win_acl – Set file/directory/registry permissions for a system user or group

New in version 2.0.

Synopsis

  • Add or remove rights/permissions for a given user or group for the specified file, folder, registry key or AppPool identity.

Parameters

Parameter Choices/Defaults Comments
inherit
string
    Choices:
  • ContainerInherit
  • ObjectInherit
Inherit flags on the ACL rules.
Can be specified as a comma-separated list, e.g. ContainerInherit, ObjectInherit.
For more information on the choices see MSDN InheritanceFlags enumeration at https://msdn.microsoft.com/en-us/library/system.security.accesscontrol.inheritanceflags.aspx.
Defaults to ContainerInherit, ObjectInherit for Directories.
path
string / required
The path to the file or directory.
propagation
string
    Choices:
  • InheritOnly
  • None ← (default)
  • NoPropagateInherit
Propagation flag on the ACL rules.
For more information on the choices see MSDN PropagationFlags enumeration at https://msdn.microsoft.com/en-us/library/system.security.accesscontrol.propagationflags.aspx.
rights
string / required
The rights/permissions that are to be allowed/denied for the specified user or group for the item at path.
If path is a file or directory, rights can be any right under MSDN FileSystemRights at https://msdn.microsoft.com/en-us/library/system.security.accesscontrol.filesystemrights.aspx.
If path is a registry key, rights can be any right under MSDN RegistryRights at https://msdn.microsoft.com/en-us/library/system.security.accesscontrol.registryrights.aspx.
state
string
    Choices:
  • absent
  • present ← (default)
Specify whether to add (present) or remove (absent) the specified access rule.
type
string / required
    Choices:
  • allow
  • deny
Specify whether to allow or deny the rights specified.
user
string / required
User or group to which the specified rights are applied for the file, folder or registry key at path.

Notes

  • If adding ACLs for AppPool identities (available since 2.3), the Windows Feature “Web-Scripting-Tools” must be enabled.

See Also

win_acl_inheritance – Change ACL inheritance

The official documentation on the win_acl_inheritance module.

win_file – Creates, touches or removes files or directories

The official documentation on the win_file module.

win_owner – Set owner

The official documentation on the win_owner module.

win_stat – Get information about Windows files

The official documentation on the win_stat module.

Examples

- name: Restrict write and execute access to User Fed-Phil
  win_acl:
    user: Fed-Phil
    path: C:\Important\Executable.exe
    type: deny
    rights: ExecuteFile,Write

- name: Add IIS_IUSRS allow rights
  win_acl:
    path: C:\inetpub\wwwroot\MySite
    user: IIS_IUSRS
    rights: FullControl
    type: allow
    state: present
    inherit: ContainerInherit, ObjectInherit
    propagation: 'None'

- name: Set registry key right
  win_acl:
    path: HKCU:\Bovine\Key
    user: BUILTIN\Users
    rights: EnumerateSubKeys
    type: allow
    state: present
    inherit: ContainerInherit, ObjectInherit
    propagation: 'None'

- name: Remove FullControl AccessRule for IIS_IUSRS
  win_acl:
    path: C:\inetpub\wwwroot\MySite
    user: IIS_IUSRS
    rights: FullControl
    type: allow
    state: absent
    inherit: ContainerInherit, ObjectInherit
    propagation: 'None'

- name: Deny Intern
  win_acl:
    path: C:\Administrator\Documents
    user: Intern
    rights: Read,Write,Modify,FullControl,Delete
    type: deny
    state: present
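
The examples above all use propagation: 'None'. The task list below is an added example, not part of the module's documentation, showing how inherit and propagation change which objects receive a rule. The Archive and Shares paths and the Interns and HelpDesk groups are hypothetical.

```yaml
# Added example with constructed paths and group names.

# propagation 'None' with both inherit flags: the rule applies to the
# folder itself and is inherited by every file and subfolder below it.
# ReadAndExecute is a narrower grant than FullControl for site content.
- name: Allow IIS_IUSRS to read and execute site content
  win_acl:
    path: C:\inetpub\wwwroot\MySite
    user: IIS_IUSRS
    rights: ReadAndExecute
    type: allow
    state: present
    inherit: ContainerInherit, ObjectInherit
    propagation: 'None'

# InheritOnly: the rule is inherited by the files and subfolders below
# Archive but is not applied to the Archive folder object itself.
- name: Deny Write on the contents of Archive, not on Archive itself
  win_acl:
    path: C:\Data\Archive        # hypothetical path
    user: Interns                # hypothetical group
    rights: Write
    type: deny
    state: present
    inherit: ContainerInherit, ObjectInherit
    propagation: InheritOnly

# NoPropagateInherit: the folder and its direct children receive the
# rule, but those children do not pass it on to their own children.
- name: Allow HelpDesk to read Shares and its first level only
  win_acl:
    path: C:\Shares              # hypothetical path
    user: HelpDesk               # hypothetical group
    rights: Read
    type: allow
    state: present
    inherit: ContainerInherit, ObjectInherit
    propagation: NoPropagateInherit
```

Removing any of these rules with state: absent requires the same rights, type, inherit and propagation values, as in the IIS_IUSRS removal example above.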

Status

Red Hat Support

More information about Red Hat’s support of this module is available from this Red Hat Knowledge Base article.

Authors

  • Phil Schwartz (@schwartzmx)

  • Trond Hindenes (@trondhindenes)

  • Hans-Joachim Kliemeck (@h0nIg)
