esx authentication client profiles: info
The info structure contains information about an existing client profile. It includes a subject type, the details of the subject (a local user, an external user or external group, or a privilege specification) and a list of access grants.
- A local user is a user account configured on the ESX system itself.
- An external user is a user account configured in an identity provider external to the ESX system.
- An external group is a group account configured in an identity provider external to the ESX system.
- A privilege specification matches against the 'privs' claim of an externally issued JWT rather than against a named principal.
Representation (privileges as a map keyed by scope):

```json
{
  "grants" : [
    {
      "resource_type" : "ENTITLEMENT",
      "entitlement" : "IDENTITY_MGMT"
    },
    {
      "resource_type" : "ENTITLEMENT",
      "entitlement" : "IDENTITY_MGMT"
    }
  ],
  "subject" : {
    "privileges" : {
      "<string>" : [
        "string",
        "string"
      ]
    },
    "domain" : "string",
    "name" : "string",
    "issuer_alias" : "obj-103",
    "type" : "LOCAL_USER"
  }
}
```
Representation (privileges as a list of key/value entries):

```json
{
  "grants" : [
    {
      "resource_type" : "ENTITLEMENT",
      "entitlement" : "IDENTITY_MGMT"
    },
    {
      "resource_type" : "ENTITLEMENT",
      "entitlement" : "IDENTITY_MGMT"
    }
  ],
  "subject" : {
    "privileges" : [
      {
        "value" : [
          "string",
          "string"
        ],
        "key" : "string"
      }
    ],
    "domain" : "string",
    "name" : "string",
    "issuer_alias" : "obj-103",
    "type" : "LOCAL_USER"
  }
}
```
Attributes (privileges as a map keyed by scope):
Name | Type | Description |
---|---|---|
Required | ||
-.subject | subject | The subject of the profile. |
-.subject.type | string | Subject type. Defines the kind of subject matching the client profile performs. Value is one of: LOCAL_USER: a local user. EXTERNAL_GROUP: a group from an external source. EXTERNAL_USER: a user from an external source. PRIVILEGES: a privilege specification. |
-.subject.privileges.* | string[] | Privilege names on the scope given by the key. |
-.grants | access_grant[] | Access grants. When the list is empty, matching subjects receive no grants from this client profile, but they still receive grants from any other client profiles that match them. |
Optional | ||
-.subject.name | string | The user or group name. Only relevant when type is one of LOCAL_USER, EXTERNAL_GROUP or EXTERNAL_USER. |
-.subject.issuer_alias | string | Alias of the security token issuer that created and signed the security token. Only relevant when type is one of EXTERNAL_GROUP, EXTERNAL_USER or PRIVILEGES. When clients pass a value of this structure as a parameter, the field must be an identifier for the resource type com.vmware.esx.authentication.trust.security-token-issuer; when operations return a value of this structure as a result, the field is an identifier for that same resource type. |
-.subject.domain | string | Domain of the principal. Only relevant when type is one of EXTERNAL_GROUP or EXTERNAL_USER. |
-.subject.privileges | object | Scope-to-privilege mapping. The token issuer may provide a map from scopes to the authenticated user's privilege list on those scopes, which allows a higher-layer authorization scheme to be partly mapped into one or more esx.authentication.client_profiles. The token issuer must represent this mapping as a 'privs' claim; encoded in JSON the claim appears as follows: "privs": { "scope1": [ "priv1", "priv2", ...], "scope2": [ "priv1", "priv3", ...], ... }. Note that this does not name a subject directly; it describes the set of subjects who hold some privilege on an entity. Only relevant when type is PRIVILEGES. Object whose element values are of type string[]. |
Attributes (privileges as a list of key/value entries):
Name | Type | Description |
---|---|---|
Required | ||
subject | subject | The subject of the profile. |
subject.type | string | Subject type. Defines the kind of subject matching the client profile performs. Value is one of: LOCAL_USER: a local user. EXTERNAL_GROUP: a group from an external source. EXTERNAL_USER: a user from an external source. PRIVILEGES: a privilege specification. |
subject.privileges[].key | string | Scope name. |
subject.privileges[].value | string[] | Privilege names on that scope. |
grants | access_grant[] | Access grants. When the list is empty, matching subjects receive no grants from this client profile, but they still receive grants from any other client profiles that match them. |
Optional | ||
subject.name | string | The user or group name. Only relevant when type is one of LOCAL_USER, EXTERNAL_GROUP or EXTERNAL_USER. |
subject.issuer_alias | string | Alias of the security token issuer that created and signed the security token. Only relevant when type is one of EXTERNAL_GROUP, EXTERNAL_USER or PRIVILEGES. When clients pass a value of this structure as a parameter, the field must be an identifier for the resource type com.vmware.esx.authentication.trust.security-token-issuer; when operations return a value of this structure as a result, the field is an identifier for that same resource type. |
subject.domain | string | Domain of the principal. Only relevant when type is one of EXTERNAL_GROUP or EXTERNAL_USER. |
subject.privileges | list | Scope-to-privilege mapping. The token issuer may provide a map from scopes to the authenticated user's privilege list on those scopes, which allows a higher-layer authorization scheme to be partly mapped into one or more esx.authentication.client_profiles. The token issuer must represent this mapping as a 'privs' claim; encoded in JSON the claim appears as follows: "privs": { "scope1": [ "priv1", "priv2", ...], "scope2": [ "priv1", "priv3", ...], ... }. Note that this does not name a subject directly; it describes the set of subjects who hold some privilege on an entity. Only relevant when type is PRIVILEGES. List of {"key": string, "value": string[]}. |
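The following is an added example, not code from the ESX API or from VMware, that models how the two wire forms of subject.privileges above normalize to one shape and how a set of client profiles might be evaluated against a presented token. The token-claim layout (a dict with sub, domain, issuer_alias, a hypothetical groups claim and the privs map), the rule that a local-user token carries no issuer_alias, and the rule that a PRIVILEGES profile matches only when every privilege it lists is present on every scope it lists are all assumptions for illustration; the reference does not specify ESX's actual matching algorithm. The sample profiles and tokens are constructed; IDENTITY_MGMT and obj-103 come from the page, everything else is made up.

```python
"""Illustrative grant evaluation for esx.authentication.client_profiles.

Added example, not ESX's own code. Assumptions (not stated by the API
reference): the token is a plain dict of claims; a local-user token has no
issuer_alias; group membership comes from a hypothetical 'groups' claim; a
PRIVILEGES profile matches only when every privilege it lists is present on
every scope it lists in the token's 'privs' claim.
"""


def normalize_privileges(privs):
    """Return {scope: set(privileges)} from either wire form of subject.privileges.

    Map form:  {"scope1": ["priv1", "priv2"]}
    List form: [{"key": "scope1", "value": ["priv1", "priv2"]}]
    """
    if not privs:
        return {}
    if isinstance(privs, dict):
        return {scope: set(names) for scope, names in privs.items()}
    return {entry["key"]: set(entry["value"]) for entry in privs}


def _issuer_ok(subject, token):
    # issuer_alias is optional in the reference; this model fails closed and
    # requires the profile and the token to name the same issuer (assumption).
    alias = subject.get("issuer_alias")
    return alias is not None and alias == token.get("issuer_alias")


def subject_matches(subject, token):
    """Decide whether one profile subject matches the presented token claims."""
    kind = subject["type"]
    if kind == "LOCAL_USER":
        return token.get("issuer_alias") is None and token.get("sub") == subject.get("name")
    if kind == "EXTERNAL_USER":
        return (_issuer_ok(subject, token)
                and token.get("domain") == subject.get("domain")
                and token.get("sub") == subject.get("name"))
    if kind == "EXTERNAL_GROUP":
        return (_issuer_ok(subject, token)
                and token.get("domain") == subject.get("domain")
                and subject.get("name") in token.get("groups", []))
    if kind == "PRIVILEGES":
        required = normalize_privileges(subject.get("privileges"))
        # An empty specification would match every token from the issuer
        # (all() over nothing is True), so refuse it rather than over-grant.
        if not required or not _issuer_ok(subject, token):
            return False
        held = normalize_privileges(token.get("privs"))
        return all(names <= held.get(scope, set()) for scope, names in required.items())
    raise ValueError(f"unknown subject type {kind!r}")


def effective_grants(profiles, token):
    """Union of (resource_type, entitlement) pairs from every matching profile.

    A matching profile with an empty grants list contributes nothing but does
    not block grants from other matching profiles.
    """
    grants = set()
    for profile in profiles:
        if subject_matches(profile["subject"], token):
            grants.update((g["resource_type"], g["entitlement"]) for g in profile["grants"])
    return grants


# Constructed sample data. IDENTITY_MGMT and obj-103 appear in the reference;
# the names, domain and HYPOTHETICAL_ENTITLEMENT are made up for the example.
SAMPLE_PROFILES = [
    {"subject": {"type": "LOCAL_USER", "name": "root"},
     "grants": [{"resource_type": "ENTITLEMENT", "entitlement": "IDENTITY_MGMT"}]},
    {"subject": {"type": "EXTERNAL_GROUP", "name": "vsphere-admins",
                 "domain": "corp.example", "issuer_alias": "obj-103"},
     "grants": [{"resource_type": "ENTITLEMENT", "entitlement": "IDENTITY_MGMT"}]},
    # Map form of privileges; matches the external token but grants nothing.
    {"subject": {"type": "PRIVILEGES", "issuer_alias": "obj-103",
                 "privileges": {"scope1": ["priv1", "priv2"]}},
     "grants": []},
    # List form of privileges.
    {"subject": {"type": "PRIVILEGES", "issuer_alias": "obj-103",
                 "privileges": [{"key": "scope2", "value": ["priv3"]}]},
     "grants": [{"resource_type": "ENTITLEMENT", "entitlement": "HYPOTHETICAL_ENTITLEMENT"}]},
]

EXTERNAL_TOKEN = {"issuer_alias": "obj-103", "domain": "corp.example", "sub": "alice",
                  "groups": ["vsphere-admins"],
                  "privs": {"scope1": ["priv1", "priv2"], "scope2": ["priv1", "priv3"]}}
LOCAL_TOKEN = {"issuer_alias": None, "sub": "root"}

if __name__ == "__main__":
    print(sorted(effective_grants(SAMPLE_PROFILES, EXTERNAL_TOKEN)))
    print(sorted(effective_grants(SAMPLE_PROFILES, LOCAL_TOKEN)))
```

Two points worth checking in any real implementation follow from the table above: an empty grants list is not a deny (the third profile matches the external token yet the token still collects grants from the other matching profiles), and a PRIVILEGES subject with an empty privileges map must not be treated as "match everyone from this issuer", which is why the model refuses it.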