Exactly one of esx.authentication.client_profiles.create_spec.local_user_name, esx.authentication.client_profiles.create_spec.external_group_name, esx.authentication.client_profiles.create_spec.external_user_name, or privileges must be set.

Optional. If set, create a client profile for a local user.

Exactly one of esx.authentication.client_profiles.create_spec.local_user_name, esx.authentication.client_profiles.create_spec.external_group_name, esx.authentication.client_profiles.create_spec.external_user_name, or privileges must be set.

Optional. If set, create a client profile for an external group and esx.authentication.client_profiles.create_spec.issuer_alias and esx.authentication.client_profiles.create_spec.domain must be set.

Exactly one of esx.authentication.client_profiles.create_spec.local_user_name, esx.authentication.client_profiles.create_spec.external_group_name, esx.authentication.client_profiles.create_spec.external_user_name, or privileges must be set.

Optional. If set, create a client profile for an external user and esx.authentication.client_profiles.create_spec.issuer_alias and esx.authentication.client_profiles.create_spec.domain must be set.

Optional. If set, create a client profile containing the scope privileges specified. Also, field esx.authentication.client_profiles.create_spec.issuer_alias must be set.

The token issuer may provide a map of scopes and the authenticated user's privilege list on those scopes. Doing so allows a higher layer authorization scheme to be partly mapped into one or more esx.authentication.client_profiles.

The token issuer must represent this mapping as a 'privs' claim. Encoded in JSON the claim would appear as follows.

"privs": { "scope1": [ "priv1", "priv2", ...], "scope2": [ "priv1", "priv3", ...], ... }

Note that this does not specify a subject directly, but rather a set of subjects who have some privilege on an entity.

Optional. Must be set only if either of esx.authentication.client_profiles.create_spec.external_group_name, esx.authentication.client_profiles.create_spec.external_user_name, or privileges is set.When clients pass a value of this structure as a parameter, the field must be an identifier for the resource type: com.vmware.esx.authentication.trust.security-token-issuer. When operations return a value of this structure as a result, the field will be an identifier for the resource type: com.vmware.esx.authentication.trust.security-token-issuer.

Optional. Must be set only if esx.authentication.client_profiles.create_spec.external_group_name or esx.authentication.client_profiles.create_spec.external_user_name is set.

Defines the types of esx.authentication.client_profiles.access_grant elements in a client profile. These are permission resource types. There is support for entitlements, but not for groups. Value is one of:
ENTITLEMENT: Permission entitlements.

These are coarse-grained permissions that are not associated with an object, i.e. they are system-wide.

Defines all permission entitlements supported on the ESX.

These are coarse-grained permissions that are not associated with an object, i.e. they are system-wide.

For example: esx.authentication.client_profiles, esx.authentication.trust.security_token_issuers.

For example: KMS, Attestation.