Permalink
Fetching contributors…
Cannot retrieve contributors at this time
135 lines (92 sloc) 5.22 KB
---
title: Managing Access to Service Plans
owner: Core Services
---
<strong><%= modified_date %></strong>
All new service plans from standard brokers are private by default. This means that when adding a new broker, or when adding a new plan to an existing broker's catalog, service plans won't immediately be available to end users. This lets an admin control which service plans are available to end users, and manage limited service availability.
Space-scoped brokers are registered to a specific space, and all users within that space can automatically access the broker's service plans. With space-scoped brokers, service visibility is not managed separately.
## <a id='prerequisites'></a>Prerequisites ###
- CLI v6.4.0
- Cloud Controller API v2.9.0 (cf-release v179)
- Admin user access; the following commands can be run only by an admin user
## <a id='display-access'></a>Display Access to Service Plans ###
The `service-access` CLI command enables an admin to see the current access control setting for every service plan in the marketplace, across all service brokers.
<pre class="terminal">
$ cf service-access
getting service access as admin...
broker: elasticsearch-broker
service plan access orgs
elasticsearch standard limited
broker: p-mysql
service plan access orgs
p-mysql 100mb-dev all
</pre>
The `access` column shows values `all`, `limited`, or `none`, defined as follows:
* `all` - The service plan is available to all users, or _public_.
* `none` - No one can use the service plan; it is _private_.
* `limited` - The plan is available only to users within the orgs listed.
The `-b`, `-e`, and `-o` flags let you filter by broker, service, and org.
<pre class="terminal">
$ cf help service-access
NAME:
service-access - List service access settings
USAGE:
cf service-access [-b BROKER] [-e SERVICE] [-o ORG]
OPTIONS:
-b access for plans of a particular broker
-e access for plans of a particular service offering
-o plans accessible by a particular org
</pre>
## <a id='enable-access'></a>Enable Access to Service Plans ###
Admins use the `cf enable-service-access` command to give users access to service plans. The command grants access at the org level or across all orgs.
When an org has access to a plan, its users see the plan in the services marketplace (`cf marketplace`) and its Space Developer users can provision instances of the plan in their spaces.
#### Enable Access to a Subset of Users
The `-p` and `-o` flags to `cf enable-service-access` let the admin limit user access to specific service plans or orgs as follows:
- `-p PLAN` grants all users access to one service plan (access:`all`)
- `-o ORG` grants users in a specified org access to all plans (access: `limited`)
- `-p PLAN -o ORG` grants users in one org access to one plan (access: `limited`)
For example, the following command grants the org dev-user-org access to the p-mysql service.
<pre class="terminal">
$ cf enable-service-access p-mysql -o dev-user-org
Enabling access to all plans of service p-mysql for the org dev-user-org as admin...
OK
$ cf service-access
getting service access as admin...
broker: p-mysql
service plan access orgs
p-mysql dev-user-org
</pre>
Run `cf help enable-service-access` to review these options from the command line.
Running `cf enable-service-access SERVICE-NAME` without any flags lets all users access every plan carried by the service. For example, the following command grants all-user access to all `p-mysql` service plans:
<pre class="terminal">
$ cf enable-service-access p-mysql
Enabling access to all plans of service p-mysql for all orgs as admin...
OK
$ cf service-access
getting service access as admin...
broker: p-mysql
service plan access orgs
p-mysql 100mb-dev all
</pre>
## <a id='disable-access'></a>Disable Access to Service Plans ###
Admins use the `cf disable-service-access` command to disable user access to service plans. The command denies access at the org level or across all orgs.
#### Disable Access to All Plans for All Users
Running `cf disable-service-access SERVICE-NAME` without any flags disables all user access to all plans carried by the service. For example, the following command denies any user access to all `p-mysql` service plans:
<pre class="terminal">
$ cf disable-service-access p-mysql
Disabling access to all plans of service p-mysql for all orgs as admin...
OK
$ cf service-access
getting service access as admin...
broker: p-mysql
service plan access orgs
p-mysql 100mb-dev none
</pre>
#### Disable Access for Specific Orgs or Plans
The `-p` and `-o` flags to `cf disable-service-access` let the admin deny access to specific service plans or orgs as follows:
- `-p PLAN` disables user access to one service plan
- `-o ORG` disables access to all plans for users in a specified org
- `-p PLAN -o ORG` prevents users in one org from accessing one plan
Run `cf help disable-service-access` to review these options from the command line.
### Limitations ####
- You cannot disable access to a service plan for an org if the plan is currently available to all orgs. You must first disable access for all orgs; then you can enable access for a particular org.