esx authentication client profiles: create_spec
create_spec
The create_spec structure contains the fields to be specified when creating a new client profile. The structure consists of a subject (a local user, an external user, an external group, or a scope privilege mapping) and a list of access grants.
Representation:

```json
{
  "grants" : [
    {
      "resource_type" : "ENTITLEMENT",
      "entitlement" : "IDENTITY_MGMT"
    },
    {
      "resource_type" : "ENTITLEMENT",
      "entitlement" : "IDENTITY_MGMT"
    }
  ],
  "privileges" : {
    "<string>" : [
      "string",
      "string"
    ]
  },
  "external_user_name" : "string",
  "local_user_name" : "string",
  "domain" : "string",
  "external_group_name" : "string",
  "issuer_alias" : "obj-103"
}
```

```json
{
  "grants" : [
    {
      "resource_type" : "ENTITLEMENT",
      "entitlement" : "IDENTITY_MGMT"
    },
    {
      "resource_type" : "ENTITLEMENT",
      "entitlement" : "IDENTITY_MGMT"
    }
  ],
  "privileges" : [
    {
      "value" : [
        "string",
        "string"
      ],
      "key" : "string"
    }
  ],
  "external_user_name" : "string",
  "local_user_name" : "string",
  "domain" : "string",
  "external_group_name" : "string",
  "issuer_alias" : "obj-103"
}
```
Attributes:
Name | Type | Description |
---|---|---|
Required | | |
privileges.* | string[] | |
grants | access_grant[] | Access grants. When the list is empty, the matching subjects don't receive grants from this client profile, but will receive grants from other matching ClientProfiles. |
grants[].resource_type | string | Type of permission entity. Defines the types of esx.authentication.client_profiles.access_grant elements in a client profile. These are permission resource types. There is support for entitlements, but not for groups. Value is one of: ENTITLEMENT: Permission entitlements. These are coarse-grained permissions that are not associated with an object, i.e. they are system-wide. |
Optional | | |
local_user_name | string | The local user name. Exactly one of esx.authentication.client_profiles.create_spec.local_user_name, esx.authentication.client_profiles.create_spec.external_group_name, esx.authentication.client_profiles.create_spec.external_user_name, or privileges must be set. Optional. If set, create a client profile for a local user. |
external_group_name | string | The external group name. Exactly one of esx.authentication.client_profiles.create_spec.local_user_name, esx.authentication.client_profiles.create_spec.external_group_name, esx.authentication.client_profiles.create_spec.external_user_name, or privileges must be set. Optional. If set, create a client profile for an external group, and esx.authentication.client_profiles.create_spec.issuer_alias and esx.authentication.client_profiles.create_spec.domain must be set. |
external_user_name | string | The external user name. Exactly one of esx.authentication.client_profiles.create_spec.local_user_name, esx.authentication.client_profiles.create_spec.external_group_name, esx.authentication.client_profiles.create_spec.external_user_name, or privileges must be set. Optional. If set, create a client profile for an external user, and esx.authentication.client_profiles.create_spec.issuer_alias and esx.authentication.client_profiles.create_spec.domain must be set. |
privileges | object | Scope privilege mapping. Exactly one of esx.authentication.client_profiles.create_spec.local_user_name, esx.authentication.client_profiles.create_spec.external_group_name, esx.authentication.client_profiles.create_spec.external_user_name, or privileges must be set. Warning: This attribute is part of a new feature in development. It may be changed at any time and may not have all supported functionality implemented. Optional. If set, create a client profile containing the scope privileges specified; the field esx.authentication.client_profiles.create_spec.issuer_alias must also be set. The token issuer may provide a map of scopes and the authenticated user's privilege list on those scopes. Doing so allows a higher-layer authorization scheme to be partly mapped into one or more esx.authentication.client_profiles. The token issuer must represent this mapping as a 'privs' claim. Encoded in JSON the claim would appear as follows: "privs": { "scope1": [ "priv1", "priv2", ...], "scope2": [ "priv1", "priv3", ...], ... } Note that this does not specify a subject directly, but rather a set of subjects who have some privilege on an entity. |
issuer_alias | string | The alias of the security token issuer who created and signed the security token. Optional. Must be set only if one of esx.authentication.client_profiles.create_spec.external_group_name, esx.authentication.client_profiles.create_spec.external_user_name, or privileges is set. When clients pass a value of this structure as a parameter, the field must be an identifier for the resource type com.vmware.esx.authentication.trust.security-token-issuer. When operations return a value of this structure as a result, the field will be an identifier for the resource type com.vmware.esx.authentication.trust.security-token-issuer. |
domain | string | Domain of the external principal. Optional. Must be set only if esx.authentication.client_profiles.create_spec.external_group_name or esx.authentication.client_profiles.create_spec.external_user_name is set. |
grants[].entitlement | string | The entitlement in the access grant. Defines all permission entitlements supported on the ESX. These are coarse-grained permissions that are not associated with an object, i.e. they are system-wide. Value is one of: IDENTITY_MGMT: Allows modifying the identity configuration. For example: esx.authentication.client_profiles, esx.authentication.trust.security_token_issuers. SECURITY_MGMT: Allows modifying security configuration. For example: KMS, Attestation. READ_ONLY: Allows access to some read-only operations. Not all read-only operations are accessible with this entitlement. Check the specific operation documentation for the required authorization. OBSERVABILITY: Allows access to monitoring and statistical performance data. This constant was added in vSphere API 7.0.1.0. This field is optional and is only relevant when the value of resource_type is ENTITLEMENT. |
Attributes:
Name | Type | Description |
---|---|---|
Required | | |
privileges[].key | string | |
privileges[].value | string[] | |
grants | access_grant[] | Access grants. When the list is empty, the matching subjects don't receive grants from this client profile, but will receive grants from other matching ClientProfiles. |
Optional | | |
local_user_name | string | The local user name. Exactly one of esx.authentication.client_profiles.create_spec.local_user_name, esx.authentication.client_profiles.create_spec.external_group_name, esx.authentication.client_profiles.create_spec.external_user_name, or privileges must be set. Optional. If set, create a client profile for a local user. |
external_group_name | string | The external group name. Exactly one of esx.authentication.client_profiles.create_spec.local_user_name, esx.authentication.client_profiles.create_spec.external_group_name, esx.authentication.client_profiles.create_spec.external_user_name, or privileges must be set. Optional. If set, create a client profile for an external group, and esx.authentication.client_profiles.create_spec.issuer_alias and esx.authentication.client_profiles.create_spec.domain must be set. |
external_user_name | string | The external user name. Exactly one of esx.authentication.client_profiles.create_spec.local_user_name, esx.authentication.client_profiles.create_spec.external_group_name, esx.authentication.client_profiles.create_spec.external_user_name, or privileges must be set. Optional. If set, create a client profile for an external user, and esx.authentication.client_profiles.create_spec.issuer_alias and esx.authentication.client_profiles.create_spec.domain must be set. |
privileges | list | Scope privilege mapping. Exactly one of esx.authentication.client_profiles.create_spec.local_user_name, esx.authentication.client_profiles.create_spec.external_group_name, esx.authentication.client_profiles.create_spec.external_user_name, or privileges must be set. Warning: This attribute is part of a new feature in development. It may be changed at any time and may not have all supported functionality implemented. Optional. If set, create a client profile containing the scope privileges specified; the field esx.authentication.client_profiles.create_spec.issuer_alias must also be set. The token issuer may provide a map of scopes and the authenticated user's privilege list on those scopes. Doing so allows a higher-layer authorization scheme to be partly mapped into one or more esx.authentication.client_profiles. The token issuer must represent this mapping as a 'privs' claim. Encoded in JSON the claim would appear as follows: "privs": { "scope1": [ "priv1", "priv2", ...], "scope2": [ "priv1", "priv3", ...], ... } Note that this does not specify a subject directly, but rather a set of subjects who have some privilege on an entity. |
issuer_alias | string | The alias of the security token issuer who created and signed the security token. Optional. Must be set only if one of esx.authentication.client_profiles.create_spec.external_group_name, esx.authentication.client_profiles.create_spec.external_user_name, or privileges is set. When clients pass a value of this structure as a parameter, the field must be an identifier for the resource type com.vmware.esx.authentication.trust.security-token-issuer. When operations return a value of this structure as a result, the field will be an identifier for the resource type com.vmware.esx.authentication.trust.security-token-issuer. |
domain | string | Domain of the external principal. Optional. Must be set only if esx.authentication.client_profiles.create_spec.external_group_name or esx.authentication.client_profiles.create_spec.external_user_name is set. |
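The constraints in the tables above (exactly one subject field, issuer_alias and domain requirements, and the ENTITLEMENT grant enumeration) are easy to get wrong when building a spec by hand. The following validator is an added example, not VMware code; it checks a candidate create_spec dict before it is sent, and also shows one way to compare a profile's scope privilege mapping against a token's 'privs' claim. The matching rule in privileges_match (every privilege the profile lists for a scope must appear in the claim) is an assumption, since the page does not define the matching semantics.

```python
# Added example: client-side checks for an esx.authentication.client_profiles
# create_spec. Not VMware code; field rules are taken from the attribute table.

SUBJECT_FIELDS = ("local_user_name", "external_group_name",
                  "external_user_name", "privileges")
# Entitlement values documented for grants[].entitlement.
ENTITLEMENTS = {"IDENTITY_MGMT", "SECURITY_MGMT", "READ_ONLY", "OBSERVABILITY"}


def validate_create_spec(spec: dict) -> list:
    """Return a list of rule violations; an empty list means the spec is valid."""
    errors = []
    present = [f for f in SUBJECT_FIELDS if spec.get(f) is not None]
    if len(present) != 1:
        errors.append(f"exactly one of {SUBJECT_FIELDS} must be set, got {present}")
    external = {"external_group_name", "external_user_name"}
    # issuer_alias is required for external subjects and for privileges,
    # and must not be set otherwise ("Must be set only if ...").
    needs_issuer = bool((external | {"privileges"}) & set(present))
    needs_domain = bool(external & set(present))
    if needs_issuer != ("issuer_alias" in spec):
        errors.append("issuer_alias must be set exactly when an external "
                      "subject or privileges is set")
    if needs_domain != ("domain" in spec):
        errors.append("domain must be set exactly when an external user or "
                      "group is set")
    if "grants" not in spec:
        errors.append("grants is required (an empty list is allowed)")
    for i, grant in enumerate(spec.get("grants") or []):
        if grant.get("resource_type") != "ENTITLEMENT":
            errors.append(f"grants[{i}].resource_type must be ENTITLEMENT")
        elif grant.get("entitlement") not in ENTITLEMENTS:
            errors.append(f"grants[{i}].entitlement "
                          f"{grant.get('entitlement')!r} is not a known value")
    return errors


def privileges_match(profile_privs: dict, token_privs: dict) -> bool:
    """Assumed rule: for every scope in the profile's mapping, the token's
    'privs' claim must carry that scope with all of the listed privileges."""
    return all(set(privs) <= set(token_privs.get(scope, []))
               for scope, privs in profile_privs.items())


if __name__ == "__main__":
    # Constructed sample spec, not a real profile.
    sample = {"local_user_name": "ops-admin",
              "grants": [{"resource_type": "ENTITLEMENT",
                          "entitlement": "READ_ONLY"}]}
    print(validate_create_spec(sample))
```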