
Binding Application Security Groups by organization admin

Open kinjelom opened this issue 4 years ago • 3 comments

Issue

My goal is to create definitions of security groups as a CF admin and let an organization admin bind them to his spaces. For example, there are 2 orgs, orgA and orgB, and 4 user-provided services:

  • orgA-dbProd
  • orgA-dbDev
  • orgB-dbProd
  • orgB-dbDev

I want to create them as the CF admin:

# orgA
cf create-security-group orgA-dbProd ./orgA-dbProd.json
cf create-security-group orgA-dbDev ./orgA-dbDev.json
# orgB
cf create-security-group orgB-dbProd ./orgB-dbProd.json
cf create-security-group orgB-dbDev ./orgB-dbDev.json

and give the org admins rights to bind them to the org spaces:

# orgA
cf allow-bind-security-group orgA-dbProd orgA
cf allow-bind-security-group orgA-dbDev orgA
# orgB
cf allow-bind-security-group orgB-dbProd orgB
cf allow-bind-security-group orgB-dbDev orgB

and now the CF admin should be able to bind them to the selected spaces.

Context

As the CF admin I don't want to have knowledge about the org's space configuration. My responsibility is to configure the org level and let the org admin do his own config.

kinjelom, Sep 13 '19 14:09
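The commands in the issue only name the four rule files; they do not show what an ASG rule file contains or how the admin-side flow that exists today (create the group, then bind it per org and space) fits together. The following is an added example, not code from cloud_controller_ng or the cf CLI. It uses the documented ASG rule-file format (a JSON array of objects with protocol, destination, ports and description), checks each rule against a least-privilege budget before it would be created (no protocol "all", a bounded destination range, an explicit and short port list), and emits the cf commands the CF admin would run. The rule contents, org and space names are constructed, and the `cf bind-security-group ... --space` form assumes cf CLI v7+ syntax.

```python
"""Validate Cloud Foundry ASG rule files and emit the admin-side cf commands.

Added example for this issue; not cloud_controller_ng or cf CLI code.
Rule contents below are constructed (the issue only names the files).
"""
import ipaddress

# Constructed sample rule files for the four groups named in the issue,
# plus one deliberately over-broad file to show what the check rejects.
SAMPLE_FILES = {
    "orgA-dbProd.json": [{"protocol": "tcp", "destination": "10.0.11.0/24",
                          "ports": "5432", "description": "orgA prod Postgres"}],
    "orgA-dbDev.json": [{"protocol": "tcp", "destination": "10.0.12.10",
                         "ports": "5432", "description": "orgA dev Postgres"}],
    "orgB-dbProd.json": [{"protocol": "tcp", "destination": "10.0.21.0-10.0.21.15",
                          "ports": "3306", "description": "orgB prod MySQL"}],
    "orgB-dbDev.json": [{"protocol": "tcp", "destination": "10.0.22.0/28",
                         "ports": "3306,33060", "description": "orgB dev MySQL"}],
    "too-broad.json": [{"protocol": "all", "destination": "0.0.0.0/0"}],
}


def destination_size(dest):
    """Number of addresses an ASG destination covers.
    Accepts the three forms ASGs allow: single IP, CIDR block, or 'a-b' range."""
    if "-" in dest:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in dest.split("-", 1))
        if hi < lo:
            raise ValueError(f"inverted range {dest}")
        return int(hi) - int(lo) + 1
    return ipaddress.ip_network(dest, strict=False).num_addresses


def port_count(ports):
    """Count the ports a 'p', 'p,q' or 'p-q' spec opens; reject out-of-range values."""
    total = 0
    for part in ports.split(","):
        lo, _, hi = part.strip().partition("-")
        lo_i, hi_i = int(lo), int(hi or lo)
        if not 1 <= lo_i <= hi_i <= 65535:
            raise ValueError(f"bad port spec {part!r}")
        total += hi_i - lo_i + 1
    return total


def validate_rules(rules, max_addresses=256, max_ports=16):
    """Return a list of problems; an empty list means the rules fit a narrow DB ASG."""
    problems = []
    for i, rule in enumerate(rules):
        proto = rule.get("protocol")
        if proto not in ("tcp", "udp", "icmp", "all"):
            problems.append(f"rule {i}: unknown protocol {proto!r}")
            continue
        if proto == "all":
            problems.append(f"rule {i}: protocol 'all' opens every port; name tcp/udp explicitly")
        try:
            size = destination_size(rule.get("destination", ""))
        except ValueError as exc:
            problems.append(f"rule {i}: bad destination ({exc})")
        else:
            if size > max_addresses:
                problems.append(f"rule {i}: destination covers {size} addresses (limit {max_addresses})")
        if proto in ("tcp", "udp"):
            if "ports" not in rule:
                problems.append(f"rule {i}: {proto} rule without 'ports'")
            else:
                try:
                    opened = port_count(rule["ports"])
                except ValueError as exc:
                    problems.append(f"rule {i}: {exc}")
                else:
                    if opened > max_ports:
                        problems.append(f"rule {i}: opens {opened} ports (limit {max_ports})")
    return problems


def plan_commands(org, bindings, files=SAMPLE_FILES):
    """Admin-side flow that exists today: create each validated group, then bind it
    to the listed spaces. bindings maps group name -> list of spaces in `org`.
    Raises ValueError instead of emitting commands for a group that fails validation."""
    cmds = []
    for group, spaces in bindings.items():
        fname = f"{group}.json"
        problems = validate_rules(files[fname])
        if problems:
            raise ValueError(f"{fname}: " + "; ".join(problems))
        cmds.append(f"cf create-security-group {group} ./{fname}")
        for space in spaces:
            # Assumes cf CLI v7+ syntax; v6 took the space as a positional argument.
            cmds.append(f"cf bind-security-group {group} {org} --space {space}")
    return cmds


if __name__ == "__main__":
    for cmd in plan_commands("orgA", {"orgA-dbProd": ["prod"], "orgA-dbDev": ["dev", "test"]}):
        print(cmd)
    print("too-broad.json:", validate_rules(SAMPLE_FILES["too-broad.json"]))
```

The validation step is the part worth keeping whatever the binding model ends up being: if org admins are later allowed to bind groups themselves, the CF admin's control reduces to what the rule files permit, so the budget on destination size and port count is the place to enforce that a "dbProd" group really only reaches the database.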

We have created an issue in Pivotal Tracker to manage this:

https://www.pivotaltracker.com/story/show/168480381

The labels on this github issue will be updated when the story is started.

cf-gitbot, Sep 13 '19 14:09

@ssisil & @Gerg any thoughts here? Security groups are somewhere in VAT's backlog for v3ification, but I don't know how much we've thought about something like allow-bind-security-group.

cwlbraa, Sep 13 '19 21:09

This flow reminds me of isolation segments. Isolation segments are admin-managed, but can be entitled to organizations, which then allows org-level configuration.

Gerg, Sep 19 '19 21:09