Re: Mapping ORGs and Space permissions via LDAP


Alexander Lomov <alexander.lomov@...>
 

Hey, Mark.

At the moment there is no way to control access to org or spaces using UAA scopes.

You can find list of currently available UAA scopes here [1]. To control org or spaces access you need something like zone id for org or space, but I don’t know the way to create such binding right now. I suppose the feature development is in progress.

Since you added UAA-LDAP integration, you can log in with LDAP user. After that you can control user access by CF roles [2] and this process does not involve UAA.

We also use cf-mgmt tool [3] to automate LDAP user binding with org/spaces on some of our projects. You may find it useful.

Best wishes,
Alex L.

[1] https://docs.cloudfoundry.org/concepts/architecture/uaa.html#scopes <https://docs.cloudfoundry.org/concepts/architecture/uaa.html#scopes>
[2] https://docs.cloudfoundry.org/concepts/roles.html <https://docs.cloudfoundry.org/concepts/roles.html>
[3] https://github.com/pivotalservices/cf-mgmt <https://github.com/pivotalservices/cf-mgmt>

On Feb 18, 2017, at 6:19 PM, Mark Coumounduros <mcoumounduros(a)gmail.com> wrote:

Hey All,

I recently updated a Cloud Foundation to map CC admin permission to LDAP via this UAAC command:

uaac group map --name cloud_controller.admin "GROUP-DISTINGUISHED-NAME"

I now just want to fine tune LDAP permission to specific ORGs and/or Spaces. Is this possible, if so, how?

Join cf-dev@lists.cloudfoundry.org to automatically receive all group messages.