User roles
User roles are Identity & Access Management (IAM) roles used to restrict access to the admin console.
Some roles are available only for specific plans, which is noted in the role documentation.
To understand and restrict which users and devices can communicate in your tailnet, see ACLs.
Managing roles
You can add or remove users and change their roles in the Users tab of the admin console.
A user cannot modify their own role, except to transfer the Owner role to another user.
User role categories
To delineate which user roles are available by pricing plan, roles are categorized as Standard or Advanced.
Standard roles
Standard roles are available for all pricing plans. The following roles are in the Standard category:
Advanced roles
Advanced roles are available for the Premium and Enterprise pricing plans. The following roles are in the Advanced category:
Roles
Owner
An Owner is the owner of the Tailscale account for your organization. This individual can access all information about your Tailscale account, including pricing plan and billing information.
An Owner can transfer their ownership to another user in the Users page of the admin console, subject to limitations. For an Owner's account to be deleted, the Owner role must first be transferred to another user.
A Tailscale organization must have an Owner. There can only be one Owner.
If you haven't modified this, the Owner is likely the first user who installed Tailscale. You can identify the Owner by their role on the Users tab of the admin console.
If you don't have access to the admin console to identify the Owner, or have lost access to the Owner account, contact us for help.
Admin
An Admin is an administrator of the Tailscale account for your organization. They can perform any action in the admin console, including inviting or removing users, modifying ACLs, approving machines, enabling or disabling features, and modifying pricing plan and billing information.
There can be multiple Admins.
Network admin
A Network admin is an administrator of the Tailscale account for your organization, who can only manage your network configuration. They can modify the tailnet policy file, and modify DNS, subnets, and other networking settings. They can view but not modify user and device information (even for their own devices), and general settings. They cannot access or change the pricing plan or billing information.
In a larger organization, use this role for the Networking team, to manage your network topology including DNS and subnets.
IT admin
An IT admin is an administrator of the Tailscale account for your organization, who can only manage users and machines. They can perform actions to remove users, or approve and remove devices, and can modify general settings, like enabling certain features. They can view but not modify network information, such as the tailnet policy file and DNS configurations. They cannot accept subnet router routes. They cannot access or change the pricing plan or billing information.
In a larger organization, use this role for the IT team, to onboard and offboard users and their devices.
An IT admin can grant all roles, including roles that are more powerful than IT admin. This follows the principle of separation of duties, as two individuals must work together to elevate their access.
Billing admin
A Billing admin is an administrator of the Tailscale account for your organization, who can only modify pricing plan and billing information. They can view but not modify information in the admin console, such as user and device information, network information, or general settings.
A Billing admin does not automatically receive billing emails.
In a larger organization, use this role for the finance or accounting team.
Auditor
An Auditor is a member of the Tailscale account for your organization. They can read all configurations for your tailnet but not modify any of them.
In a larger organization, use this role for the compliance or audit team.
Member
A Member is a user of your tailnet. They cannot access the admin console, but can connect to nodes in your tailnet as permitted by ACLs.
New users in a tailnet are Members by default.
There can be multiple Members.
If you are sharing a node with another user, they are a Member for that node only, not the entire tailnet.
Permission matrix
Permissions managed by user roles
| Permission | Owner | Admin | Network admin | IT admin | Billing admin | Auditor | Member |
|---|---|---|---|---|---|---|---|
| Can access the admin console | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ |
| Read tailnet policy file | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ |
| Write tailnet policy file | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ |
| Read network configurations | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ |
| Write network configurations, for example, enable MagicDNS, split DNS, make subnet, or allow a node to be an exit node, enable HTTPS | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ |
| Read feature configuration | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ |
| Write feature configuration, for example, enable Taildrop | ✅ | ✅ | ❌ | ✅ | ❌ | ❌ | ❌ |
| Configure user & group provisioning | ✅ | ✅ | ❌ | ✅ | ❌ | ❌ | ❌ |
| Read machines, for example, see machine names and status | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ |
| Write machines, for example, approve, rename, and remove machines | ✅ | ✅ | ❌ | ✅ | ❌ | ❌ | ❌ |
| Read users and user roles | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ |
| Write users and user roles, for example, remove users, approve users, make Admin | ✅ | ✅ | ❌ | ✅ | ❌ | ❌ | ❌ |
| Can generate authkeys | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ |
| Can generate API access tokens and OAuth clients | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ |
| Can share a node | ✅ | ✅ | ❌ | ✅ | ❌ | ❌ | ❌ |
| Can accept a shared node | ✅ | ✅ | ❌ | ✅ | ❌ | ❌ | ❌ |
| Can use any tag (without being tag owner) | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ |
| Read configuration audit logs | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ |
| Use Tailscale SSH Console, if allowed by tailnet policy file | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ |
| Write webhooks | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ |
| Write tailnet name | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ |
| Read payment plan | ✅ | ✅ | ❌ | ❌ | ✅ | ❌ | ❌ |
| Write payment plan | ✅ | ✅ | ❌ | ❌ | ✅ | ❌ | ❌ |
| Write billing information | ✅ | ✅ | ❌ | ❌ | ✅ | ❌ | ❌ |
Permissions managed by tailnet policy file
Permissions for communicating within a network, and for running certain commands on devices, are set by the tailnet policy file:
- Access to a machine
- Ability to set a tag (tag owner)
- Ability to self-approve a route or exit node (auto approver)