4.16.14 Change file or folder access permissions

Function

You can change the access permission of a specified user for a specified file on the Windows execution-target server by using this plug-in.

You can specify a folder as a target of access permission change. Specify a folder name for the file name of the access permission setting target (the common.targetFileName property).

You can specify a group as a target of access permission change. Specify a group name for the OS user name (the Windows.osUserName property).

You can change whether to allow or deny accesses by using the Set-ACL commandlet.

You can delete access permissions that have been set for the specified user by specifying "yes" (delete) for the deletion of allowed access permissions (the Windows.allowAccessPermissionDelete property) and the deletion of denied access permissions (the Windows.denyAccessPermissionDelete property).

The following is an explanation about the file name of the access permission setting target (the common.targetFileName property):

- Specify a string of 256 or fewer characters.

- To specify a file as a target, specify the file name by using a full path.

- To specify a folder as a target, specify the folder name by using a full path.

OS user name (the Windows.osUserName property)

- Specify 256 or fewer half-width alphanumeric characters, hyphens (-), exclamation marks (!), hash marks (#), tildes (~), underscores (_), periods (.) and yen signs (¥).

- To set access permissions for a user, specify the user name.

- To specify a domain user, use the format <NetBIOS-domain-name>\<domain-user-name>.

Specify 15 or fewer characters for <NetBIOS-domain-name> and 20 or fewer characters for <domain-user-name>.

- To set access permissions for a group, specify the group name.

- To specify a domain group, use the format <NetBIOS-domain-name>\<domain-group-name>.

Specify 15 or fewer characters for <NetBIOS-domain-name> and 64 or fewer characters for <domain-group-name>.

The following is an explanation of the access permissions to be allowed (the Windows.allowAccessPermission property):

- Specify the access permissions to be allowed. To specify multiple access permissions, use commas to delimit them.

- Access permissions that can be specified are:

FullControl

Modify

ReadAndExecute

Read

Write

The following is an explanation of the deletion of allowed access permissions (the Windows.allowAccessPermissionDelete property):

- Specify "yes" (delete) or "no" (do not delete).

- If this property is specified together with the access permissions to be allowed (the Windows.allowAccessPermission property), the access permissions that have been set will be deleted, and then the access permissions to be allowed will be set.

The following is an explanation of the access permission to be denied (the Windows.denyAccessPermission property):

- Specify the access permissions to be denied. To specify multiple access permissions, use commas to delimit them.

- Access permissions that can be specified are:

FullControl

Modify

ReadAndExecute

Read

Write

- If the same access permissions as the access permissions to be allowed are specified for the access permissions to be denied, the access permissions to be denied are given higher priority.

The following is an explanation of the deletion of denied access permissions (the Windows.denyAccessPermissionDelete property):

- Specify "yes" (delete) or "no" (do not delete).

- If this property is specified together with the access permission to be denied (the Windows.denyAccessPermission property), the access permissions that have been set will be deleted, and then the access permissions to be denied will be set.

Use situation

You can use this plug-in to change access permissions for files or folders.

Prerequisites

For the most recent information about the prerequisite products for the system, prerequisite products for the execution-target server, and the supported OSs for the execution-target server, see the release notes.

[Prerequisite products for the system]

JP1/Automatic Operation 11-00 or later

[Prerequisite products for the execution-target server]

None.

[Supported OSs for the execution-target server]

(1) Windows Server 2008 R2 Standard/Enterprise/Datacenter

(2) Windows Server 2012 Standard/Datacenter, Windows Server 2012 R2 Standard/Datacenter

(3) Windows Server 2016 Standard/Datacenter

(4) Windows Server 2019 Standard/Datacenter

[Conditions for using the execution-target server]

(1) Files and folders for which access permissions will be set must exist.

(2) Users and groups for which access permissions will be set must exist.

Cautions

(1) Do not use the following characters for the file name of the access permission setting target (the common.targetFileName property): left angle brackets (<), right angle brackets (>), vertical bars (|), semicolons (;), ampersands (&), asterisks (*), question marks (?), double quotation marks ("), percent signs (%), single quotation marks ('), left square brackets ([), right square brackets (]), grave accent marks (`), or backslashes (/).

(2) This plug-in is intended for normal files and folders. Therefore, it does not handle drives and registries as files or folders.

(3) You cannot change access permissions for multiple files or folders.

(4) You cannot change access permissions inherited from parent objects.

In addition, you cannot delete such permissions by specifying "yes (delete)" for the deletion of allowed access permissions (the Windows.allowAccessPermissionDelete property) and the deletion of denied access permissions (the Windows.denyAccessPermissionDelete property).

(5) If the following users do not have permissions to set access permissions for the file or folder that is specified for the file name of the access permission setting target (the common.targetFileName property), this plug-in might end abnormally. Check the access permissions that are specified for the file or folder.

- Built-in administrators

- Users who belong to the Administrators group

- Built-in administrators of Active Directory

- Users who belong to the Domain Admins group of Active Directory

Version

02.00.00

Plug-in tags

Control OS,Windows

Plug-in name displayed in the task log

osSetPermissionWin

Return code

0: Normal

12: Error (mistake by the user): A property is invalid.

27: Error (Check the details on the error in the task log.)

41: Error (An error was detected in the component.): A property was not entered. (An error was detected in the component script.)

Property list

The following table lists the properties:

Property key	Property name	Description	Default value	I/O type	Required
plugin.destinationHost	Host name of the execution target server	Specify the host name or IP address of the server on which this plugin will be executed. IPv6 addresses are not supported.	--	Input	R
common.targetFileName	File to which access permissions are set	Specify the full path to the file or folder for which you want to change access permissions.	--	Input	R
Windows.osUserName	OS user name	Specify the user name or group name of the OS user to whom access permissions are change.	--	Input	R
Windows.allowAccessPermission	Allowed access permissions	Specify the access permissions given to the user. To specify multiple access permissions, separate the permissions with commas.	--	Input	O
Windows.allowAccessPermissionDelete	Delete allowed access permissions	To delete the access permissions that are already given to the specified OS user, specify yes. If you do not want to delete the permissions, specify no.	no	Input	R
Windows.denyAccessPermission	Denied access permissions	Specify the access permissions not given to the user. To specify multiple access permissions, separate the permissions with commas.	--	Input	O
Windows.denyAccessPermissionDelete	Delete denied access permissions	To delete the access permissions that are not given to the specified OS user, specify yes. If you do not want to delete the permissions, specify no.	no	Input	R
common.returnValue	Return value for the plugin	The return value of this plugin stored.	--	Output	O

To Page Top