Re: Mapping ORGs and Space permissions via LDAP


Alexander Lomov <alexander.lomov@...>
 

Hey, Mark.

At the moment there is no way to control access to org or spaces using UAA scopes.

You can find the list of currently available UAA scopes here [1]. To control org or space access you would need something like a zone id for the org or space, but I don't know of a way to create such a binding right now. I suppose the feature development is in progress.

Since you added UAA-LDAP integration, you can log in with an LDAP user. After that you can control user access with CF roles [2], and this process does not involve UAA.

We also use the cf-mgmt tool [3] to automate LDAP user binding with orgs/spaces on some of our projects. You may find it useful.

Best wishes,
Alex L.

[1] https://docs.cloudfoundry.org/concepts/architecture/uaa.html#scopes
[2] https://docs.cloudfoundry.org/concepts/roles.html
[3] https://github.com/pivotalservices/cf-mgmt
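Added example, not part of the original thread or of cf-mgmt: a small POSIX sh script showing the per-user org/space role assignment Alex describes, driven by a mapping of LDAP usernames (as they appear in UAA after an LDAP login) to Cloud Foundry roles. It uses only the real cf CLI commands `cf set-org-role USER ORG ROLE` and `cf set-space-role USER ORG SPACE ROLE` and the role names documented in [2]. The org, space and user names are constructed for illustration, and the script assumes the cf CLI is already logged in as an admin; with CF_DRY_RUN=1 it prints the commands instead of running them, which is also how the stand-alone demo at the bottom works offline. Worth keeping in mind alongside it: `uaac group map --name cloud_controller.admin` gives full admin to every member of the mapped LDAP group, so the admin group should stay small and everyone else should get only org/space roles.

```shell
#!/bin/sh
# Added example (not from the original thread or cf-mgmt): grant Cloud Foundry
# org/space roles to LDAP-authenticated users via the cf CLI. Assumes the cf CLI
# is already logged in as an admin. CF_DRY_RUN=1 echoes commands instead of
# running them. All user/org/space names below are constructed for illustration.

# Role names as documented at docs.cloudfoundry.org/concepts/roles.html
ORG_ROLES="OrgManager BillingManager OrgAuditor"
SPACE_ROLES="SpaceManager SpaceDeveloper SpaceAuditor"

# run_cf ARGS...: execute cf, or echo the command line in dry-run mode
run_cf() {
    if [ "${CF_DRY_RUN:-0}" = "1" ]; then
        echo "cf $*"
    else
        cf "$@"
    fi
}

# contains LIST ITEM: succeed if ITEM is one of the whitespace-separated words in LIST
contains() {
    for w in $1; do
        [ "$w" = "$2" ] && return 0
    done
    return 1
}

# grant_org_role USER ORG ROLE: reject unknown role names before touching cf
grant_org_role() {
    contains "$ORG_ROLES" "$3" || { echo "invalid org role: $3" >&2; return 1; }
    run_cf set-org-role "$1" "$2" "$3"
}

# grant_space_role USER ORG SPACE ROLE
grant_space_role() {
    contains "$SPACE_ROLES" "$4" || { echo "invalid space role: $4" >&2; return 1; }
    run_cf set-space-role "$1" "$2" "$3" "$4"
}

# apply_mapping: read "user org space role" lines from stdin; space "-" means an
# org-level role. Blank lines and lines starting with # are skipped. Stops on
# the first invalid role so a typo never silently grants nothing.
apply_mapping() {
    while read -r user org space role; do
        case "$user" in ''|'#'*) continue ;; esac
        if [ "$space" = "-" ]; then
            grant_org_role "$user" "$org" "$role" || return 1
        else
            grant_space_role "$user" "$org" "$space" "$role" || return 1
        fi
    done
}

# Constructed sample mapping (hypothetical LDAP users, org and spaces).
SAMPLE_MAPPING='# user             org        space    role
alice@example.com  payments   -        OrgManager
bob@example.com    payments   dev      SpaceDeveloper
carol@example.com  payments   prod     SpaceAuditor'

# Stand-alone run: show the commands the sample mapping would produce, without
# calling cf. Remove CF_DRY_RUN=1 (and keep a logged-in cf) to apply for real.
( CF_DRY_RUN=1; printf '%s\n' "$SAMPLE_MAPPING" | apply_mapping )
```

The mapping file is the piece to keep under version control and review, since it is the effective authorization policy for those orgs and spaces; cf-mgmt [3] does the same thing with YAML configuration and LDAP group lookups instead of a hand-maintained list.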

On Feb 18, 2017, at 6:19 PM, Mark Coumounduros <mcoumounduros(a)gmail.com> wrote:

Hey All,

I recently updated a Cloud Foundation to map CC admin permission to LDAP via this UAAC command:

uaac group map --name cloud_controller.admin "GROUP-DISTINGUISHED-NAME"

I now just want to fine-tune LDAP permissions to specific ORGs and/or Spaces. Is this possible, and if so, how?
