cyberark / conjur-service-broker

Implementation of the Open Service Broker API for Conjur


Question: Do Apps get added to the space group in conjur automatically?

TheSecMaven opened this issue · comments

We are considering moving to app identity rather than space, so that we have each app in pcf authenticate separately. However, we want to manage access at the whole space, so we don't have to manually add authorizations for each app as they get pushed again and all that.

Is there a group that gets created for each pcf <org guid>/<space guid> that we can use? And if that group DOES get created, would the host <org guid>/<space guid>/<app guid> be added BY the conjur service broker to the group <org guid>/<space guid>?

@mkkeffeler My response is guided by the documentation in the README.md, see https://github.com/cyberark/conjur-service-broker/blob/master/README.md#organization-and-space-layers.

For VMWare Tanzu Application Service (TAS) or Pivotal Cloud Foundry (PCF) 2.0+, when the service broker is provisioned in a space, it automatically creates policy branches and layers for the org and space. See below for more information on using these org and space layers to permit access to secrets in Conjur.

Layers (which are semantically similar to groups) are definitely created for each org and space on provisioning.

In TAS or PCF version 2.0+, when the service broker creates the identity for your application in Conjur, it automatically adds it to a Conjur Layer representing the Organization and Space where the application is deployed. These layers may be used to control secret access at the org or space level, rather than the application host itself.

Application-scoped Identity
When space identities are not enabled, the service broker creates a new Conjur host identity for each application bound to the service. This requires that the service broker is able to communicate with the Conjur master for each bind request.

The advantage to this is finer-grained access control and audit logs in Conjur.

Application host identities may be permitted to access secrets at the org and space level or at the application level.

When space identities are not enabled, the app gets a dedicated host that is added to both the org and space layers. I believe this meets your requirements to manage access at the whole space, without manually adding authorizations for each app as they get pushed.

I'd like to highlight and reiterate that using application-scoped identity requires that the service broker is able to communicate with the Conjur master for each bind request.
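The layer/host shape described in the answer above, as an added illustration in Conjur policy YAML (not the service broker's generated policy; ORG-GUID, SPACE-GUID, APP-GUID and myapp-secrets are placeholders): the app host is a member of the space layer and the org layer, and the secret is permitted to the space layer rather than to each host, so any host that is a member of the layer can read it without a per-host permit.

```yaml
# Added illustration of the org/space layer pattern, not the broker's own policy.
# ORG-GUID, SPACE-GUID and APP-GUID stand in for the real Cloud Foundry GUIDs.
- !policy
  id: ORG-GUID
  body:
    # Unnamed layer inside a policy takes the policy id: ORG-GUID
    - !layer

    - !policy
      id: SPACE-GUID
      body:
        # Space layer: ORG-GUID/SPACE-GUID. Grant access here, not per app.
        - !layer

        # One host per bound application (application-scoped identity):
        # full id ORG-GUID/SPACE-GUID/APP-GUID
        - !host APP-GUID

        # The app host is a member of the space layer
        - !grant
          role: !layer
          member: !host APP-GUID

    # The same host is also a member of the org layer
    - !grant
      role: !layer
      member: !host SPACE-GUID/APP-GUID

# Secrets live in their own branch
- !policy
  id: myapp-secrets
  body:
    - !variable db/password

# Permit the space layer, not individual hosts: every host that is a
# member of the layer can fetch the secret; hosts outside it cannot.
- !permit
  role: !layer ORG-GUID/SPACE-GUID
  privileges: [ read, execute ]
  resource: !variable myapp-secrets/db/password
```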

Closing this issue in the wake of the response above. Please know that we've also got Discourse, which is a great place for general purpose questions and discussions of this kind.