Documentation

win_acl - Set file/directory permissions for a system user or group.

New in version 2.0.

Synopsis

  • Add or remove rights/permissions for a given user or group for the specified src file or folder.
  • If adding ACLs for AppPool identities (available since 2.3), the Windows “Feature Web-Scripting-Tools” must be enabled.

Options

inherit
  required: no
  default: For Leaf File, None; For Directory, ContainerInherit, ObjectInherit;
  choices:
    • ContainerInherit
    • ObjectInherit
    • None
  comments: Inherit flags on the ACL rules. Can be specified as a comma-separated list (Ex. "ContainerInherit, ObjectInherit"). For more information on the choices see MSDN InheritanceFlags Enumeration.

path
  required: yes
  comments: File or Directory

propagation
  required: no
  default: None
  choices:
    • None
    • NoPropagateInherit
    • InheritOnly
  comments: Propagation flag on the ACL rules. For more information on the choices see MSDN PropagationFlags Enumeration.

rights
  required: yes
  default: none
  choices:
    • AppendData
    • ChangePermissions
    • Delete
    • DeleteSubdirectoriesAndFiles
    • ExecuteFile
    • FullControl
    • ListDirectory
    • Modify
    • Read
    • ReadAndExecute
    • ReadAttributes
    • ReadData
    • ReadExtendedAttributes
    • ReadPermissions
    • Synchronize
    • TakeOwnership
    • Traverse
    • Write
    • WriteAttributes
    • WriteData
    • WriteExtendedAttributes
  comments: The rights/permissions that are to be allowed/denied for the specified user or group for the given src file or directory. Can be entered as a comma-separated list (Ex. "Modify, Delete, ExecuteFile"). For more information on the choices see MSDN FileSystemRights Enumeration.

state
  required: no
  default: present
  choices:
    • present
    • absent
  comments: Specify whether to add (present) or remove (absent) the specified access rule.

type
  required: yes
  default: none
  choices:
    • allow
    • deny
  comments: Specify whether to allow or deny the rights specified.

user
  required: yes
  default: none
  comments: User or group that the specified rights apply to on the src file/folder.
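
To see which objects a rule reaches for a given inherit and propagation combination, this added example (not part of the module or of the original documentation) models standard NTFS inheritance over a constructed directory tree. The tree and the names `parse_flags` and `affected_paths` are hypothetical, and it assumes no child object has inheritance disabled.

```python
# Added illustration, not Ansible or win_acl code: models standard NTFS ACE
# inheritance to show which objects one rule is effective on.
# Assumption: no child object has inheritance disabled.
INHERIT = {"ContainerInherit", "ObjectInherit", "None"}
PROPAGATION = {"None", "NoPropagateInherit", "InheritOnly"}

# Constructed sample tree: path -> True for a directory, False for a file.
TREE = {
    r"C:\Site": True,
    r"C:\Site\index.html": False,
    r"C:\Site\uploads": True,
    r"C:\Site\uploads\a.png": False,
    r"C:\Site\uploads\tmp": True,
    r"C:\Site\uploads\tmp\b.png": False,
}


def parse_flags(value, allowed):
    """Parse a comma-separated flag string in the form the options accept."""
    flags = {f.strip() for f in value.split(",") if f.strip()}
    unknown = flags - allowed
    if unknown:
        raise ValueError(f"unsupported flag(s): {sorted(unknown)}")
    return flags - {"None"}


def affected_paths(root, inherit, propagation, tree=TREE):
    """Return the sorted paths on which a rule set on `root` is effective."""
    inh = parse_flags(inherit, INHERIT)
    prop = parse_flags(propagation, PROPAGATION)
    if not inh:
        prop = set()  # propagation flags only matter with inheritance flags
    # InheritOnly: the rule is passed to children but not applied to root.
    hit = set() if "InheritOnly" in prop else {root}
    for path, is_dir in tree.items():
        if not path.startswith(root + "\\"):
            continue
        depth = path[len(root) + 1:].count("\\") + 1
        if "NoPropagateInherit" in prop and depth > 1:
            continue  # inherited copies are not passed further down
        # Sub-folders take the rule via ContainerInherit, files via
        # ObjectInherit; folders carry a file-only rule down to nested files.
        wanted = "ContainerInherit" if is_dir else "ObjectInherit"
        if wanted in inh:
            hit.add(path)
    return sorted(hit)
```

Running `affected_paths` for a planned deny or allow rule before applying it shows whether the rule covers more or fewer objects than intended.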

Examples

- name: Restrict write and execute access to User Fed-Phil
  win_acl:
    user: Fed-Phil
    path: C:\Important\Executable.exe
    type: deny
    rights: ExecuteFile,Write

- name: Add IIS_IUSRS allow rights
  win_acl:
    path: C:\inetpub\wwwroot\MySite
    user: IIS_IUSRS
    rights: FullControl
    type: allow
    state: present
    inherit: ContainerInherit, ObjectInherit
    propagation: 'None'

# Remove previously added rule for IIS_IUSRS
- name: Remove FullControl AccessRule for IIS_IUSRS
  win_acl:
    path: C:\inetpub\wwwroot\MySite
    user: IIS_IUSRS
    rights: FullControl
    type: allow
    state: absent
    inherit: ContainerInherit, ObjectInherit
    propagation: 'None'

# Deny Intern
- name: Deny Intern
  win_acl:
    path: C:\Administrator\Documents
    user: Intern
    rights: Read,Write,Modify,FullControl,Delete
    type: deny
    state: present

Status

This module is flagged as preview, which means that it is not guaranteed to have a backwards-compatible interface.

Support

This module is maintained by those with core commit privileges.

For more information on what this means, please read Module Support.

For help in developing on modules, should you be so inclined, please read Community Information & Contributing, Testing Ansible and Developing Modules.