Tried adding objectclass to the attrs, but it is entirely possible I did something incorrect, as the users are still unable to view other OTP tokens.
Here's the current state of the policy:
$ ipa permission-show test --all --raw
dn: cn=test,cn=permissions,cn=pbac,dc=ipa,dc=example,dc=com
cn: test
ipapermright: all
ipapermincludedattr: ipatokentotptimestep
ipapermincludedattr: ipatokenotpalgorithm
ipapermincludedattr: ipatokentotpwatermark
ipapermincludedattr: ipatokenowner
ipapermincludedattr: ipatokenotpdigits
ipapermincludedattr: ipatokenuniqueid
ipapermincludedattr: ipatokentotpclockoffset
ipapermincludedattr: ipatokenotpkey
ipapermincludedattr: cn
ipapermincludedattr: ipatokenhotpsyncwindow
ipapermincludedattr: ipatokenhotpauthwindow
ipapermincludedattr: ipatokentotpsyncwindow
ipapermincludedattr: ipatokentotpauthwindow
ipapermincludedattr: objectclass
ipapermbindruletype: permission
ipapermlocation: cn=otp,cn=etc,dc=ipa,dc=nab,dc=blueclouds,dc=io
ipapermtargetfilter: (objectclass=ipatokenotpconfig)
ipapermissiontype: SYSTEM
ipapermissiontype: V2
aci: (targetattr = "cn || ipatokenhotpauthwindow || ipatokenhotpsyncwindow || ipatokenotpalgorithm || ipatokenotpdigits || ipatokenotpkey || ipatokenowner || ipatokentotpauthwindow || ipatokentotpclockoffset || ipatokentotpsyncwindow || ipatokentotptimestep || ipatokentotpwatermark || ipatokenuniqueid || objectclass")(targetfilter = "(objectclass=ipatokenotpconfig)")(version 3.0;acl "permission:test";allow (all) groupdn = "ldap:///cn=testrl,cn=permissions,cn=pbac,dc=ipa,dc=example,dc=com";)
objectclass: top
objectclass: groupofnames
objectclass: ipapermission
objectclass: ipapermissionv2
(Again, membership info has been removed, but shows the expected and proper members)
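When a permission like the one above does not behave as expected, the first thing to check is which entries its ACI actually selects: an ACI only grants access to entries that match its targetfilter, and only for the attributes listed in targetattr. The following is an added example, not code from the post or from FreeIPA, that evaluates an ACI's targetfilter and targetattr offline against constructed sample entries. The entries are modelled on FreeIPA's schema, where the cn=otp,cn=etc container carries objectclass ipatokenotpconfig and the individual token entries beneath it carry ipatoken plus ipatokentotp or ipatokenhotp; the DNs, the token id and the shortened targetattr list in ACI are assumptions for the example, and the filter parser handles only the equality, &, | and ! forms of RFC 4515.

```python
"""Offline check of which entries a 389-ds/FreeIPA ACI selects and which attrs it covers."""
import re

# Constructed sample entries (not taken from the post). Objectclasses follow FreeIPA's
# schema: the OTP container is ipatokenotpconfig, tokens are ipatoken + ipatokentotp.
CONFIG_ENTRY = {
    "dn": "cn=otp,cn=etc,dc=ipa,dc=example,dc=com",
    "objectclass": ["top", "nscontainer", "ipatokenotpconfig"],
}
TOKEN_ENTRY = {
    "dn": "ipatokenuniqueid=1234,cn=otp,cn=etc,dc=ipa,dc=example,dc=com",  # assumed id
    "objectclass": ["top", "ipatoken", "ipatokentotp"],
    "ipatokenowner": ["uid=alice,cn=users,cn=accounts,dc=ipa,dc=example,dc=com"],
}

# The post's targetfilter with a shortened targetattr list (assumed for brevity).
ACI = ('(targetattr = "cn || ipatokenowner || ipatokenuniqueid || objectclass")'
       '(targetfilter = "(objectclass=ipatokenotpconfig)")'
       '(version 3.0;acl "permission:test";allow (all) '
       'groupdn = "ldap:///cn=testrl,cn=permissions,cn=pbac,dc=ipa,dc=example,dc=com";)')


def parse_filter(s, i=0):
    """Parse a subset of RFC 4515 filters (equality, &, |, !). Returns (node, next_index)."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i] in "&|":
        op, i, kids = s[i], i + 1, []
        while s[i] == "(":
            node, i = parse_filter(s, i)
            kids.append(node)
        if s[i] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        return (op, kids), i + 1
    if s[i] == "!":
        node, i = parse_filter(s, i + 1)
        if s[i] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        return ("!", [node]), i + 1
    end = s.index(")", i)
    attr, _, value = s[i:end].partition("=")
    return ("=", attr.strip().lower(), value.strip()), end + 1


def matches(node, entry):
    """Evaluate a parsed filter against a dict of lowercase attr -> list of values."""
    kind = node[0]
    if kind == "=":
        _, attr, value = node
        return value.lower() in (v.lower() for v in entry.get(attr, []))
    if kind == "&":
        return all(matches(k, entry) for k in node[1])
    if kind == "|":
        return any(matches(k, entry) for k in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    raise ValueError(kind)


def aci_targets(aci):
    """Extract the targetattr set and parsed targetfilter from an ACI string."""
    ta = re.search(r'targetattr\s*=\s*"([^"]*)"', aci)
    tf = re.search(r'targetfilter\s*=\s*"([^"]*)"', aci)
    attrs = {a.strip().lower() for a in ta.group(1).split("||")} if ta else {"*"}
    filt = parse_filter(tf.group(1))[0] if tf else None
    return attrs, filt


def aci_covers(aci, entry, wanted_attrs):
    """Return (entry_selected_by_targetfilter, wanted attrs NOT in targetattr)."""
    attrs, filt = aci_targets(aci)
    selected = filt is None or matches(filt, entry)
    missing = set() if "*" in attrs else {a.lower() for a in wanted_attrs} - attrs
    return selected, missing


if __name__ == "__main__":
    for entry in (CONFIG_ENTRY, TOKEN_ENTRY):
        selected, missing = aci_covers(ACI, entry, ["ipatokenowner", "ipatokenuniqueid"])
        print(entry["dn"], "selected" if selected else "NOT selected",
              "| attrs not covered:", sorted(missing) or "none")
```

Run against these constructed entries, the post's targetfilter selects the container entry and not the token entry, so anything the ACI grants applies to the config object only; against a live directory, the same comparison can be made by pulling the token entries' objectclass values with ldapsearch and feeding them to `aci_covers`.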