win_acl - Set file/directory permissions for a system user or group.

New in version 2.0.


  • Add or remove rights/permissions for a given user or group for the specified src file or folder.
  • If adding ACLs for AppPool identities (available since 2.3), the Windows feature “Web-Scripting-Tools” must be enabled.


parameter: inherit
  required: no
  default: For Leaf File, None; For Directory, ContainerInherit, ObjectInherit;
  choices:
    • ContainerInherit
    • ObjectInherit
    • None
  comments: Inherit flags on the ACL rules. Can be specified as a comma-separated list (Ex. "ContainerInherit, ObjectInherit"). For more information on the choices see MSDN InheritanceFlags Enumeration.

parameter: path
  comments: File or Directory

parameter: propagation
  required: no
  default: None
  choices:
    • None
    • NoPropagateInherit
    • InheritOnly
  comments: Propagation flag on the ACL rules. For more information on the choices see MSDN PropagationFlags Enumeration.

parameter: rights
  required: yes
  default: none
  choices:
    • AppendData
    • ChangePermissions
    • Delete
    • DeleteSubdirectoriesAndFiles
    • ExecuteFile
    • FullControl
    • ListDirectory
    • Modify
    • Read
    • ReadAndExecute
    • ReadAttributes
    • ReadData
    • ReadExtendedAttributes
    • ReadPermissions
    • Synchronize
    • TakeOwnership
    • Traverse
    • Write
    • WriteAttributes
    • WriteData
    • WriteExtendedAttributes
  comments: The rights/permissions that are to be allowed/denied for the specified user or group for the given src file or directory. Can be entered as a comma-separated list (Ex. "Modify, Delete, ExecuteFile"). For more information on the choices see MSDN FileSystemRights Enumeration.

parameter: state
  required: no
  default: present
  choices:
    • present
    • absent
  comments: Specify whether to add (present) or remove (absent) the specified access rule.

parameter: type
  required: yes
  default: none
  choices:
    • allow
    • deny
  comments: Specify whether to allow or deny the rights specified.

parameter: user
  required: yes
  default: none
  comments: User or Group to add specified rights to act on src file/folder.


# Deny write and execute on a single file (a leaf object, so no inherit flags)
- name: Restrict write and execute access to User Fed-Phil
  win_acl:
    user: Fed-Phil
    path: C:\Important\Executable.exe
    type: deny
    rights: ExecuteFile,Write

# Grant rights on a directory, inherited by its subfolders and files
- name: Add IIS_IUSRS allow rights
  win_acl:
    path: C:\inetpub\wwwroot\MySite
    user: IIS_IUSRS
    rights: FullControl
    type: allow
    state: present
    inherit: ContainerInherit, ObjectInherit
    propagation: 'None'

# Remove previously added rule for IIS_IUSRS
- name: Remove FullControl AccessRule for IIS_IUSRS
  win_acl:
    path: C:\inetpub\wwwroot\MySite
    user: IIS_IUSRS
    rights: FullControl
    type: allow
    state: absent
    inherit: ContainerInherit, ObjectInherit
    propagation: 'None'

# Deny Intern
- name: Deny Deny
  win_acl:
    path: C:\Administrator\Documents
    user: Intern
    rights: Read,Write,Modify,FullControl,Delete
    type: deny
    state: present
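
The inherit and propagation options decide which child objects receive a rule, which matters when the grant is narrower than the FullControl shown above. The tasks below are an added example, not part of the original module documentation: they use only the options listed on this page, and the uploads subfolder is a hypothetical path.

```yaml
# Added example (not from the module documentation).
# Assumption: C:\inetpub\wwwroot\MySite\uploads is a hypothetical writable folder.

# Read-only access to the site, inherited by subfolders (ContainerInherit)
# and by files (ObjectInherit).
- name: Allow IIS_IUSRS to read and execute site content
  win_acl:
    path: C:\inetpub\wwwroot\MySite
    user: IIS_IUSRS
    rights: ReadAndExecute
    type: allow
    state: present
    inherit: ContainerInherit, ObjectInherit
    propagation: 'None'

# Write access is granted only where it is needed.
- name: Allow IIS_IUSRS to modify content in the uploads folder
  win_acl:
    path: C:\inetpub\wwwroot\MySite\uploads
    user: IIS_IUSRS
    rights: Modify
    type: allow
    state: present
    inherit: ContainerInherit, ObjectInherit
    propagation: 'None'

# ObjectInherit without ContainerInherit targets files only; InheritOnly keeps
# the rule off the uploads folder itself. ExecuteFile and Traverse are the same
# right, so this keeps the folder traversable while denying execution of files.
- name: Deny IIS_IUSRS execution of files below the uploads folder
  win_acl:
    path: C:\inetpub\wwwroot\MySite\uploads
    user: IIS_IUSRS
    rights: ExecuteFile
    type: deny
    state: present
    inherit: ObjectInherit
    propagation: InheritOnly
```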


This module is flagged as preview which means that it is not guaranteed to have a backwards compatible interface.


This module is maintained by those with core commit privileges

For more information on what this means please read Module Support


