4.16.14 Change file or folder access permissions
Function
You can change the access permission of a specified user for a specified file on the Windows execution-target server by using this plug-in.
You can specify a folder as a target of access permission change. Specify a folder name for the file name of the access permission setting target (the common.targetFileName property).
You can specify a group as a target of access permission change. Specify a group name for the OS user name (the Windows.osUserName property).
You can change whether to allow or deny accesses by using the Set-ACL commandlet.
You can delete access permissions that have been set for the specified user by specifying "yes" (delete) for the deletion of allowed access permissions (the Windows.allowAccessPermissionDelete property) and the deletion of denied access permissions (the Windows.denyAccessPermissionDelete property).
The following is an explanation about the file name of the access permission setting target (the common.targetFileName property):
- Specify a string of 256 or fewer characters.
- To specify a file as a target, specify the file name by using a full path.
- To specify a folder as a target, specify the folder name by using a full path.
OS user name (the Windows.osUserName property)
- Specify 256 or fewer half-width alphanumeric characters, hyphens (-), exclamation marks (!), hash marks (#), tildes (~), underscores (_), periods (.) and yen signs (¥).
- To set access permissions for a user, specify the user name.
- To specify a domain user, use the format <NetBIOS-domain-name>\<domain-user-name>.
Specify 15 or fewer characters for <NetBIOS-domain-name> and 20 or fewer characters for <domain-user-name>.
- To set access permissions for a group, specify the group name.
- To specify a domain group, use the format <NetBIOS-domain-name>\<domain-group-name>.
Specify 15 or fewer characters for <NetBIOS-domain-name> and 64 or fewer characters for <domain-group-name>.
The following is an explanation of the access permissions to be allowed (the Windows.allowAccessPermission property):
- Specify the access permissions to be allowed. To specify multiple access permissions, use commas to delimit them.
- Access permissions that can be specified are:
FullControl
Modify
ReadAndExecute
Read
Write
The following is an explanation of the deletion of allowed access permissions (the Windows.allowAccessPermissionDelete property):
- Specify "yes" (delete) or "no" (do not delete).
- If this property is specified together with the access permissions to be allowed (the Windows.allowAccessPermission property), the access permissions that have been set will be deleted, and then the access permissions to be allowed will be set.
The following is an explanation of the access permission to be denied (the Windows.denyAccessPermission property):
- Specify the access permissions to be denied. To specify multiple access permissions, use commas to delimit them.
- Access permissions that can be specified are:
FullControl
Modify
ReadAndExecute
Read
Write
- If the same access permissions as the access permissions to be allowed are specified for the access permissions to be denied, the access permissions to be denied are given higher priority.
The following is an explanation of the deletion of denied access permissions (the Windows.denyAccessPermissionDelete property):
- Specify "yes" (delete) or "no" (do not delete).
- If this property is specified together with the access permission to be denied (the Windows.denyAccessPermission property), the access permissions that have been set will be deleted, and then the access permissions to be denied will be set.
Use situation
You can use this plug-in to change access permissions for files or folders.
Prerequisites
For the most recent information about the prerequisite products for the system, prerequisite products for the execution-target server, and the supported OSs for the execution-target server, see the release notes.
[Prerequisite products for the system]
JP1/Automatic Operation 11-00 or later
[Prerequisite products for the execution-target server]
None.
[Supported OSs for the execution-target server]
(1) Windows Server 2008 R2 Standard/Enterprise/Datacenter
(2) Windows Server 2012 Standard/Datacenter, Windows Server 2012 R2 Standard/Datacenter
(3) Windows Server 2016 Standard/Datacenter
[Conditions for using the execution-target server]
(1) Files and folders for which access permissions will be set must exist.
(2) Users and groups for which access permissions will be set must exist.
Cautions
(1) Do not use the following characters for the file name of the access permission setting target (the common.targetFileName property): left angle brackets (<), right angle brackets (>), vertical bars (|), semicolons (;), ampersands (&), asterisks (*), question marks (?), double quotation marks ("), percent signs (%), single quotation marks ('), left square brackets ([), right square brackets (]), grave accent marks (`), or backslashes (/).
(2) This plug-in is intended for normal files and folders. Therefore, it does not handle drives and registries as files or folders.
(3) You cannot change access permissions for multiple files or folders.
(4) You cannot change access permissions inherited from parent objects.
In addition, you cannot delete such permissions by specifying "yes (delete)" for the deletion of allowed access permissions (the Windows.allowAccessPermissionDelete property) and the deletion of denied access permissions (the Windows.denyAccessPermissionDelete property).
(5) If the following users do not have permissions to set access permissions for the file or folder that is specified for the file name of the access permission setting target (the common.targetFileName property), this plug-in might end abnormally. Check the access permissions that are specified for the file or folder.
- Built-in administrators
- Users who belong to the Administrators group
- Built-in administrators of Active Directory
- Users who belong to the Domain Admins group of Active Directory
Version
02.00.00
Plug-in tags
Control OS,Windows
Plug-in name displayed in the task log
osSetPermissionWin
Return code
0: Normal
12: Error (mistake by the user): A property is invalid.
27: Error (Check the details on the error in the task log.)
41: Error (An error was detected in the component.): A property was not entered. (An error was detected in the component script.)
Property list
The following table lists the properties:
Property key |
Property name |
Description |
Default value |
I/O type |
Required |
---|---|---|---|---|---|
plugin.destinationHost |
Host name of the execution target server |
Specify the host name or IP address of the server on which this plugin will be executed. IPv6 addresses are not supported. |
-- |
Input |
R |
common.targetFileName |
File to which access permissions are set |
Specify the full path to the file or folder for which you want to change access permissions. |
-- |
Input |
R |
Windows.osUserName |
OS user name |
Specify the user name or group name of the OS user to whom access permissions are change. |
-- |
Input |
R |
Windows.allowAccessPermission |
Allowed access permissions |
Specify the access permissions given to the user. To specify multiple access permissions, separate the permissions with commas. |
-- |
Input |
O |
Windows.allowAccessPermissionDelete |
Delete allowed access permissions |
To delete the access permissions that are already given to the specified OS user, specify yes. If you do not want to delete the permissions, specify no. |
no |
Input |
R |
Windows.denyAccessPermission |
Denied access permissions |
Specify the access permissions not given to the user. To specify multiple access permissions, separate the permissions with commas. |
-- |
Input |
O |
Windows.denyAccessPermissionDelete |
Delete denied access permissions |
To delete the access permissions that are not given to the specified OS user, specify yes. If you do not want to delete the permissions, specify no. |
no |
Input |
R |
common.returnValue |
Return value for the plugin |
The return value of this plugin stored. |
-- |
Output |
O |