ansible.windows.win_acl module – Set file/directory/registry permissions for a system user or group

Note

This module is part of the ansible.windows collection (version 1.9.0).

You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install ansible.windows.

To use it in a playbook, specify: ansible.windows.win_acl.

Synopsis

  • Add or remove rights/permissions for a given user or group for the specified file, folder, registry key or AppPool identifies.

Parameters

Parameter

Comments

inherit

string

Inherit flags on the ACL rules.

Can be specified as a comma separated list, e.g. ContainerInherit, ObjectInherit.

For more information on the choices see MSDN InheritanceFlags enumeration at https://msdn.microsoft.com/en-us/library/system.security.accesscontrol.inheritanceflags.aspx.

Defaults to ContainerInherit, ObjectInherit for Directories.

Choices:

  • ContainerInherit

  • ObjectInherit

path

string / required

The path to the file or directory.

propagation

string

Propagation flag on the ACL rules.

For more information on the choices see MSDN PropagationFlags enumeration at https://msdn.microsoft.com/en-us/library/system.security.accesscontrol.propagationflags.aspx.

Choices:

  • InheritOnly

  • None ← (default)

  • NoPropagateInherit

rights

string / required

The rights/permissions that are to be allowed/denied for the specified user or group for the item at path.

If path is a file or directory, rights can be any right under MSDN FileSystemRights https://msdn.microsoft.com/en-us/library/system.security.accesscontrol.filesystemrights.aspx.

If path is a registry key, rights can be any right under MSDN RegistryRights https://msdn.microsoft.com/en-us/library/system.security.accesscontrol.registryrights.aspx.

state

string

Specify whether to add present or remove absent the specified access rule.

Choices:

  • absent

  • present ← (default)

type

string / required

Specify whether to allow or deny the rights specified.

Choices:

  • allow

  • deny

user

string / required

User or Group to add specified rights to act on src file/folder or registry key.

Notes

Note

  • If adding ACL’s for AppPool identities, the Windows Feature “Web-Scripting-Tools” must be enabled.

See Also

See also

ansible.windows.win_acl_inheritance

The official documentation on the ansible.windows.win_acl_inheritance module.

ansible.windows.win_file

The official documentation on the ansible.windows.win_file module.

ansible.windows.win_owner

The official documentation on the ansible.windows.win_owner module.

ansible.windows.win_stat

The official documentation on the ansible.windows.win_stat module.

Examples

- name: Restrict write and execute access to User Fed-Phil
  ansible.windows.win_acl:
    user: Fed-Phil
    path: C:\Important\Executable.exe
    type: deny
    rights: ExecuteFile,Write

- name: Add IIS_IUSRS allow rights
  ansible.windows.win_acl:
    path: C:\inetpub\wwwroot\MySite
    user: IIS_IUSRS
    rights: FullControl
    type: allow
    state: present
    inherit: ContainerInherit, ObjectInherit
    propagation: 'None'

- name: Set registry key right
  ansible.windows.win_acl:
    path: HKCU:\Bovine\Key
    user: BUILTIN\Users
    rights: EnumerateSubKeys
    type: allow
    state: present
    inherit: ContainerInherit, ObjectInherit
    propagation: 'None'

- name: Remove FullControl AccessRule for IIS_IUSRS
  ansible.windows.win_acl:
    path: C:\inetpub\wwwroot\MySite
    user: IIS_IUSRS
    rights: FullControl
    type: allow
    state: absent
    inherit: ContainerInherit, ObjectInherit
    propagation: 'None'

- name: Deny Intern
  ansible.windows.win_acl:
    path: C:\Administrator\Documents
    user: Intern
    rights: Read,Write,Modify,FullControl,Delete
    type: deny
    state: present

Authors

  • Phil Schwartz (@schwartzmx)

  • Trond Hindenes (@trondhindenes)

  • Hans-Joachim Kliemeck (@h0nIg)