When configuring LDAP integration with Ops Manager, the LDAP RBAC Admin Group Name field on the LDAP Settings page must be set (see the Ops Manager documentation for details).
Only one group name can be entered in this field. However, you may need more than one LDAP group to hold administrative rights. This article shows how to grant LDAP RBAC Admin privileges to multiple LDAP groups.
VMware Tanzu Operations Manager
Only one group can be configured as the LDAP RBAC Admin Group in the Ops Manager web console.
The solution is to use the uaac CLI to map additional external LDAP groups to the UAA scope opsman.admin. Every member of a mapped LDAP group receives Ops Manager admin permission, so review the group's membership in LDAP before mapping it.
1) Use uaac to target the Ops Manager UAA endpoint and obtain a token for the admin user (refer to the documentation for details). If Ops Manager is already integrated with LDAP authentication, use "uaac token sso get" to obtain the token:
$ uaac token sso get opsman
Client secret:  ******
Passcode (from https://opsmgr.example.com/uaa/passcode):
2) Run "uaac group mappings" to confirm that the LDAP group entered in the "LDAP RBAC Admin Group" field in Ops Manager is already mapped to the opsman.admin scope for the ldap origin. For example:
$ uaac group mappings
resources
  ldap:
  - uaa.admin: cn=group1,ou=groups,dc=example,dc=com
  - opsman.admin: cn=group1,ou=groups,dc=example,dc=com
3) Run "uaac group map" to map another LDAP group to the opsman.admin scope for the ldap origin:
$ uaac group map "cn=group2,ou=groups,dc=example,dc=com" --name opsman.admin --origin ldap
4) Confirm that the new mapping was created:
$ uaac group mappings
resources
  ldap:
  - uaa.admin: cn=group1,ou=groups,dc=example,dc=com
  - opsman.admin: cn=group1,ou=groups,dc=example,dc=com
  - opsman.admin: cn=group2,ou=groups,dc=example,dc=com
5) Log in to the Ops Manager web console as an LDAP user who belongs to the newly mapped group and verify that the user has admin access.
Notes: the group mappings created with this approach are removed if either of the following occurs:
1) Any change is made and applied to LDAP Settings in the Ops Manager web console.
2) The Ops Manager authentication method is changed from LDAP to something else (e.g. SAML) and later back to LDAP.
The group mappings must be redone after either of these changes.
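As an added example (not part of the original article), the following shell script re-applies the opsman.admin mapping for a list of LDAP groups while skipping groups that are already mapped, so it can be re-run safely after the LDAP Settings change described above has wiped the mappings. It parses "uaac group mappings" output in the layout shown in steps 2 and 4; a constructed sample of that output is embedded so the script can be exercised without a live UAA. The scope name opsman.admin, the ldap origin and the "uaac group map" invocation come from the article; the function names, the sample data and the DRY_RUN variable (default 1, which only prints the uaac commands instead of running them) are this example's own assumptions.

```shell
#!/usr/bin/env bash
# Re-apply the opsman.admin mapping for a list of LDAP groups, skipping groups
# that are already mapped. Added example; not from the KB article or from uaac.
# Assumptions: scope opsman.admin and origin ldap as in the article, and the
# `uaac group mappings` output layout shown in the article ("  ldap:" header
# followed by "  - <scope>: <group DN>" lines).
set -u

SCOPE="opsman.admin"
ORIGIN="ldap"

# Constructed sample of `uaac group mappings` output (not captured from a real
# system), modelled on the article's output, with an extra saml origin to show
# that only the ldap origin is considered.
SAMPLE_MAPPINGS='resources
  ldap:
  - uaa.admin: cn=group1,ou=groups,dc=example,dc=com
  - opsman.admin: cn=group1,ou=groups,dc=example,dc=com
  saml:
  - opsman.admin: cn=group3,ou=groups,dc=example,dc=com'

# mapped_groups MAPPINGS_TEXT
# Print the external group DNs mapped to $SCOPE under origin $ORIGIN, one per line.
mapped_groups() {
  printf '%s\n' "$1" | awk -v origin="$ORIGIN" -v scope="$SCOPE" '
    /^  [^ -][^ ]*:$/ { cur = $1; sub(/:$/, "", cur); next }   # origin header, e.g. "  ldap:"
    cur == origin && $1 == "-" && $2 == (scope ":") {
      line = $0
      sub(/^[^:]*: */, "", line)                                 # strip "  - opsman.admin: "
      print line
    }'
}

# missing_mappings MAPPINGS_TEXT GROUP...
# Print the desired group DNs that are not yet mapped to $SCOPE for $ORIGIN.
missing_mappings() {
  local mappings="$1"; shift
  local current g
  current="$(mapped_groups "$mappings")"
  for g in "$@"; do
    if ! printf '%s\n' "$current" | grep -Fxq -- "$g"; then
      printf '%s\n' "$g"
    fi
  done
}

# map_command GROUP
# The exact uaac invocation from the article, for one group.
map_command() {
  printf 'uaac group map "%s" --name %s --origin %s\n' "$1" "$SCOPE" "$ORIGIN"
}

# apply_mappings MAPPINGS_TEXT GROUP...
# For each missing group, print the map command (DRY_RUN=1, the default) or run it.
apply_mappings() {
  local mappings="$1"; shift
  local g
  missing_mappings "$mappings" "$@" | while IFS= read -r g; do
    if [ "${DRY_RUN:-1}" = "1" ]; then
      map_command "$g"
    else
      uaac group map "$g" --name "$SCOPE" --origin "$ORIGIN"
    fi
  done
}

# Stand-alone demo against the constructed sample: group1 is already mapped,
# so only the command for group2 is printed.
apply_mappings "$SAMPLE_MAPPINGS" \
  "cn=group1,ou=groups,dc=example,dc=com" \
  "cn=group2,ou=groups,dc=example,dc=com"
```

Against a live system, after "uaac token sso get" as in step 1, run it as DRY_RUN=0 with the real output: apply_mappings "$(uaac group mappings)" followed by the list of admin group DNs. Re-running after the mappings have been wiped recreates only what is missing, and running it when nothing is missing changes nothing.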