win_acl - Set file/directory/registry permissions for a system user or group

New in version 2.0.

Synopsis
Parameters
Examples
Status
Maintenance
- Support
- Author

Synopsis

Add or remove rights/permissions for a given user or group for the specified file, folder, registry key or AppPool identifies.
If adding ACL’s for AppPool identities (available since 2.3), the Windows Feature “Web-Scripting-Tools” must be enabled.

Parameters

Parameter	Choices/Defaults	Comments
inherit	Choices: ContainerInherit ObjectInherit	Inherit flags on the ACL rules. Can be specified as a comma separated list, e.g. `ContainerInherit`, `ObjectInherit`. For more information on the choices see MSDN InheritanceFlags enumeration at https://msdn.microsoft.com/en-us/library/system.security.accesscontrol.inheritanceflags.aspx. Defaults to `ContainerInherit, ObjectInherit` for Directories.
path required		The path to the file or directory.
propagation	Choices: InheritOnly None ← NoPropagateInherit	Propagation flag on the ACL rules. For more information on the choices see MSDN PropagationFlags enumeration at https://msdn.microsoft.com/en-us/library/system.security.accesscontrol.propagationflags.aspx.
rights required		The rights/permissions that are to be allowed/denied for the specified user or group for the item at `path`. If `path` is a file or directory, rights can be any right under MSDN FileSystemRights https://msdn.microsoft.com/en-us/library/system.security.accesscontrol.filesystemrights.aspx. If `path` is a registry key, rights can be any right under MSDN RegistryRights https://msdn.microsoft.com/en-us/library/system.security.accesscontrol.registryrights.aspx.
state	Choices: absent present ←	Specify whether to add `present` or remove `absent` the specified access rule.
type required	Choices: allow deny	Specify whether to allow or deny the rights specified.
user required		User or Group to add specified rights to act on src file/folder or registry key.

Examples

- name: Restrict write and execute access to User Fed-Phil
  win_acl:
    user: Fed-Phil
    path: C:\Important\Executable.exe
    type: deny
    rights: ExecuteFile,Write

- name: Add IIS_IUSRS allow rights
  win_acl:
    path: C:\inetpub\wwwroot\MySite
    user: IIS_IUSRS
    rights: FullControl
    type: allow
    state: present
    inherit: ContainerInherit, ObjectInherit
    propagation: 'None'

- name: set registry key right
  win_acl:
    path: HKCU:\Bovine\Key
    user: BUILTIN\Users
    rights: EnumerateSubKeys
    type: allow
    state: present
    inherit: ContainerInherit, ObjectInherit
    propagation: 'None'

- name: Remove FullControl AccessRule for IIS_IUSRS
  win_acl:
    path: C:\inetpub\wwwroot\MySite
    user: IIS_IUSRS
    rights: FullControl
    type: allow
    state: absent
    inherit: ContainerInherit, ObjectInherit
    propagation: 'None'

- name: Deny Intern
  win_acl:
    path: C:\Administrator\Documents
    user: Intern
    rights: Read,Write,Modify,FullControl,Delete
    type: deny
    state: present

Status

This module is flagged as preview which means that it is not guaranteed to have a backwards compatible interface.

Maintenance

This module is flagged as core which means that it is maintained by the Ansible Core Team. See Module Maintenance & Support for more info.

For a list of other modules that are also maintained by the Ansible Core Team, see here.

Support

For more information about Red Hat’s support of this module, please refer to this Knowledge Base article

Author

Phil Schwartz (@schwartzmx)
Trond Hindenes (@trondhindenes)
Hans-Joachim Kliemeck (@h0nIg)

Hint

If you notice any issues in this documentation you can edit this document to improve it.

© 2012–2018 Michael DeHaan
© 2018–2019 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/2.6/modules/win_acl_module.html