How to restrict permissions of LDAP users?

Hi,

I configured authentication via LDAP because I want users to log in with their central account.

How can I change the default permissions a user gets after the first login?
I basically want the user to

  • have only read permissions on global and cluster level
  • be able to create new projects (and then be the owner of them)
  • only see his projects (or the projects to which they are assigned as a member)

Thanks in advance!