Revoke Admin Access from LDAP User

Article ID: 370157


Products

VMware Tanzu Application Service

Issue/Introduction

Revoking admin access is a task that can be requested at any time. This article explains how to do it using LDAP.

Environment

TAS with LDAP

Cause

cf set-space-role one_user one-org one-space SpaceDeveloper

Resolution

If the user belongs to an LDAP group that has been mapped to the admin scopes as explained in the docs, move that user to a different group in LDAP or, if no other users belong to that group, unmap the group as follows.

uaac group unmap scim.read "GROUP-DISTINGUISHED-NAME"
uaac group unmap scim.write "GROUP-DISTINGUISHED-NAME"
uaac group unmap cloud_controller.admin "GROUP-DISTINGUISHED-NAME"


Then the user can be assigned to spaces as a SpaceDeveloper, for example:

cf set-space-role one_user one-org one-space SpaceDeveloper


If the user is a direct member of the admin groups (cloud_controller.admin, uaa.admin, scim.read, and scim.write), remove the user from each of those groups as follows to make it a normal user.

uaac member delete cloud_controller.admin one_user
uaac member delete uaa.admin one_user
uaac member delete scim.read one_user
uaac member delete scim.write one_user
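The direct-membership revocation above as a re-runnable script, added here as an example and not part of the original article or the uaac tool: it removes the user from all four admin groups and then confirms that none of them still appear in the user's UAA record. It assumes `uaac` is on PATH and already targeted and authenticated with a client that holds scim.write, and that the verification can rely on a literal search for the group names in `uaac user get` output.

```shell
#!/bin/sh
# Added example (not from the original article): revoke a UAA user's direct
# admin group membership and verify that nothing is left behind.
# Assumes `uaac` is targeted and authenticated with scim.write.

# The admin groups named in the article.
ADMIN_GROUPS="cloud_controller.admin uaa.admin scim.read scim.write"

# Remove USER from every admin group. A failed delete (for example, when the
# user is not a member) is reported as a warning and the loop continues, so
# the function can be re-run safely. Returns the number of failed deletes.
revoke_admin() {
  user="$1"
  failed=0
  for group in $ADMIN_GROUPS; do
    if uaac member delete "$group" "$user" >/dev/null 2>&1; then
      echo "removed $user from $group"
    else
      echo "warning: could not remove $user from $group" >&2
      failed=$((failed + 1))
    fi
  done
  return $failed
}

# Return 0 only when the user's UAA record no longer mentions any admin
# group; 1 when a group is still present; 2 when the record cannot be read.
# Assumption: the group display names appear literally in the record.
verify_no_admin() {
  user="$1"
  record=$(uaac user get "$user") || return 2
  for group in $ADMIN_GROUPS; do
    # -F: literal match (dots are not wildcards); -w: whole name only
    if printf '%s\n' "$record" | grep -Fqw "$group"; then
      echo "still present on $user: $group" >&2
      return 1
    fi
  done
  return 0
}

# Usage: revoke_admin one_user && verify_no_admin one_user
```

Run the verification step after the group unmapping path as well; a user who keeps an admin scope through an LDAP group mapping will still show it in the record.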