win_acl - Set file/directory/registry permissions for a system user or group
New in version 2.0.
Synopsis
- Add or remove rights/permissions for a given user or group for the specified file, folder, registry key or AppPool identities.
- If adding ACLs for AppPool identities (available since 2.3), the Windows Feature “Web-Scripting-Tools” must be enabled.
Parameters
Parameter | Choices/Defaults | Comments |
---|---|---|
inherit | | Inherit flags on the ACL rules. Can be specified as a comma separated list, e.g. ContainerInherit, ObjectInherit. For more information on the choices see MSDN InheritanceFlags enumeration at https://msdn.microsoft.com/en-us/library/system.security.accesscontrol.inheritanceflags.aspx. Defaults to ContainerInherit, ObjectInherit for Directories. |
path (required) | | The path to the file or directory. |
propagation | | Propagation flag on the ACL rules. For more information on the choices see MSDN PropagationFlags enumeration at https://msdn.microsoft.com/en-us/library/system.security.accesscontrol.propagationflags.aspx. |
rights (required) | | The rights/permissions that are to be allowed/denied for the specified user or group for the item at path. If path is a file or directory, rights can be any right under MSDN FileSystemRights https://msdn.microsoft.com/en-us/library/system.security.accesscontrol.filesystemrights.aspx. If path is a registry key, rights can be any right under MSDN RegistryRights https://msdn.microsoft.com/en-us/library/system.security.accesscontrol.registryrights.aspx. |
state | | Specify whether to add (present) or remove (absent) the specified access rule. |
type (required) | | Specify whether to allow or deny the rights specified. |
user (required) | | User or Group to add specified rights to act on src file/folder or registry key. |
Examples
- name: Restrict write and execute access to User Fed-Phil
  win_acl:
    user: Fed-Phil
    path: C:\Important\Executable.exe
    type: deny
    rights: ExecuteFile,Write

- name: Add IIS_IUSRS allow rights
  win_acl:
    path: C:\inetpub\wwwroot\MySite
    user: IIS_IUSRS
    rights: FullControl
    type: allow
    state: present
    inherit: ContainerInherit, ObjectInherit
    propagation: 'None'

- name: set registry key right
  win_acl:
    path: HKCU:\Bovine\Key
    user: BUILTIN\Users
    rights: EnumerateSubKeys
    type: allow
    state: present
    inherit: ContainerInherit, ObjectInherit
    propagation: 'None'

- name: Remove FullControl AccessRule for IIS_IUSRS
  win_acl:
    path: C:\inetpub\wwwroot\MySite
    user: IIS_IUSRS
    rights: FullControl
    type: allow
    state: absent
    inherit: ContainerInherit, ObjectInherit
    propagation: 'None'

- name: Deny Intern
  win_acl:
    path: C:\Administrator\Documents
    user: Intern
    rights: Read,Write,Modify,FullControl,Delete
    type: deny
    state: present
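Because rights and inherit are free-form comma separated strings, it is worth reviewing win_acl tasks before they are applied. The following is an added example, not part of the module or its documentation: a small Python check that flags tasks adding an allow rule with write-capable rights for a broad group. The names BROAD_PRINCIPALS, WRITE_CAPABLE, review_task and the choice of which groups count as broad are assumptions of this example; tasks are passed in as dicts, as a YAML loader would return them.

```python
# Added example: flag win_acl tasks granting write-capable rights to broad groups.
BROAD_PRINCIPALS = {"everyone", "authenticated users", "users",
                    "builtin\\users", "iis_iusrs"}   # assumption: review policy
WRITE_CAPABLE = {"fullcontrol", "modify", "write", "writedata", "appenddata",
                 "delete", "changepermissions", "takeownership",   # file system
                 "setvalue", "createsubkey", "writekey"}           # registry
REQUIRED = ("path", "rights", "type", "user")   # marked required on the page


def split_csv(value):
    """Split a comma separated module value such as 'ExecuteFile,Write'."""
    return [v.strip() for v in str(value or "").split(",") if v.strip()]


def review_task(task):
    """Return findings for one task; an empty list means nothing to flag."""
    args = task.get("win_acl")
    if not isinstance(args, dict):
        return []                                   # not a win_acl task
    findings = ["missing required parameter: " + k
                for k in REQUIRED if not args.get(k)]
    state = str(args.get("state", "present")).lower()   # omitted means present
    allow = str(args.get("type", "")).lower() == "allow"
    broad = str(args.get("user", "")).lower() in BROAD_PRINCIPALS
    risky = [r for r in split_csv(args.get("rights")) if r.lower() in WRITE_CAPABLE]
    if state == "present" and allow and broad and risky:
        inherit = ",".join(split_csv(args.get("inherit"))) or "module default"
        findings.append("%s: %s allowed %s (inherit: %s)" % (
            args.get("path"), args.get("user"), ",".join(risky), inherit))
    return findings

# Constructed sample input, modelled on the examples above.
SAMPLE_TASKS = [
    {"name": "Add IIS_IUSRS allow rights",
     "win_acl": {"path": r"C:\inetpub\wwwroot\MySite", "user": "IIS_IUSRS",
                 "rights": "FullControl", "type": "allow", "state": "present",
                 "inherit": "ContainerInherit, ObjectInherit", "propagation": "None"}},
    {"name": "set registry key right",
     "win_acl": {"path": r"HKCU:\Bovine\Key", "user": r"BUILTIN\Users",
                 "rights": "EnumerateSubKeys", "type": "allow"}},
    {"name": "Deny Intern",
     "win_acl": {"path": r"C:\Administrator\Documents", "user": "Intern",
                 "rights": "Read,Write,Modify,FullControl,Delete", "type": "deny"}},
]

if __name__ == "__main__":
    for t in SAMPLE_TASKS:
        for finding in review_task(t):
            print(t["name"], "->", finding)
```

Only the IIS_IUSRS FullControl task is reported; the read-only registry grant and the deny rule pass.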
Status
This module is flagged as preview which means that it is not guaranteed to have a backwards compatible interface.
Maintenance
This module is flagged as core which means that it is maintained by the Ansible Core Team. See Module Maintenance & Support for more info.
For a list of other modules that are also maintained by the Ansible Core Team, see here.
Support
For more information about Red Hat’s support of this module, please refer to this Knowledge Base article
Author
- Phil Schwartz (@schwartzmx)
- Trond Hindenes (@trondhindenes)
- Hans-Joachim Kliemeck (@h0nIg)
© 2012–2018 Michael DeHaan
© 2018–2019 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/2.6/modules/win_acl_module.html