diff --git a/defaults/main.yml b/defaults/main.yml
index 6a01c197..80605bf3 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -304,7 +304,7 @@ security_sshd_client_alive_interval: 600 # V-72237
 security_sshd_client_alive_count_max: 0 # V-72241
 # Print the last login for a user when they log in over ssh.
 security_sshd_print_last_log: yes # V-72245
-# Permit direct root logins
+# Permit direct root logins ('yes', 'no', 'without-password', 'prohibit-password', 'forced-commands-only')
 security_sshd_permit_root_login: no # V-72247
 # Disallow authentication using known hosts authentication.
 security_sshd_disallow_known_hosts_auth: yes # V-72249 / V-72239
diff --git a/doc/metadata/rhel7/V-72247.rst b/doc/metadata/rhel7/V-72247.rst
index 07b29567..35684b0a 100644
--- a/doc/metadata/rhel7/V-72247.rst
+++ b/doc/metadata/rhel7/V-72247.rst
@@ -7,7 +7,9 @@ tag: sshd
 The ``PermitRootLogin`` configuration is set to ``no`` in ``/etc/ssh/sshd_config`` and sshd is restarted.
-Deployers can opt out of this change by setting the following Ansible variable:
+Deployers can select another setting for PermitRootLogin, from the available
+options ``without-password``, ``prohibit-password``, ``forced-commands-only``,
+``yes``, or ``no`` by setting the following variable:
 .. code-block:: yaml
diff --git a/releasenotes/notes/permitrootlogin_options-a62e33ccc4a69657.yaml b/releasenotes/notes/permitrootlogin_options-a62e33ccc4a69657.yaml
new file mode 100644
index 00000000..ebe6b02f
--- /dev/null
+++ b/releasenotes/notes/permitrootlogin_options-a62e33ccc4a69657.yaml
@@ -0,0 +1,8 @@
+---
+features:
+  - The ``security_sshd_permit_root_login`` setting can
+    now be set to change the ``PermitRootLogin`` setting
+    in ``/etc/ssh/sshd_config`` to any of the possible
+    options. Set ``security_sshd_permit_root_login`` to
+    one of ``without-password``, ``prohibit-password``,
+    ``forced-commands-only``, ``yes`` or ``no``.
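Review bot: The new comment lists the accepted values as quoted strings, but the default on the following line, `security_sshd_permit_root_login: no`, is an unquoted YAML boolean that reaches the template as `False` and only renders correctly because the template translates `False`/`True` back to `no`/`yes`; quoting it as `security_sshd_permit_root_login: 'no' # V-72247` makes the default the literal sshd keyword and removes the dependency on that round trip. It would also help to state here that any value other than `no` is a deviation from V-72247, since the STIG identifier stays on the line whichever value a deployer picks.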
diff --git a/templates/sshd_config_block.j2 b/templates/sshd_config_block.j2
index 28c6fd9f..586a1453 100644
--- a/templates/sshd_config_block.j2
+++ b/templates/sshd_config_block.j2
@@ -22,9 +22,14 @@ ClientAliveCountMax {{ security_sshd_client_alive_count_max }}
 # V-72245
 PrintLastLog yes
 {% endif %}
-{% if not (security_sshd_permit_root_login | bool) %}
+{% if security_sshd_permit_root_login | string in ['False', 'True', 'without-password', 'prohibit-password', 'forced-commands-only', 'no', 'yes' ] %}
+{% if security_sshd_permit_root_login | string in ['False', 'True'] %}
+{% set _security_sshd_permit_root_login = ((security_sshd_permit_root_login | bool) | ternary('yes','no')) %}
+{% else %}
+{% set _security_sshd_permit_root_login = security_sshd_permit_root_login %}
+{% endif %}
 # V-72247
-PermitRootLogin no
+PermitRootLogin {{ _security_sshd_permit_root_login }}
 {% endif %}
 {% if security_sshd_disallow_known_hosts_auth | bool %}
 # V-72249 / V-72239
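Review bot: Any value outside the whitelist on the new outer `{% if %}` — a typo such as `prohibit-passwd`, or the plain strings `false`/`true` that I believe `-e security_sshd_permit_root_login=false` on the command line produces — makes the template silently emit no `PermitRootLogin` line at all, so sshd falls back to its compiled-in default, which on OpenSSH releases before 7.0 (the version RHEL 7 originally shipped) is `yes`, i.e. password root logins enabled by a hardening role. This should fail closed: add an `assert` task before the template is rendered with `that: security_sshd_permit_root_login | string in ['False', 'True', 'yes', 'no', 'without-password', 'prohibit-password', 'forced-commands-only']`, and if string booleans are meant to be accepted, include `'false'`/`'true'` in the template's `['False', 'True']` branch instead of letting an unrecognised value drop the directive. Note also that `prohibit-password` is only understood by OpenSSH 7.0 and later and `without-password` is its deprecated alias, so a value that passes this check can still make sshd reject the config and fail to restart on older hosts; that caveat belongs in the `# V-72247` comment, which is now misleading whenever the rendered value is not `no`. The rest of the template continues outside the hunk.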