Grants

Grants are currently in beta.

You can define how your Tailscale network (called a tailnet) works using tools like the tailnet policy file. The tailnet policy file consists of multiple sections, each with a different purpose. At the core of the tailnet policy is the grants array. Each entry grants source the specified capabilities on the destination. You can use the grants object to grant capabilities at the IP layer (ip) or the application layer (app). The Tailscale policy engine compiles all capabilities and sends them to each Tailscale client. Each client then caches the policies locally to improve performance and reduce reliance on the coordination server.

Grants and ACLs

Grants and ACLs are at feature parity for network-level permissions, including features like device posture, ACL tests, and previews. You can use both grants and ACLs simultaneously in your tailnet policy. However, the best practice is to prefer grants because they offer more power and flexibility for most users.

Reference

The grants section of your tailnet policy file is an array of objects, where each object must have a network source field (src) and a network destination field (dst). Grant objects can optionally include the ip, app, or srcPosture fields.

src: An array of selectors that define the source of the grant.
dst: An array of selectors that define the destination of the grant.
ip (Optional): An array of strings that define the network-layer capabilities to grant.
app (Optional): A map of strings to arrays of objects that define the application-layer capabilities to grant.
srcPosture (Optional): An array of device posture conditions to further restrict the src.

`src`

The src field is an array of selectors that define the target network sources. A network source is the device or node that initiates a network communication or sends data packets.

You can use any of the following selectors to define the network source

Selector	Description	Example
`*`	Select all sources in your tailnet and from approved subnet routes. This does not include devices outside your tailnet (unless they're on an approved subnet).
`autogroup:danger-all`	Select all sources, including those outside your tailnet.
`group:<group name>`	Select all members of a specific group.	`group:prod`
`<email>`	Select a specific user by their email address. For GitHub users, use `username@github`. For Passkey users, use `username@passkey`.	`name@example.com`, `username@github`, `username@passkey`
`tag:<tag name>`	Select all devices with a specific tag.	`tag:tailsql`
`autogroup:<role>`	Select all members of a specific role. Possible roles are `admin`, `member`, `owner`, `it-admin`, `network-admin`, `billing-admin`, and `auditor`.	`autogroup:admin`
`autogroup:tagged`	Select all devices with a tag (any tag).
`autogroup:shared`	Select all devices that belong to users who have accepted a sharing invitation to your tailnet.
`<cidr>/<ip>`	Select all devices in a CIDR range.	`10.0.0.0/8`, `100.64.0.5`.
`<hostAlias>`	Select a host by its user-defined alias. You can use this selector to grant access to a specific device or a CIDR range. You can find `hostAlias` definitions in the `hosts` section.	`example-host-name`

`dst`

The dst field is an array of selectors that define the destination of the grant. A network destination refers to the device or node that receives the data packets from the source.

You can use any of the following selectors to define the network destination:

Selector	Description	Example
`*`	Select all sources in your tailnet and from approved subnet routes. This does not include devices outside your tailnet (unless they're on an approved subnet).
`autogroup:danger-all`	Select all sources, including those outside your tailnet.
`group:<group name>`	Select all members of a specific group.	`group:analytics`
`<email>`	Select a specific user by their email address. For GitHub users, use `username@github`. For Passkey users, use `username@passkey`.	`name@example.com`, `username@github`, `username@passkey`
`tag:<tag name>`	Select all devices with a specific tag.	`tag:tailsql`
`autogroup:<role>`	Select all members of a specific role. Possible roles are `admin`, `member`, `owner`, `it-admin`, `network-admin`, `billing-admin`, and `auditor`.	`autogroup:admin`
`autogroup:tagged`	Select all devices with a tag (any tag).
`autogroup:internet`	`autogroup:internet` is a special autogroup selector that lets you grant access to use an exit node to access the internet.
`autogroup:self`	Select a user's devices. `autogroup:self` is a special autogroup selector that, when combined with a `src` selector of `autogroup:member`, lets you grant access to a user's own devices from their own devices.
`<cidr>/<ip>`	Select all devices in a CIDR range.	`10.0.0.0/8`, `100.64.0.5`.
`<hostAlias>`	Select a host by its user-defined alias. You can use this selector to grant access to a specific device or a CIDR range. You can find `hostAlias` definitions in the `hosts` section.	`example-host-name`

`ip`

The ip field is an array of strings that grant IP layer capabilities. You can use any of the following selectors to grant access to IP layer capabilities:

Selector	Description	Example
`*`	Allow access to all ports on the destination (implies TCP, UDP, and ICMP access).
`<port>`	Allow access to a specific port on the destination (implies TCP, UDP, and ICMP access). You can specify a single port (`443`) or a range of ports (`80-443`).	`443`, `80-443`
`<proto>:*`	Allow all ports of the specified protocol (`proto`) access to the destination. This is especially useful for protocols that do not have ports, such as ICMP. For example, `icmp:` or `sctp:`.	`icmp:`, `sctp:`
`<proto>:<port>`	Allow access to a specific protocol and port combination on the destination. You can specify a single port (`tcp:443`) or a range of ports (`tcp:80-443`).	`tcp:443`, `tcp:80-443`

You can specify the IP protocol (proto) as an IANA IP protocol number 1-255 (for example, "16") or one of the following named aliases (for example, "sctp").

Expand named aliases.

Protocol	`proto`	IANA protocol number
Internet Group Management (IGMP)	`igmp`	2
IPv4 encapsulation	`ipv4`, `ip-in-ip`	4
Transmission Control (TCP)	`tcp`	6
Exterior Gateway Protocol (EGP)	`egp`	8
Any private interior gateway	`igp`	9
User Datagram (UDP)	`udp`	17
Generic Routing Encapsulation (GRE)	`gre`	47
Encap Security Payload (ESP)	`esp`	50
Authentication Header (AH)	`ah`	51
Stream Control Transmission Protocol (SCTP)	`sctp`	132

`app`

The app field is an optional field that maps strings to arrays of objects that define the application layer capabilities to grant. The strings are the application layer capabilities to grant, and the objects are the parameters for those capabilities.

The specific application (such as TailSQL) defines the names of capabilities names in the format <domainName>/<capabilityName>.

The domainName groups capabilities into namespaces to avoid collisions with other applications.
The capabilityName defines the specific capability. For example, the TailSQL application defines the tailscale.com/cap/tailsql capability.

The specific application also defines the parameters for each capability. The Tailscale policy engine treats these parameters as opaque JSON objects. The policy engine compiles the parameters and sends them to the Tailscale clients but does not validate them. The Tailscale clients can then use these parameters to make authorization decisions locally.

Tailscale is not involved in creating, naming, or validating application capabilities or their parameters (unless it's a Tailscale application). It's the application developer's responsibility to document all capabilities and parameters.

`srcPosture`

The srcPosture field is an array of device posture conditions you can use to further restrict the network source (src). For example, you can use srcPosture to restrict access to only devices running a specific version of the Tailscale client.

Example scenario

The following scenario demonstrates connecting an application (TailSQL) to Tailscale and fine-tuning access to TailSQL based on tags and groups.

In this example scenario, the tailnet has the following configured:

A prod group for the production team.
An analytics group for the analytics team.
A TailSQL application tagged with tailsql and running on port 443.
A Prometheus server tagged with prom.

The final example grants group:prod access to all TailSQL data sources, grants group:analytics access to the TailSQL warehouse data source, and allows Prometheus to monitor TailSQL.

{
  "grants": [{
    "src": ["group:prod"],
    "dst": ["tag:tailsql"],
    "ip": ["443"],
    "app": {
        "tailscale.com/cap/tailsql": [{
            "dataSrc": ["*"],
        }],
    },
  },{
    "src": ["group:analytics"],
    "dst": ["tag:tailsql"],
    "ip": ["443"],
    "app": {
        "tailscale.com/cap/tailsql": [{
            "dataSrc": ["warehouse"],
        }],
    },
  },{
    "src": ["tag:prom"],
    "dst": ["tag:tailsql"],
    "ip": ["443"],
  }]
}

Expand for step-by-step instructions to re-create the example grants along with context and explanations.

Create a grants object in the tailnet policy file that grants the production group (group:prod) access to the TailSQL interface (identified by tag:tailsql and port 443). The following example lets devices in your tailnet connect in the prod group connect to port 443 of devices tagged with tailsql.
```
{
  "grants": [{
    "src": ["group:prod"],
    "dst": ["tag:tailsql"],
    "ip": ["443"],
  }]
}
```

Allow Prometheus to monitor the TailSQL application. TailSQL already exposes a metrics endpoint reachable on port 443 at /debug/varz. The following example allows Prometheus (identified by tag:prom) access that endpoint.

{
  "grants": [{
    "src": ["group:prod"],
    "dst": ["tag:tailsql"],
    "ip": ["443"],
  },{
    "src": ["tag:prom"],
    "dst": ["tag:tailsql"],
    "ip": ["443"],
  }]
}

Allow users in the analytics group to connect to TailSQL devices by adding "group:analytics" to the src array.
```
{
  "grants": [{
    "src": ["group:prod", "group:analytics"],
    "dst": ["tag:tailsql"],
    "ip": ["443"],
  },{
    "src": ["tag:prom"],
    "dst": ["tag:tailsql"],
    "ip": ["443"],
  }]
}
```
At this point, the example grants Prometheus and the prod and analytics groups access to the shared TailSQL instance. However, the Prometheus server, the prod group, and the analytics group all require access to different datasets. The prod group uses TailSQL to inspect some backups, whereas the analytics group requires access to the data warehouse.

You can configure the grant to only let each group access what it needs (and no more) by leveraging the app field to define application-level capabilities.

Fine-tune access to the TailSQL application by defining two app policies: one that lets the prod group query all data sources. And another that restricts the analytics group's access to only the warehouse data source.

{
  "grants": [{
    "src": ["group:prod"],
    "dst": ["tag:tailsql"],
    "ip": ["443"],
    "app": {
        "tailscale.com/cap/tailsql": [{
            "dataSrc": ["*"],
        }],
    },
  },{
    "src": ["group:analytics"],
    "dst": ["tag:tailsql"],
    "ip": ["443"],
    "app": {
        "tailscale.com/cap/tailsql": [{
            "dataSrc": ["warehouse"],
        }],
    },
  },{
    "src": ["tag:prom"],
    "dst": ["tag:tailsql"],
    "ip": ["443"],
  }]
}

Review the grant using the LocalAPI and the tailscale whois command. In the following example, 100.64.0.5 is part of the prod group and can access all data sources at Tailscale.com/cap/tailsql.

$ tailscale whois 100.64.0.5
Machine:
  Name:          example.ts.net
  ID:            nXXXXXCNTRL
  Addresses:     [100.64.0.5/32 fd7a:115c:a1e0::c477/128]
User:
  Name:     user@example.com
  ID:       12345
Capabilities:
  - tailscale.com/cap/tailsql:
      [
        {
          "dataSrc": [
            "*"
          ]
        },
        {
          "dataSrc": [
            "warehouse"
          ]
        }
      ]