REST API - create

esx authentication client profiles: create

Create a new client profile.

Request:

HTTP request

POST https://{server}/api/esx/authentication/client-profiles
{
    "grants"[
        {
            "resource_type""ENTITLEMENT",
            "entitlement""IDENTITY_MGMT"
        },
        {
            "resource_type""ENTITLEMENT",
            "entitlement""IDENTITY_MGMT"
        }
    ],
    "external_user_name""string",
    "local_user_name""string",
    "domain""string",
    "external_group_name""string",
    "issuer_alias""obj-103"
}

Body Parameters:

Name Type Description
bold = required
- create_spec Settings for the new client profile.
-.local_user_name string The local user name.

Exactly one of esx.authentication.client_profiles.create_spec.local_user_name, esx.authentication.client_profiles.create_spec.external_group_name or esx.authentication.client_profiles.create_spec.external_user_name must be set.

Optional. If set, create a client profile for a local user.

-.external_group_name string The external group name.

Exactly one of esx.authentication.client_profiles.create_spec.local_user_name, esx.authentication.client_profiles.create_spec.external_group_name or esx.authentication.client_profiles.create_spec.external_user_name must be set.

Optional. If set, create a client profile for an external group and esx.authentication.client_profiles.create_spec.issuer_alias and esx.authentication.client_profiles.create_spec.domain must be set.

-.external_user_name string The external user name.

Exactly one of esx.authentication.client_profiles.create_spec.local_user_name, esx.authentication.client_profiles.create_spec.external_group_name or esx.authentication.client_profiles.create_spec.external_user_name must be set.

Optional. If set, create a client profile for an external user and esx.authentication.client_profiles.create_spec.issuer_alias and esx.authentication.client_profiles.create_spec.domain must be set.

-.issuer_alias string The security token issuer alias, who created and signed the security token.

Optional. Must be set only if esx.authentication.client_profiles.create_spec.external_group_name or esx.authentication.client_profiles.create_spec.external_user_name is set.When clients pass a value of this structure as a parameter, the field must be an identifier for the resource type: com.vmware.esx.authentication.trust.security-token-issuer. When operations return a value of this structure as a result, the field will be an identifier for the resource type: com.vmware.esx.authentication.trust.security-token-issuer.

-.domain string Domain of the external principal.

Optional. Must be set only if esx.authentication.client_profiles.create_spec.external_group_name or esx.authentication.client_profiles.create_spec.external_user_name is set.

-.grants access_grant[] Access grants. When the list is empty, the matching subjects don't receive grants from this client profile. but will receive grants from other matching ClientProfiles.

-.grants[].resource_type string Type of permission entity.

Defines the types of esx.authentication.client_profiles.access_grant elements in a client profile. These are permission resource types. There is support for entitlements, but not for groups. Value is one of:
ENTITLEMENT: Permission entitlements.

These are coarse-grained permissions that are not associated with an object, i.e. they are system-wide.

-.grants[].entitlement string The entitlement in the access grant.

Defines all permission entitlements supported on the ESX.

These are coarse-grained permissions that are not associated with an object, i.e. they are system-wide.

Value is one of:
IDENTITY_MGMT: Allows modifying the identity configuration.

For example: esx.authentication.client_profiles, esx.authentication.trust.security_token_issuers.


SECURITY_MGMT: Allows modifying security configuration.

For example: KMS, Attestation.


READ_ONLY: Allows access to some read-only operations. Not all read-only operations are accessible with this entitlement. Check the specific operation documentation for the required authorization.Optional. It is only relevant when resource_type has value ENTITLEMENT. This field is optional and it is only relevant when the value of resource_type is ENTITLEMENT.

Response:

HTTP Status Code: 201

Response Body Structure:

"obj-103"

Headers:

None

Type:

Name Type Description
bold = required
- string The new client profile.

Errors:

HTTP Status Code Type Description
400 already_exists if there is already a esx.authentication.client_profiles instance with the same subject.
400 invalid_argument if the esx.authentication.client_profiles.create_spec contains invalid data.
500 error if there is a problem storing the data.
401 unauthenticated if the user can not be authenticated.