Re: Mapping ORGs and Space permissions via LDAP


Dieu Cao <dcao@...>

This has been a long requested feature.
We've recently started to have more active conversations about this between
CAPI and UAA teams and we hope to be able to share a proposal addressing
this once an approach has been agreed on in the next month or two.

-Dieu
CF Runtime PMC Lead

On Sun, Feb 19, 2017 at 4:33 AM, Alexander Lomov <alexander.lomov(a)altoros.com> wrote:

Hey, Mark.

At the moment there is no way to control access to orgs or spaces using UAA
scopes.

You can find the list of currently available UAA scopes here [1]. To control
org or space access you would need something like a zone id for the org or
space, but I don't know of a way to create such a binding right now. I suppose
the feature development is in progress.

Since you added UAA-LDAP integration, you can log in as an LDAP user. After
that you can control user access with CF roles [2], and this process does not
involve UAA.

We also use the cf-mgmt tool [3] to automate binding LDAP users to orgs/spaces
on some of our projects. You may find it useful.

Best wishes,
Alex L.

[1] https://docs.cloudfoundry.org/concepts/architecture/uaa.html#scopes
[2] https://docs.cloudfoundry.org/concepts/roles.html
[3] https://github.com/pivotalservices/cf-mgmt

On Feb 18, 2017, at 6:19 PM, Mark Coumounduros <mcoumounduros(a)gmail.com> wrote:

Hey All,

I recently updated a Cloud Foundry deployment to map CC admin permissions to
LDAP via this UAAC command:

uaac group map --name cloud_controller.admin "GROUP-DISTINGUISHED-NAME"

I now just want to fine-tune LDAP permissions to specific orgs and/or
spaces. Is this possible, and if so, how?
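The approach Alex describes above (log in once as the LDAP user so the Cloud Controller knows the account, then grant org and space roles with the cf CLI rather than through UAA scopes) as an added example script, not code from the thread or from cf-mgmt. It wraps `cf set-org-role` / `cf set-space-role`, rejects role names the CLI does not accept, and applies a simple "user org space role" mapping file. The user, org and space names are hypothetical, the mapping file format is an assumption made for this example, and the CF_BIN variable exists only so a stub can stand in for the real `cf` binary in a dry run.

```sh
#!/bin/sh
# Added example (not part of the original thread): grant CF org/space
# roles to LDAP-backed users with the cf CLI. The user must already be
# known to the Cloud Controller (e.g. has logged in once via UAA/LDAP).
# CF_BIN is an assumption of this script so a test or dry run can
# substitute a stub for the real `cf` binary.
CF_BIN="${CF_BIN:-cf}"

# Role names accepted by `cf set-org-role` and `cf set-space-role`.
ORG_ROLES="OrgManager BillingManager OrgAuditor"
SPACE_ROLES="SpaceManager SpaceDeveloper SpaceAuditor"

# is_in WORD "LIST": succeed if WORD is one of the space-separated entries.
is_in() {
    for _w in $2; do
        [ "$_w" = "$1" ] && return 0
    done
    return 1
}

# assign_org_role USER ORG ROLE
assign_org_role() {
    is_in "$3" "$ORG_ROLES" || { echo "invalid org role: $3" >&2; return 2; }
    "$CF_BIN" set-org-role "$1" "$2" "$3"
}

# assign_space_role USER ORG SPACE ROLE
assign_space_role() {
    is_in "$4" "$SPACE_ROLES" || { echo "invalid space role: $4" >&2; return 2; }
    "$CF_BIN" set-space-role "$1" "$2" "$3" "$4"
}

# apply_role_map FILE: one assignment per line, "user org space role";
# use "-" in the space column for org-level roles. Blank lines and lines
# starting with # are skipped. Returns 0 only if every line was applied;
# rejected lines are reported on stderr and do not stop the run.
apply_role_map() {
    _failed=0
    while read -r user org space role; do
        case "$user" in ''|'#'*) continue ;; esac
        if [ "$space" = "-" ]; then
            assign_org_role "$user" "$org" "$role" || _failed=1
        else
            assign_space_role "$user" "$org" "$space" "$role" || _failed=1
        fi
    done < "$1"
    return $_failed
}

# Usage: ./cf-roles.sh roles.txt   (after `cf login` as an org manager/admin)
if [ "$#" -gt 0 ]; then
    apply_role_map "$1"
fi
```

Because role names are validated locally, a typo in the mapping file is reported instead of being sent to the API, and a dry run can be done by pointing CF_BIN at a script that just echoes its arguments.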

