Docs / Admin

User roles

User roles are Identity & Access Management (IAM) roles used to restrict access to the admin console.

To understand and restrict which users and devices can communicate in your tailnet, see ACLs.

Managing roles

You can add or remove users and change their roles in the Users tab of the admin console.

Roles

Owner

An Owner is the owner of the Tailscale account for your organization. This individual can access all information about your Tailscale account, including pricing plan and billing information.

An Owner can transfer their ownership to another user in the Users tab of the admin console. For an Owner’s account to be deleted, the Owner role must first be transferred to another user.

A Tailscale organization must have an Owner. There can only be one Owner.

If you haven’t modified this, the Owner likely the first user who installed Tailscale. You can identify the Owner by their role on the Users tab of the admin console.

If you don’t have access to the admin console to identify the Owner, or have lost access to the Owner account, contact us for help.

Admin

An Admin is an administrator of the Tailscale account for your organization. They can perform any action in the admin console, including inviting or removing users, modifying ACLs, approving machines, and enabling or disabling features. They cannot access or change the pricing plan or billing information, except where they initially set it up, see Pricing and Billing below.

There can be multiple Admins. Team accounts are limited to 2 Admin users.

Network Admin

A Network Admin is an administrator of the Tailscale account for your organization, who can only manage your network configuration. They can modify the ACL policy file, and modify DNS, subnets, and other networking settings. They can view but not modify user and device information (even for their own devices), and general settings. They cannot access or change the pricing plan or billing information.

In a larger organization, use this role for the Networking team, to manage your network topology including DNS and subnets.

This role is only available for the Business plan or higher. Users with the Network Admin role count towards the number of Admin users for pricing.

IT Admin

An IT Admin is an administrator of the Tailscale account for your organization, who can only manage users and machines. They can perform actions to remove users, or approve and remove devices, and can modify general settings, like enabling certain features. They can view but not modify network information, such as the ACL policy file and DNS configurations. They cannot access or change the pricing plan or billing information.

In a larger organization, use this role for the IT team, to onboard and offboard users and their devices.

This role is only available for the Business plan or higher. Users with the IT Admin role count towards the number of Admin users for pricing.

Auditor

An Auditor is a member of the Tailscale account for your organization. They can read all configurations for your tailnet but not modify any of them.

In a larger organization, use this role for the compliance or audit team.

This role is only available for the Business plan or higher. Users with the Auditor role do not count towards the number of Admin users for pricing.

Member

A Member is a user of your tailnet. They cannot access the admin console, but can connect to nodes in your tailnet as permitted by ACLs.

New users on a tailnet are Members by default.

There can be multiple Members. Personal accounts are limited to 1 Member user.

If you are sharing a node with another user, they are a Member for that node only, not the entire tailnet.

Pricing and Billing

Only the Owner and Admins of a Tailscale account can select a pricing plan and set up billing.

Once billing is set up, the Owner and the user who set up billing (who may be the Owner or an Admin) can access and modify it.

Permission matrix

Permissions managed by user roles

Permission Owner Admin Network Admin IT Admin Auditor Member
Can access the admin console
Read ACL policy file
Write ACL policy file
Read network configurations
Write network configurations, e.g., enable MagicDNS, Split DNS, make subnet, or allow a node to be an exit node, enable HTTPS
Read feature configuration
Write feature configuration, e.g., enable Taildrop
Read machines, e.g., see machine names and status
Write machines, e.g., approve, rename, and remove machines
Read users and user roles
Write users and user roles, e.g, remove users, make Admin
Can generate authkeys
Can share a node
Can accept a shared node
Can use any tag (without being tag owner)

Permissions managed by ACL policy file

Permissions for communicating within a network, and for running certain commands on devices, are set by the ACL policy file:

  • Access to a machine
  • Ability to set a tag (tag owner)
  • Ability to self-approve a route (route owner)

Last updated

WireGuard is a registered
trademark of Jason A. Donenfeld.

© 2021 Tailscale Inc.

Privacy & Terms