Manage DACLs on Windows
depends: |
|
---|
salt.modules.win_dacl.
User
¶class object that returns a users SID
salt.modules.win_dacl.
add_ace
(path, objectType, user, permission, acetype, propagation)¶add an ace to an object
path: path to the object (i.e. c:tempfile, HKEY_LOCAL_MACHINESOFTWAREKEY, etc) user: user to add permission: permissions for the user acetypes: either allow/deny for each user/permission (ALLOW, DENY) propagation: how the ACE applies to children for Registry Keys and Directories(KEY, KEY&SUBKEYS, SUBKEYS)
CLI Example:
allow domain
akeuser' 'FULLCONTROL' 'ALLOW' 'KEY&SUBKEYS'
salt.modules.win_dacl.
check_ace
(path, objectType, user=None, permission=None, acetype=None, propagation=None, exactPermissionMatch=False)¶checks a path to verify the ACE (access control entry) specified exists returns 'Exists' true if the ACE exists, false if it does not
path: path to the file/reg key user: user that the ACL is for permission: permission to test for (READ, FULLCONTROl, etc) acetype: the type of ACE (ALLOW or DENY) propagation: the propagation type of the ACE (FILES, FOLDERS, KEY, KEY&SUBKEYS, SUBKEYS, etc) exactPermissionMatch: the ACL must match exactly, IE if READ is specified, the user must have READ exactly and not FULLCONTROL (which also has the READ permission obviously)
salt.modules.win_dacl.
check_inheritance
(path, objectType)¶check a specified path to verify if inheritance is enabled returns 'Inheritance' of True/False
hkey: HKEY_LOCAL_MACHINE, HKEY_CURRENT_USER, etc path: path of the registry key to check
salt.modules.win_dacl.
daclConstants
¶dacl constants used throughout the module
getAceTypeBit
(t)¶returns the acetype bit of a text value
getAceTypeText
(t)¶returns the textual representation of a acetype bit
getObjectTypeBit
(t)¶returns the bit value of the string object type
getPermissionBit
(t, m)¶returns a permission bit of the string permission value for the specified object type
getPermissionText
(t, m)¶returns the permission textual representation of a specified permission bit/object type
getPropagationBit
(t, p)¶returns the propagation bit of a text value
getPropagationText
(t, p)¶returns the textual representation of a propagation bit
getSecurityHkey
(s)¶returns the necessary string value for an HKEY for the win32security module
processPath
(path, objectType)¶salt.modules.win_dacl.
disable_inheritance
(path, objectType, copy=True)¶disable inheritance on an object
copy = True will copy the Inerhited ACEs to the DACL before disabling inheritance
salt.modules.win_dacl.
enable_inheritance
(path, objectType, clear=False)¶enable/disable inheritance on an object
clear = True will remove non-Inherited ACEs from the ACL
salt.modules.win_dacl.
get
(path, objectType)¶get the acl of an object
salt.modules.win_dacl.
rm_ace
(path, objectType, user, permission, acetype, propagation)¶remove an ace to an object
path: path to the object (i.e. c:tempfile, HKEY_LOCAL_MACHINESOFTWAREKEY, etc) user: user to remove permission: permissions for the user acetypes: either allow/deny for each user/permission (ALLOW, DENY) propagation: how the ACE applies to children for Registry Keys and Directories(KEY, KEY&SUBKEYS, SUBKEYS)
*The entire ACE must match to be removed*
CLI Example:
remove allow domain
akeuser' 'FULLCONTROL' 'ALLOW' 'KEY&SUBKEYS'