User roles

User roles are Identity & Access Management (IAM) roles used to restrict access to the admin console.

User roles are available for all plans.
Some roles are available only for specific plans, which is noted in the role documentation.

To understand and restrict which users and devices can communicate in your tailnet, see ACLs.

Managing roles

You can add or remove users and change their roles in the Users tab of the admin console.

A user cannot modify their own role, except to transfer the Owner role to another user.

User role categories

To delineate which user roles are available by pricing plan, roles are categorized as Standard or Advanced.

Standard roles

Standard roles are available for all pricing plans. The following roles are in the Standard category:

Advanced roles

Advanced roles are available for the Premium and Enterprise pricing plans. The following roles are in the Advanced category:

Roles

Owner

An Owner is the owner of the Tailscale account for your organization. This individual can access all information about your Tailscale account, including pricing plan and billing information.

An Owner can transfer their ownership to another user in the Users tab of the admin console. For an Owner’s account to be deleted, the Owner role must first be transferred to another user.

A Tailscale organization must have an Owner. There can only be one Owner.

If you haven’t modified this, the Owner is likely the first user who installed Tailscale. You can identify the Owner by their role on the Users tab of the admin console.

If you don’t have access to the admin console to identify the Owner, or have lost access to the Owner account, contact us for help.

Admin

An Admin is an administrator of the Tailscale account for your organization. They can perform any action in the admin console, including inviting or removing users, modifying ACLs, approving machines, enabling or disabling features, and modifying pricing plan and billing information.

There can be multiple Admins.

Network admin

This role is available for the Personal, Premium, and Enterprise plans.

A Network admin is an administrator of the Tailscale account for your organization, who can only manage your network configuration. They can modify the tailnet policy file, and modify DNS, subnets, and other networking settings. They can view but not modify user and device information (even for their own devices), and general settings. They cannot access or change the pricing plan or billing information.

In a larger organization, use this role for the Networking team, to manage your network topology including DNS and subnets.

IT admin

This role is available for the Personal, Premium, and Enterprise plans.

An IT admin is an administrator of the Tailscale account for your organization, who can only manage users and machines. They can perform actions to remove users, or approve and remove devices, and can modify general settings, like enabling certain features. They can view but not modify network information, such as the tailnet policy file and DNS configurations. They cannot access or change the pricing plan or billing information.

In a larger organization, use this role for the IT team, to onboard and offboard users and their devices.

An IT admin can grant all roles, including roles that are more powerful than IT admin. This follows the principle of separation of duties, as two individuals must work together to elevate their access.

Billing admin

This role is available for the Personal, Premium, and Enterprise plans.

A Billing admin is an administrator of the Tailscale account for your organization, who can only modify pricing plan and billing information. They can view but not modify information in the admin console, such as user and device information, network information, or general settings.

A Billing admin does not automatically receive billing emails.

In a larger organization, use this role for the finance or accounting team.

Auditor

This role is available for the Personal, Premium, and Enterprise plans.

An Auditor is a member of the Tailscale account for your organization. They can read all configurations for your tailnet but not modify any of them.

In a larger organization, use this role for the compliance or audit team.

Member

A Member is a user of your tailnet. They cannot access the admin console, but can connect to nodes in your tailnet as permitted by ACLs.

New users on a tailnet are Members by default.

There can be multiple Members.

If you are sharing a node with another user, they are a Member for that node only, not the entire tailnet.

Permission matrix

Permissions managed by user roles

Permission Owner Admin Network admin IT admin Billing admin Auditor Member
Can access the admin console
Read tailnet policy file
Write tailnet policy file
Read network configurations
Write network configurations, for example, enable MagicDNS, split DNS, make subnet, or allow a node to be an exit node, enable HTTPS
Read feature configuration
Write feature configuration, for example, enable Taildrop
Configure user & group provisioning
Read machines, for example, see machine names and status
Write machines, for example, approve, rename, and remove machines
Read users and user roles
Write users and user roles, for example, remove users, approve users, make Admin
Can generate authkeys
Can generate API access tokens and OAuth clients
Can share a node
Can accept a shared node
Can use any tag (without being tag owner)
Read configuration audit logs
Use Tailscale SSH Console, if allowed by tailnet policy file
Write webhooks
Write tailnet name
Read payment plan
Write payment plan
Write billing information

Permissions managed by tailnet policy file

Permissions for communicating within a network, and for running certain commands on devices, are set by the tailnet policy file:

  • Access to a machine
  • Ability to set a tag (tag owner)
  • Ability to self-approve a route or exit node (auto approver)