Hello!
There are a few things, assuming users are also authenticated via OTK:
- the policy 'OTK User Attribute Look Up' sets the role of the current user. That policy can be modified to retrieve the role (and other attributes) via an LDAP call
- the assertion 'OTK Require OAuth 2.0 Token', used at an API (service call policy), sets a variable '${session.subscriber_id}', which is the username of the user who granted the access_token
- that variable can be used with 'OTK User Attribute Look Up' to retrieve the current role '${current.user.role}'
If you have a look at the default implementation of '/userinfo' you can see how it is used.
With that, you are able to grant or deny access to certain APIs. The assertion also sets '${current.user.attributes}' which can be used to make decisions.
I hope that helps,
Sascha