To create and modify OTK clients, LDAP-authenticated users need to be added as administrators of the OAuth Manager. The steps below cover both the authentication change and the user allowlist.
API Gateway 10.X
Step 1: Open the OTK User Authentication Extension policy and turn on ‘Show Comments’ and ‘Show Assertion Numbers’
Step 2: Copy line 10 and update the comments to reflect your LDAP configuration
Step 3: Expand line 16 and double-click the Request: Authenticate against Internal Identity Provider assertion and select your LDAP instance. Double-click the Extract Attributes for Authenticated User assertion and select your LDAP instance.
Step 4: Right-click on line 9 and select the Add ‘At least one…’ Folder
Step 5: Move both IDP logic blocks into the folder – it should look like the following:
Step 6: Click Save and Activate
Step 7: Open the OTK User Attribute Look Up Extension policy and turn on ‘Show Comments’ and ‘Show Assertion Numbers’
Step 8: Click on line 5 and line 6
Step 9: Make a copy of line 8 and disable the first copy
Step 10: Double-click line 9; click the entry under Rules and click Edit
Step 11: For each username that will log in to the OAuth Manager, append a pipe “|” followed by that username
Step 12: Click OK, then click OK again, then click Save and Activate
NOTE: The user(s) logging in to the OAuth Manager must have the Administrator role within the Policy Manager. If a user isn’t defined in the OTK User Attribute Look Up Extension policy, they WILL NOT be able to see all of the client keys. They will only see the client keys they have created.
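The pipe-delimited username list in Step 11 is, in effect, an allowlist expression for who may administer OTK clients. The following is an added example, not part of the original article or the Layer7 OTK policies themselves; it assumes (the page does not say so explicitly) that the Rules entry is evaluated as a regular expression, which is why the pipe works as "or". It shows how to build the list safely (escaped, anchored, no blank entries) and why an unanchored list is risky: a bare `alice|bob.smith` also matches `malice` or `bobXsmith`, which would grant OAuth Manager admin visibility to the wrong account. All usernames are constructed sample values.

```python
import re

# Constructed sample admin usernames; not taken from any real LDAP directory.
ADMIN_USERS = ["alice", "bob.smith", "ops-admin"]


def build_rule(usernames):
    """Build the pipe-delimited rule for the Compare Expression entry.

    Assumption (not stated on the page): the rule is evaluated as a regular
    expression. Each username is therefore escaped (so a '.' in bob.smith
    does not act as a wildcard) and the whole alternation is anchored so the
    rule only matches a complete username.
    """
    cleaned = [u.strip() for u in usernames]
    if not cleaned or any(not u for u in cleaned):
        # A blank alternative ("alice||bob") would match every username.
        raise ValueError("username list must be non-empty with no blank entries")
    if len(set(cleaned)) != len(cleaned):
        raise ValueError("duplicate usernames in allowlist")
    return "^(" + "|".join(re.escape(u) for u in cleaned) + ")$"


def unanchored_rule(usernames):
    """The naive form: just usernames joined with pipes, no anchors, no escaping.
    Kept here only to show the difference in behaviour below."""
    return "|".join(usernames)


def matches(rule, username):
    """Model a 'matches regular expression' check over the authenticated user's name."""
    return re.search(rule, username) is not None


def evaluate(rule, candidates):
    """Return {username: allowed?} for a list of constructed login names."""
    return {name: matches(rule, name) for name in candidates}


if __name__ == "__main__":
    # Constructed login names, including near-misses of real admin names.
    probes = ["alice", "malice", "alice2", "bob.smith", "bobXsmith", "ops-admin"]
    print("anchored  :", evaluate(build_rule(ADMIN_USERS), probes))
    print("unanchored:", evaluate(unanchored_rule(ADMIN_USERS), probes))
```

Running the block prints the two allowlists side by side: the anchored rule admits only the three listed accounts, while the unanchored one also admits `malice`, `alice2` and `bobXsmith`. Whatever form the gateway actually uses for the rule, checking the final expression against a few near-miss names like this before clicking Save and Activate is a cheap way to confirm the admin list is exact.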
REF:
https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-management-oauth-toolkit/4-4/installation-workflow/configure-authentication/support-optional-authentication-mechanisms.html
https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-management-oauth-toolkit/4-4/otk-user-role-configuration.html