.

Of course, none of the above should be available for all users (so the
feature flag user_org_creation doesn’t solve our example #2 above) but
there’s a certain set of users we trust to responsibly use those

On the other hand, we don’t want to hand out Cloud Foundry admin users to
those people because that gives you “all keys to the kingdom”.

Are there any best practices for such scenarios? Of course, one could write
a dedicated self-service app with separate authentication, but maybe there’s
another/better way.

Thanks in advance,


*Bernd Krannich*

SAP HANA Cloud Platform


Dietmar-Hopp-Allee 16, 69190 Walldorf, Germany

T +49 6227 7-66220, F +49 6227 78-23923, E bernd.krannich(a)
