Hello!
In OTK you would not use OAuth SCOPE for user-based access control. SCOPE is meant for clients (applications). Instead, you would add attributes about your users in your LDAP. Once done, you can then use this knowledge in an API to restrict access.
For example:
- LDAP, user: Sascha, attribute: 'methods_supported = POST GET'
- In OTK configure 'OTK User Attribute Look Up' to connect to your LDAP
- In your API use these assertions:
.... OTK Require OAuth 2.0 Token --> this will set '${session.subscriber_id}', which is the username of the current OAuth session
.... OTK User Attribute Look Up --> use '${session.subscriber_id}' as input. The output will be whatever you have configured for it to expose
.... compare(required method, methods valid for user) --> if successful, continue, otherwise fail
Of course, the LDAP does not need to be used, it could also be a table in a database.
I hope this helps!
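The check described in the answer above, as an added example that is not part of the original post and not OTK product code: a small Python simulation of the policy flow. A dict stands in for the LDAP entries returned by 'OTK User Attribute Look Up', the DIRECTORY / parse_methods / lookup_methods / authorize names are assumptions made for this example, and the gateway values ${session.subscriber_id} and the request's HTTP method are passed in as plain strings. It goes slightly beyond the post by spelling out the deny-by-default cases (unknown user, attribute missing, attribute present but blank) that the compare step should fail on.

```python
"""Simulated gateway policy: per-user HTTP method allow-list looked up from a directory.

Constructed example, not OTK code. DIRECTORY stands in for the LDAP entries
that 'OTK User Attribute Look Up' would return; subscriber_id stands in for
${session.subscriber_id}; http_method stands in for the request's method.
"""

# Constructed sample directory: user -> attributes (stand-in for LDAP entries).
DIRECTORY = {
    "Sascha": {"methods_supported": "POST GET"},   # the user from the answer
    "Alice": {"methods_supported": "GET"},
    "Bob": {},                                    # attribute absent
    "Carol": {"methods_supported": "   "},        # attribute present but blank
}

ATTRIBUTE = "methods_supported"   # assumed LDAP attribute name, as in the answer


def parse_methods(raw):
    """Turn the space-separated attribute value into a set of upper-case methods.

    None or a blank string yields an empty set, so callers fail closed.
    """
    if not raw:
        return frozenset()
    return frozenset(tok.upper() for tok in raw.split() if tok)


def lookup_methods(subscriber_id, directory=DIRECTORY):
    """Stand-in for the OTK user attribute look-up: allowed methods for one user."""
    entry = directory.get(subscriber_id)
    if entry is None:                 # unknown subject -> nothing allowed
        return frozenset()
    return parse_methods(entry.get(ATTRIBUTE))


def authorize(subscriber_id, http_method, directory=DIRECTORY):
    """Decide whether the token's subject may use this HTTP method.

    Mirrors the 'compare(required method, methods valid for user)' step:
    allow only when the requested method is in the user's list; deny on
    missing subject, unknown user, or missing/blank attribute.
    Returns (allowed, reason).
    """
    if not subscriber_id:
        return False, "no subscriber in session"
    allowed = lookup_methods(subscriber_id, directory)
    if not allowed:
        return False, f"no usable {ATTRIBUTE} for {subscriber_id}"
    method = (http_method or "").strip().upper()
    if method in allowed:
        return True, f"{method} permitted for {subscriber_id}"
    return False, f"{method} not in {sorted(allowed)} for {subscriber_id}"


if __name__ == "__main__":
    for user, method in [("Sascha", "post"), ("Sascha", "DELETE"),
                         ("Alice", "POST"), ("Bob", "GET"), ("Carol", "GET"),
                         ("Mallory", "GET"), ("", "GET")]:
        ok, why = authorize(user, method)
        print(f"{user or '<none>':8} {method:7} -> {'ALLOW' if ok else 'DENY '} ({why})")
```

The point of the extra cases is that a missing or empty attribute must end in the same branch as an explicit mismatch; if the look-up assertion yields an empty value and the compare is written as "requested method not in denied list", an unprovisioned user silently gets everything.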