The client and user credentials grants flows are special cases in Gluu Server, as they are technically not OIDC flows (OIDC spec doesn't define such flows). They are sort of legacy from oAuth2.0 we decide to implement for special niche tasks.
I'm not sure I fully understand your use-case, may be you could expand on this part, providing detailed step-by-step of the flow and/or diagram of it:
>But how can we specify which resources they are able to access? For users we can manage and retrieve claims, e.g. group memberships, and associate permissions that way. For clients I haven't found a way to do the same
If you need some way to know what scopes were allowed for a certain client, you may try to query the introspection endpoint, for one. Here is example of such query:
POST /oxauth/restv1/introspection HTTP/1.1
Authorization: Bearer 6ed2a554-baa5-4868-b02b-05a33c90c634
Content-Type: application/x-www-form-urlencoded; charset=utf-8
User-Agent: Paw/3.1.5 (Macintosh; OS X/10.12.6) GCDHTTPRequest
The `token` is access token you get from `/token` endpoint for this client initially. You use it in `Authorization: Bearer` as well in this request. The response will look like this:
So it will contain the list of scopes OP allowed this client to have access to. Hope this helps.
You assumption about interconnection between client and user was a miss, though. There is no way (at least supported and intended) to tie both together. Overall, such in-depth modifications involving changing attributes on entries directly in LDAP are not usually covered by Community Support and we can't hold responsibility for any disaster that may come from it. Please refrain from it unless there is no other way.