We are restricting operations based on access using LDAP Authorization.

Here is a portion of the XSL that is using the result set from the LDAP query.

<xsl:variable name="authorizeServices">
         <xsl:copy-of select="$result/LDAP-search-results/result/attribute-value/text()"/>
      </xsl:variable>
      <!--     Authorize service    -->
      <xsl:variable name="serviceMatch">
         <xsl:for-each select="$result/LDAP-search-results/result/attribute-value">
            <xsl:variable name="authorizeServices">
               <xsl:value-of select="text()"/>
            </xsl:variable>
            <xsl:choose>
               <xsl:when test="$authorizeServices=$msgAuthorize">
                  <xsl:value-of select="true()"/>
               </xsl:when>
               <xsl:otherwise>
                  <!-- do what you like here -->
               </xsl:otherwise>
            </xsl:choose>
         </xsl:for-each>
      </xsl:variable>
      <xsl:choose>

As you can see we use the LDAP 'attribute-value' result, and match that to the operation name.  We use a 'for-each' as a user may have access to multiple operations.

If there is a match the user is authorized to utilize that service and operation, otherwise they will be denied access. 

Not sure your comfort level with DataPower, but some other users might not know how to implement the custom XSL.  To do so in the AAA policy go to the Authorize tab, for 'Method' select 'custom' from the drop down list.  Then in the 'Custom URL' box you would put the value of your XSL. e.g. 'local:///myAAA.xsl'.

I have omitted some details, but I think this should get you going in the right direction.  If you need more help let me know. 

I hope this helps.