Some minor updates ti acl module

ansible-collections · Oct 12, 2023 · ad53bfe · ad53bfe
1 parent ccf1230
commit ad53bfe
Show file tree

Hide file tree

Showing 2 changed files with 54 additions and 11 deletions.
diff --git a/plugins/modules/acl.ps1 b/plugins/modules/acl.ps1
@@ -12,9 +12,10 @@ $spec = @{
         object = @{ type = "str"; required = $true; aliases = "path" }
         principal = @{ type = "str"; required = $true; aliases = "user" }
         rights = @{ type = "str"; required = $true }
-        rights_attr = @{ type = "str" }
+        object_type = @{ type = "str"; aliases = "rights_attr" }
         type = @{ type = "str"; required = $true; choices = "allow", "deny" }
         inherit = @{ type = "str"; default = "None" }
+        inherited_object_type = @{ type = "str" }
         state = @{ type = "str"; default = "present"; choices = "absent", "present" }
     }
 }
@@ -34,8 +35,9 @@ $principal = $module.Params.principal
 $state = $module.Params.state
 $type = $module.Params.type
 $rights = $module.Params.rights
-$rights_attr = $module.Params.rights_attr
+$object_type = $module.Params.object_type
 $inherit = $module.Params.inherit
+$inherited_object_type = $module.Params.inherited_object_type
 
 $user_sid = Convert-ToSID -account_name $principal
 
@@ -44,8 +46,8 @@ Get-ADObject -SearchBase ((Get-ADRootDSE).SchemaNamingContext) -LDAPFilter "(sch
     ForEach-Object { $guidmap[$_.lDAPDisplayName] = [System.GUID]$_.schemaIDGUID }
 
 if ($rights_attr) {
-    if ($guidmap.Contains($rights_attr)) {
-        $objGUID = $guidmap[$rights_attr]
+    if ($guidmap.Contains($object_type)) {
+        $objGUID = $guidmap[$object_type]
     }
     Else {
         $module.FailJson("LDAP attribute $rights_attr does not exist")
@@ -55,6 +57,18 @@ Else {
     $objGUID = [guid]::empty
 }
 
+if ($inherited_object_type) {
+    if ($guidmap.Contains($inherited_object_type)) {
+        $inheritGUID = $guidmap[$inherited_object_type]
+    }
+    Else {
+        $module.FailJson("LDAP attribute $inherited_object_type does not exist")
+    }
+}
+Else {
+    $inheritGUID = [guid]::empty
+}
+
 Try {
     $objRights = [System.DirectoryServices.ActiveDirectoryRights]$rights
     $InheritanceFlag = [System.DirectoryServices.ActiveDirectorySecurityInheritance]$inherit
@@ -67,7 +81,7 @@ Try {
     }
 
     $objUser = New-Object System.Security.Principal.SecurityIdentifier($user_sid)
-    $objACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($objUser, $objRights, $objType, $objGUID, $InheritanceFlag, [guid]::empty)
+    $objACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($objUser, $objRights, $objType, $objGUID, $InheritanceFlag, $inheritGUID)
     $objACL = Get-ACL -Path "AD:\$($object)"
 
     $match = $false

diff --git a/plugins/modules/acl.py b/plugins/modules/acl.py
@@ -22,21 +22,33 @@
     required: yes
     aliases: [ user ]
   rights:
-    description: The rights/permissions that are to be allowed/denied for the object.
+    description:
+    - The rights/permissions that are to be allowed/denied for the object.
+    - The rights can be any right under Microsoft Learn ActiveDirectoryRights
+      U(https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.activedirectoryrights).
     type: str
     required: yes
-  rights_attr:
-    description: The attribute that the rights are to be allowd/denied for.
+  object_type:
+    description:
+    - The attribute or object type that the rights are to be allowd/denied for.
+    - This can be any LDAP attribute or object type.
     type: str
+    aliases: [ rights_attr ]
   type:
     description: Specify whether to allow or deny the rights specified.
     type: str
     choices: [ allow, deny ]
     required: yes
   inherit:
-    description: Inherit flags on the ACL rules.
+    description:
+    - Inherit flags on the ACL rules.
+    - For more information on the choices see Microsoft Learn ActiveDirectorySecurityInheritance
+      U(https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.activedirectorysecurityinheritance).
     type: str
     default: None
+  inherited_object_type:
+    description: The inherited attribute or object type the access rule applies on
+    type: str
   state:
     description: Specify whether to add C(present) or remove C(absent) the specified access rule.
     type: str
@@ -47,9 +59,26 @@
 '''
 
 EXAMPLES = r'''
+- name: Let System Adminstrators create/delete users in the MyAdmins OU
+  microsoft.ad.acl:
+    path: "OU=MyAdmins,DC=domain,DC=test"
+    user: System Administrators
+    rights: CreateChild,DeleteChild
+    rights_attr: user
+    type: allow
+
+- name: Let System Adminstrators manage users in the MyAdmins OU
+  microsoft.ad.acl:
+    path: "CN=System Administrators,OU=MyAdmins,DC=domain,DC=test"
+    user: System Administrators
+    rights: GenericAll
+    inherited_object_type: user
+    inherit: Children
+    type: allow
+
 - name: Set the C(Manager can update membership list) in the C(Managed By) tab
-  win_domain_acl:
-    object: "CN=System Administrators,OU=MyDomain,DC=domain,DC=test"
+  microsoft.ad.acl:
+    object: "CN=System Administrators,OU=MyAdmins,DC=domain,DC=test"
     principal: System Administrators
     rights: WriteProperty
     rights_attr: member