salt.modules.win_dacl

Manage DACLs on Windows

depends:
  • winreg Python module
class salt.modules.win_dacl.User

class object that returns a users SID

salt.modules.win_dacl.add_ace(path, objectType, user, permission, acetype, propagation)

add an ace to an object

path: path to the object (i.e. c:\temp\file, HKEY_LOCAL_MACHINE\SOFTWARE\KEY, etc) user: user to add permission: permissions for the user acetypes: either allow/deny for each user/permission (ALLOW, DENY) propagation: how the ACE applies to children for Registry Keys and Directories(KEY, KEY&SUBKEYS, SUBKEYS)

CLI Example:

allow domain\fakeuser full control on HKLM\\SOFTWARE\\somekey, propagate to this key and subkeys
    salt 'myminion' win_dacl.add_ace 'HKEY_LOCAL_MACHINE\\SOFTWARE\\somekey' 'Registry' 'domain\fakeuser' 'FULLCONTROL' 'ALLOW' 'KEY&SUBKEYS'
salt.modules.win_dacl.check_ace(path, objectType, user=None, permission=None, acetype=None, propagation=None, exactPermissionMatch=False)

checks a path to verify the ACE (access control entry) specified exists returns 'Exists' true if the ACE exists, false if it does not

path: path to the file/reg key user: user that the ACL is for permission: permission to test for (READ, FULLCONTROl, etc) acetype: the type of ACE (ALLOW or DENY) propagation: the propagation type of the ACE (FILES, FOLDERS, KEY, KEY&SUBKEYS, SUBKEYS, etc) exactPermissionMatch: the ACL must match exactly, IE if READ is specified, the user must have READ exactly and not FULLCONTROL (which also has the READ permission obviously)

salt.modules.win_dacl.check_inheritance(path, objectType)

check a specified path to verify if inheritance is enabled returns 'Inheritance' of True/False

hkey: HKEY_LOCAL_MACHINE, HKEY_CURRENT_USER, etc path: path of the registry key to check

class salt.modules.win_dacl.daclConstants

dacl constants used throughout the module

getAceTypeBit(t)

returns the acetype bit of a text value

getAceTypeText(t)

returns the textual representation of a acetype bit

getObjectTypeBit(t)

returns the bit value of the string object type

getPermissionBit(t, m)

returns a permission bit of the string permission value for the specified object type

getPermissionText(t, m)

returns the permission textual representation of a specified permission bit/object type

getPropagationBit(t, p)

returns the propagation bit of a text value

getPropagationText(t, p)

returns the textual representation of a propagation bit

getSecurityHkey(s)

returns the necessary string value for an HKEY for the win32security module

processPath(path, objectType)
processes a path/object type combo and returns:
registry types with the correct HKEY text representation files/directories with environment variables expanded
salt.modules.win_dacl.disable_inheritance(path, objectType, copy=True)

disable inheritance on an object

copy = True will copy the Inerhited ACEs to the DACL before disabling inheritance

salt.modules.win_dacl.enable_inheritance(path, objectType, clear=False)

enable/disable inheritance on an object

clear = True will remove non-Inherited ACEs from the ACL

salt.modules.win_dacl.get(path, objectType)

get the acl of an object

salt.modules.win_dacl.rm_ace(path, objectType, user, permission, acetype, propagation)

remove an ace to an object

path: path to the object (i.e. c:\temp\file, HKEY_LOCAL_MACHINE\SOFTWARE\KEY, etc) user: user to remove permission: permissions for the user acetypes: either allow/deny for each user/permission (ALLOW, DENY) propagation: how the ACE applies to children for Registry Keys and Directories(KEY, KEY&SUBKEYS, SUBKEYS)

*The entire ACE must match to be removed*

CLI Example:

remove allow domain\fakeuser full control on HKLM\\SOFTWARE\\somekey propagated to this key and subkeys
    salt 'myminion' win_dacl.rm_ace 'Registry' 'HKEY_LOCAL_MACHINE\\SOFTWARE\\somekey' 'domain\fakeuser' 'FULLCONTROL' 'ALLOW' 'KEY&SUBKEYS'