New-CMRequirementRuleFilePermissionValue
Create a requirement rule to verify file permissions.
Syntax
New-CMRequirementRuleFilePermissionValue
-ControlEntry <FileSystemAccessControlEntry[]>
[-Exclusive <Boolean>]
[-InputObject] <IResultObject>
[-DisableWildcardHandling]
[-ForceWildcardHandling]
[<CommonParameters>]
Description
Use this cmdlet to create a requirement rule on an application deployment type that verifies file permissions. It requires a custom global condition of data type File.
Tip
For comparison, if you manually create this requirement rule in the Configuration Manager console, select the following options:
- Category: Custom
- Condition: Select a custom global condition of data type File
- Rule type: Value
- Property: Permissions
After you use this cmdlet, then use one of the Add- or Set- cmdlets for deployment types. Pass this requirement rule object to either the AddRequirement or RemoveRequirement parameters.
For more information, see Deployment type Requirements and Create global conditions.
Note
Run Configuration Manager cmdlets from the Configuration Manager site drive, for example PS XYZ:\>
. For more information, see getting started.
Examples
Example 1: Add a requirement rule for file permissions
This example first uses the Get-CMGlobalCondition cmdlet to get a custom global condition. Then it uses the New-CMFileSystemAccessControlEntry cmdlet to create two access control entries for specific users. Next it creates the requirement rule object to check that the file has the permissions specified in the access control entries. Finally it passes that rule object to the Set-CMScriptDeploymentType cmdlet to add the requirement.
$myGC = Get-CMGlobalCondition -Name "LOB app data file"
$userName = "contoso\jqpublic"
$ce = New-CMFileSystemAccessControlEntry -GroupOrUserName $userName -AccessOption Allow -Permission Read,Write
$userName2 = "contoso\jdoe"
$ce2 = New-CMFileSystemAccessControlEntry -GroupOrUserName $userName2 -AccessOption Allow -Permission Read
$myRule = New-CMRequirementRuleFilePermissionValue -GlobalCondition $myGC -ControlEntry $ce,$ce2
Set-CMScriptDeploymentType -ApplicationName "Central app" -DeploymentTypeName "Install" -AddRequirement $myRule
Parameters
-ControlEntry
Specify an array of access control entry objects. An access control entry defines specific permissions for a specific user or group. To get this object, use the New-CMFileSystemAccessControlEntry cmdlet.
Type: | FileSystemAccessControlEntry[] |
Aliases: | ControlEntries, FileSystemAccessControlEntry, FileSystemAccessControlEntries |
Position: | Named |
Default value: | None |
Required: | True |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-DisableWildcardHandling
This parameter treats wildcard characters as literal character values. You can't combine it with ForceWildcardHandling.
Type: | SwitchParameter |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-Exclusive
If this parameter is $true
, for the rule to be compliant, it needs to exactly match the specified ACE exactly. Any other permissions on the file cause the rule to fail.
If set to $false
, for the rule to be compliant, the specified ACE must exist, and other permissions can exist as well.
Type: | Boolean |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-ForceWildcardHandling
This parameter processes wildcard characters and may lead to unexpected behavior (not recommended). You can't combine it with DisableWildcardHandling.
Type: | SwitchParameter |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-InputObject
Specify a custom global condition object to use as the basis for this requirement rule. To get this object, use the Get-CMGlobalCondition cmdlet.
To see the list of available File global conditions at the site, use the following PowerShell command:
Get-CMGlobalCondition | Where-Object DataType -eq "File" | Select-Object LocalizedDisplayName
Type: | IResultObject |
Aliases: | GlobalCondition |
Position: | 0 |
Default value: | None |
Required: | True |
Accept pipeline input: | True |
Accept wildcard characters: | False |
Inputs
Microsoft.ConfigurationManagement.ManagementProvider.IResultObject
Outputs
System.Object
Related Links
- New-CMFileSystemAccessControlEntry
- New-CMRequirementRuleActiveDirectorySiteValue
- New-CMRequirementRuleBooleanValue
- New-CMRequirementRuleCMSiteValue
- New-CMRequirementRuleCommonValue
- New-CMRequirementRuleDeviceOwnershipValue
- New-CMRequirementRuleExistential
- New-CMRequirementRuleExpression
- New-CMRequirementRuleFileAttributeValue
- New-CMRequirementRuleFreeDiskSpaceValue
- New-CMRequirementRuleInputTypeValue
- New-CMRequirementRuleOperatingSystemLanguageValue
- New-CMRequirementRuleOperatingSystemValue
- New-CMRequirementRuleOUValue
- New-CMRequirementRuleRegistryKeyPermissionValue
- New-CMRequirementRuleScreenResolutionValue
- Get-CMGlobalCondition
- Deployment type Requirements
- Create global conditions