Re: Mapping ORGs and Space permissions via LDAP

Alexander Lomov <alexander.lomov@...>

Hey, Mark.

At the moment there is no way to control access to orgs or spaces using UAA scopes.

You can find the list of currently available UAA scopes here [1]. To control org or space access you need something like a zone id for an org or space, but I don’t know of a way to create such a binding right now. I suppose the feature development is in progress.

Since you added UAA-LDAP integration, you can log in with an LDAP user. After that you can control user access with CF roles [2], and this process does not involve UAA.

We also use the cf-mgmt tool [3] to automate LDAP user binding with orgs/spaces on some of our projects. You may find it useful.

Best wishes,
Alex L.

[1] <>
[2] <>
[3] <>

On Feb 18, 2017, at 6:19 PM, Mark Coumounduros <mcoumounduros(a)> wrote:

Hey All,

I recently updated a Cloud Foundation to map CC admin permission to LDAP via this UAAC command:

uaac group map --name cloud_controller.admin "GROUP-DISTINGUISHED-NAME"

I now just want to fine-tune LDAP permissions to specific ORGs and/or Spaces. Is this possible? If so, how?
