Curiosity CLI

upload-folder-with-permissions

Windows only

This command only runs on the Windows build of the CLI. Calling it on Linux/macOS throws NotImplementedException: Only the windows build of the CLI supports permission sync.

One-shot upload of a network folder that also reads each file's Active Directory ACLs and propagates them into the workspace, so users only see files they have permission to access at the OS level.

For a continuous version, use monitor-with-permissions.

Syntax

Usage: curiosity-cli upload-folder-with-permissions --server <url> --token <token> --path <dir> --permissions-cache <file> --fetch-server-state <bool> [options]

curiosity-cli upload-folder-with-permissions \
  --server             https://my-workspace.example.com/ \
  --token              $CURIOSITY_TOKEN \
  --path               \\\\fileserver\\Shared \
  --permissions-cache  C:\\curiosity\\acl-cache.json \
  --fetch-server-state false

Options

Same set as upload-folder, plus:

Option Description
--permissions-cache Path to a .json file used to cache resolved ACL → user/group mappings between runs. Alias -c. Required.

Force-applied behavior:

  • --upload-to is overridden to Custom — ACLs come from the file system, not from a single target group/user. Don't pass --upload-to / --target-uid explicitly.
  • The CLI calls graph.MapPermissionsAsync for each file as it's ingested, building the ACL graph in the workspace.

Why a cache file?

Resolving a Windows SID to a user or group inside the workspace's graph is the expensive part of permission ingest. The cache stores the SID → workspace-UID mapping so re-runs only re-resolve identities that changed.

  • Keep the file path stable across runs.
  • Snapshot it alongside your other deployment artifacts if you ever need to roll back.
  • Delete it to force a full re-resolve.

Account requirements

The account running the CLI must be able to:

  • Read every file under --path (use --username / --password / --domain to impersonate a service account if needed).
  • Read the security descriptors (i.e., have READ_CONTROL) on those files.
  • Query Active Directory for the SIDs found in the ACLs.

Remarks

  • Use this command on Windows when ingested files must inherit their Active Directory ACLs so users only see what they can access at the OS level. For ongoing sync, use monitor-with-permissions.
  • It runs only on the Windows build of the CLI and forces --upload-to Custom; don't pass --upload-to / --target-uid yourself.
  • Keep the --permissions-cache file path stable across runs to avoid re-resolving every SID; the account must be able to read the files, their security descriptors, and query Active Directory.

See also

© 2026 Curiosity. All rights reserved.