CF CLI commands for listing or adding network policies fails with do not include allowed scopes [network.admin network.write]
Article ID: 298027

Products

VMware Tanzu Application Service for VMs

Issue/Introduction

Using CF CLI, adding or listing network policies fails with the following error:
» cf network-policies
Listing network policies in org yug / space dev as test-user...
provided scopes [openid uaa.user cloud_controller.read password.write cloud_controller.write] do not include allowed scopes [network.admin network.write]
From the error above, test-user is the user missing the required scopes [network.admin network.write].

Environment

Product Version: 2.7

Resolution

  • Check the current scopes for test-user (requires targeting CF's UAA and obtaining a token)
    • High-level steps
      • SSH to the Ops Manager VM and target CF's UAA using the following commands:
        • uaac target uaa.pivotal.io --skip-ssl-validation
        • uaac token client get admin -s <UAA-Admin-Client-Credentials>
        • uaac user get <user-name> | grep -iE 'display: '
      • <UAA-Admin-Client-Credentials> can be found in the Ops Manager UI -> PAS/TAS tile -> Credentials -> UAA -> Admin Client Credentials

Example:
uaac user get test-user | grep -iE 'display: '
    display: actuator.read
    display: uaa.offline_token
    display: password.write
    display: oauth.approvals
    display: uaa.user
    display: cloud_controller.user
    display: cloud_controller.write
    display: scim.me
    display: notification_preferences.write
    display: cloud_controller.read
    display: user_attributes
    display: roles
    display: profile
    display: approvals.me
    display: cloud_controller_service_permissions.read
    display: notification_preferences.read
    display: openid
  • From the output, you can see that the scopes [network.admin network.write] are missing. The next step is to add the required scopes (network.admin alone should be sufficient, but you can assign both scopes to the user).
  • Add the required scopes
    • Run the following commands to add scopes:
      • uaac member add network.admin test-user
      • uaac member add network.write test-user
  • After adding the scopes, the user must log out once (cf logout) for the changes to take effect.
  • Log in as test-user again and verify that you can list or add network policies for c2c (container-to-container) networking:
cf network-policies
Listing network policies in org yug / space dev as test-user...

source   destination   protocol   ports   destination space   destination org
Note: Sometimes the required scopes are already present; in that case, log out and log back in to make sure the changes have taken effect.
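The check-and-grant steps above, as an added shell example that is not part of the original article: it parses the `display:` lines of `uaac user get` output, reports which of the two required scopes are absent, and prints the corresponding `uaac member add` commands instead of running them, so an operator can review what would change before granting anything. The sample output below is constructed and deliberately lacks both scopes; `uaac` itself is not invoked.

```shell
#!/bin/sh
# Scopes the cf network-policies command requires (from the error in the article).
REQUIRED_SCOPES="network.admin network.write"

# Read `uaac user get <user>` output on stdin and emit one scope name per line.
extract_scopes() {
  grep -iE 'display: ' | sed -E 's/^[[:space:]]*display:[[:space:]]*//'
}

# Emit each required scope that does not appear in the uaac output on stdin.
missing_scopes() {
  have=$(extract_scopes)
  for s in $REQUIRED_SCOPES; do
    # -x: whole-line match, -F: literal (the dot in network.admin is not a regex).
    printf '%s\n' "$have" | grep -qxF "$s" || printf '%s\n' "$s"
  done
}

# Emit the uaac commands that would grant the missing scopes to the given user.
grant_commands() {
  user="$1"
  missing_scopes | while read -r s; do
    printf 'uaac member add %s %s\n' "$s" "$user"
  done
}

# Constructed sample, shaped like the article's `uaac user get test-user` listing
# but with only a subset of scopes; neither network.* scope is present.
SAMPLE_OUTPUT='  display: uaa.user
  display: cloud_controller.read
  display: cloud_controller.write
  display: openid
  display: password.write'

# Stand-alone run: print the commands an operator would need for test-user.
printf '%s\n' "$SAMPLE_OUTPUT" | grant_commands test-user
```

To use it against a real foundation, pipe the output of `uaac user get <user-name>` (after `uaac target` and `uaac token client get` as in the resolution steps) into `grant_commands <user-name>`.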