Set up admin access
New Aperture instances grant admin access to everyone by default. Before your team starts using Aperture, restrict admin access to specific users so that only designated administrators can edit settings and view data for all users.
Admins can:
- Edit the Aperture configuration from the Settings page of the Aperture dashboard.
- View dashboards, session logs, and usage data for all users.
- Access all quota buckets and refill them through the API.
- Access the /metrics Prometheus endpoint (when read_metrics is granted).
Standard users can only view their own dashboard and usage data.
Prerequisites
Before you begin, ensure you have the following:
- An Aperture instance with at least one configured provider.
- Access to the Aperture dashboard or your tailnet policy file.
- Your Tailscale login name (for example, alice@example.com).
Restrict admin access
The default configuration grants everyone the admin role using "src": ["*"]. Replace this with explicit admin grants for specific users.
Do not remove the wildcard admin grant until you have added an explicit admin grant for yourself. Aperture prevents saves that would remove the saving user's admin access, but editing the configuration directly (outside the web interface) does not have this safeguard.
- Open the Settings page of the Aperture dashboard.
- Find the grant with { "role": "admin" } and "src": ["*"].
- Replace "*" with the Tailscale login names of your administrators.
The following example grants admin access to two specific users:
{
  "grants": [
    {
      "src": ["alice@example.com", "bob@example.com"],
      "app": {
        "tailscale.com/cap/aperture": [
          { "role": "admin" }
        ]
      }
    },
    {
      "src": ["*"],
      "app": {
        "tailscale.com/cap/aperture": [
          { "role": "user" }
        ]
      }
    }
  ]
}
This configuration gives alice@example.com and bob@example.com admin access, while all other users get standard user access. Admin access takes precedence when a user matches both grants, so Alice and Bob receive admin-level permissions.
Use the tailnet policy file
For organizations that manage access through Tailscale, you can assign admin roles using groups in the tailnet policy file. This approach is recommended because it lets you use Tailscale groups and device postures.
{
  "grants": [
    {
      "src": ["group:aperture-admins"],
      "dst": ["tag:aperture"],
      "app": {
        "tailscale.com/cap/aperture": [
          { "role": "admin" }
        ]
      }
    },
    {
      "src": ["group:ai-users"],
      "dst": ["tag:aperture"],
      "app": {
        "tailscale.com/cap/aperture": [
          { "role": "user" }
        ]
      }
    }
  ]
}
Aperture merges grants from the tailnet policy file and the Aperture configuration additively. Roles escalate (from user to admin) but never downgrade. Refer to the grants configuration reference for the full syntax.
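The following Python script is an added example, not Aperture's own code, that models the two rules stated on this page: grants from the Aperture configuration and the tailnet policy file merge additively with roles escalating but never downgrading, and a save must not remove the saving user's admin access. The sample grants reuse the two configurations above; the group membership table, the role ranking, the function names and the decision to ignore "dst" (on the assumption that every policy grant targets the Aperture node) are all assumptions made for the example, not documented Aperture behaviour.

```python
import json

# Constructed sample inputs: the "grants" key of an Aperture configuration as
# saved from the Settings page, the grants section of a tailnet policy file,
# and a hypothetical group membership table. Real Tailscale groups are resolved
# by the control plane; GROUPS here only stands in for that lookup.
APERTURE_CONFIG = json.loads("""
{
  "grants": [
    {
      "src": ["alice@example.com", "bob@example.com"],
      "app": {"tailscale.com/cap/aperture": [{"role": "admin"}]}
    },
    {
      "src": ["*"],
      "app": {"tailscale.com/cap/aperture": [{"role": "user"}]}
    }
  ]
}
""")

POLICY_FILE_GRANTS = json.loads("""
[
  {
    "src": ["group:aperture-admins"],
    "dst": ["tag:aperture"],
    "app": {"tailscale.com/cap/aperture": [{"role": "admin"}]}
  },
  {
    "src": ["group:ai-users"],
    "dst": ["tag:aperture"],
    "app": {"tailscale.com/cap/aperture": [{"role": "user"}]}
  }
]
""")

GROUPS = {  # constructed membership table (assumption)
    "group:aperture-admins": {"carol@example.com"},
    "group:ai-users": {"alice@example.com", "dave@example.com"},
}

# A config a careless edit could produce: the explicit admin grant omits alice,
# who is the user saving it. Constructed for the lockout check below.
BAD_CONFIG = {
    "grants": [
        {"src": ["bob@example.com"],
         "app": {"tailscale.com/cap/aperture": [{"role": "admin"}]}},
        {"src": ["*"],
         "app": {"tailscale.com/cap/aperture": [{"role": "user"}]}},
    ]
}

CAP = "tailscale.com/cap/aperture"
ROLE_RANK = {"user": 1, "admin": 2}  # assumed ranking: higher wins, never downgrade


def src_matches(src, login, groups):
    """True if a grant's "src" list covers this login: wildcard, exact login,
    or membership in a group: entry. "dst" is deliberately ignored (assumption:
    every policy-file grant under test targets the Aperture node)."""
    for entry in src:
        if entry == "*" or entry == login:
            return True
        if entry.startswith("group:") and login in groups.get(entry, set()):
            return True
    return False


def effective_role(login, grant_sources, groups):
    """Additively merge grants from every source (Aperture config, policy file)
    and return the highest Aperture role the login matches, or None."""
    best = None
    for grants in grant_sources:
        for grant in grants:
            if not src_matches(grant.get("src", []), login, groups):
                continue
            for cap in grant.get("app", {}).get(CAP, []):
                role = cap.get("role")
                if role in ROLE_RANK and (best is None or ROLE_RANK[role] > ROLE_RANK[best]):
                    best = role
    return best


def save_keeps_admin(login, proposed_config, other_sources, groups):
    """Pre-save check in the spirit of the dashboard safeguard: the proposed
    config replaces the current Aperture config, the other sources (policy
    file) stay as they are, and the saving user must still come out as admin."""
    sources = [proposed_config.get("grants", [])] + list(other_sources)
    return effective_role(login, sources, groups) == "admin"


if __name__ == "__main__":
    sources = [APERTURE_CONFIG["grants"], POLICY_FILE_GRANTS]
    for who in ("alice@example.com", "carol@example.com", "dave@example.com", "erin@example.com"):
        print(who, "->", effective_role(who, sources, GROUPS))
    print("alice may save APERTURE_CONFIG:",
          save_keeps_admin("alice@example.com", APERTURE_CONFIG, [POLICY_FILE_GRANTS], GROUPS))
    print("alice may save BAD_CONFIG:",
          save_keeps_admin("alice@example.com", BAD_CONFIG, [POLICY_FILE_GRANTS], GROUPS))
```

Running the script shows Alice resolved to admin even though she also matches the wildcard user grant and the group:ai-users policy grant, Carol resolved to admin purely through the policy file, and the BAD_CONFIG save rejected for Alice but accepted for Carol, whose admin role comes from the policy file and therefore survives the config change. That last case is exactly the situation the warning above describes: editing the Aperture configuration outside the web interface has no such check, so run an equivalent one yourself before applying a hand-edited file.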
Verify admin access
After restricting admin access, verify the configuration is correct:
- Open the Settings page. If you can view and edit the configuration, your admin access is working.
- Sign in from a non-admin device or have a non-admin user confirm they cannot access the Settings page.
Next steps
- Control model access to define which models each user or group can use.
- Set per-user spending limits to manage costs.
- Refer to the Aperture dashboard reference for details on each admin-accessible page.