Re: Assigning Role to Group

Sree Tummidi

Yes, we do plan on mapping ORG & Space Roles to Groups in LDAP or via SAML.
At this time, the only scope that can be mapped is cloud_controller.admin
as it's defined as an OAuth scope for Cloud Controller.


On Thu, Jul 23, 2015 at 5:48 AM, Zakharov Alexey <
alexey.zakharov(a)> wrote:

Are there any plans to implement ORGs to LDAP groups binding later?
When I list group mappings, I can see a default mapping, which forces me
to think you are planning to do something like that:

$ uaac group mappings
organizations.acme: cn=test_org,ou=people,o=springsource,o=org

Alexey Zakharov | CloudFoundry Team | Altoros
Tel: (617) 841-2121 ext. 5704 | Toll free: 855-ALTOROS
Fax: (866) 201-3646 | Skype: alexey.zakharov.a

On Jul 22, 2015, at 18:05, Filip Hanik <fhanik(a)> wrote:

To elaborate a bit more, at this time the cloud controller maintains its
own roles and ACLs in the CC database.


On Wednesday, July 22, 2015, Sree Tummidi <stummidi(a)> wrote:

This support is not yet available


Sent from my iPad

On Jul 22, 2015, at 4:35 AM, Daniel Mikusa <dmikusa(a)> wrote:

On Wed, Jul 22, 2015 at 3:27 AM, Zakharov Alexey <
alexey.zakharov(a)> wrote:

> Hi guys!
> Sorry if my question is newbie or it was discussed before.
> I want to use LDAP for users authentication/authorisation. And I've
> successfully bound CF to LDAP, and managed to configure uaac group mappings.
> But then I realised that there is no way to assign a Role to that group.
> 'cf set-org-role' accepts only usernames as parameter, but not groups. I
> think assigning Developer role to group is more flexible than assigning it
> to every particular user.
> Are you going to add this feature later? Or maybe there is another way
> to do group binding?

Have you looked at the `uaac` tool? I'm not quite sure I understand what
you're trying to do, but you can map an LDAP group DN to a UAA group with
`uaac`. Then if a user in that LDAP group logs in, they'll have that uaa
group. Is that what you're looking to do?


uaac group map --name cloud_controller.admin "GROUP-DISTINGUISHED-NAME"

Or are you asking about mapping LDAP groups to CF org & space roles? i.e.
user in ldap group X is automatically given the OrgManager role in org Y.


Hi Dan!

Yes, as I’ve stated before, I’ve already managed to configure group mappings using ‘uaac group map’.

And now I want to bind group members to Organizations and Spaces. Is it possible to do?

Sorry, missed that in your original post. Last I heard no you couldn't
do this mapping, but that was a while ago though. Maybe someone on the
Identity team could confirm.


cf-dev mailing list
