Documentation

win_acl - Set file/directory permissions for a system user or group.

New in version 2.0.

Synopsis

Add or remove rights/permissions for a given user or group for the specified src file or folder.

Options

parameter required default choices comments
inherit
no For Leaf File, None; For Directory, ContainerInherit, ObjectInherit;
  • ContainerInherit
  • ObjectInherit
  • None
Inherit flags on the ACL rules. Can be specified as a comma separated list (Ex. "ContainerInherit, ObjectInherit"). For more information on the choices see MSDN InheritanceFlags Enumeration.
path
yes
    File or Directory
    propagation
    no None
    • None
    • NoPropagateInherit
    • InheritOnly
    Propagation flag on the ACL rules. For more information on the choices see MSDN PropagationFlags Enumeration.
    rights
    yes none
    • AppendData
    • ChangePermissions
    • Delete
    • DeleteSubdirectoriesAndFiles
    • ExecuteFile
    • FullControl
    • ListDirectory
    • Modify
    • Read
    • ReadAndExecute
    • ReadAttributes
    • ReadData
    • ReadExtendedAttributes
    • ReadPermissions
    • Synchronize
    • TakeOwnership
    • Traverse
    • Write
    • WriteAttributes
    • WriteData
    • WriteExtendedAttributes
    The rights/permissions that are to be allowed/denyed for the specified user or group for the given src file or directory. Can be entered as a comma separated list (Ex. "Modify, Delete, ExecuteFile"). For more information on the choices see MSDN FileSystemRights Enumeration.
    state
    no present
    • present
    • absent
    Specify whether to add present or remove absent the specified access rule
    type
    yes none
    • allow
    • deny
    Specify whether to allow or deny the rights specified
    user
    yes none
      User or Group to add specified rights to act on src file/folder

      Examples

      # Restrict write,execute access to User Fed-Phil
      $ ansible -i hosts -m win_acl -a "user=Fed-Phil path=C:\Important\Executable.exe type=deny rights='ExecuteFile,Write'" all
      
      # Playbook example
      # Add access rule to allow IIS_IUSRS FullControl to MySite
      ---
      - name: Add IIS_IUSRS allow rights
        win_acl:
          path: 'C:\inetpub\wwwroot\MySite'
          user: 'IIS_IUSRS'
          rights: 'FullControl'
          type: 'allow'
          state: 'present'
          inherit: 'ContainerInherit, ObjectInherit'
          propagation: 'None'
      
      # Remove previously added rule for IIS_IUSRS
      - name: Remove FullControl AccessRule for IIS_IUSRS
          path: 'C:\inetpub\wwwroot\MySite'
          user: 'IIS_IUSRS'
          rights: 'FullControl'
          type: 'allow'
          state: 'absent'
          inherit: 'ContainerInherit, ObjectInherit'
          propagation: 'None'
      
      # Deny Intern
      - name: Deny Deny
          path: 'C:\Administrator\Documents'
          user: 'Intern'
          rights: 'Read,Write,Modify,FullControl,Delete'
          type: 'deny'
          state: 'present'
      

      This is an Extras Module

      For more information on what this means please read Extras Modules

      For help in developing on modules, should you be so inclined, please read Community Information & Contributing, Helping Testing PRs and Developing Modules.