User roles are Identity & Access Management (IAM) roles that restrict what a user can see and do in the admin console; they do not govern network access between devices.
To understand and restrict which users and devices can communicate in your tailnet, see ACLs.
A user cannot modify their own role, except to transfer the Owner role to another user.
An Owner is the owner of the Tailscale account for your organization. This individual can access all information about your Tailscale account, including pricing plan and billing information.
An Owner can transfer their ownership to another user in the Users tab of the admin console. For an Owner’s account to be deleted, the Owner role must first be transferred to another user.
A Tailscale organization must have an Owner. There can only be one Owner.
If you haven’t modified this, the Owner is likely the first user who installed Tailscale. You can identify the Owner by their role on the Users tab of the admin console.
An Admin is an administrator of the Tailscale account for your organization. They can perform any action in the admin console, including inviting or removing users, modifying ACLs, approving machines, and enabling or disabling features. They cannot access or change the pricing plan or billing information unless they were the user who initially set it up; see Pricing and Billing below.
There can be multiple Admins. Team accounts are limited to 2 Admin users.
A Network Admin is an administrator of the Tailscale account for your organization who can only manage your network configuration. They can modify the tailnet policy file, DNS, subnets, and other networking settings. They can view but not modify user and device information (even for their own devices) and general settings. They cannot access or change the pricing plan or billing information.
In a larger organization, use this role for the networking team to manage your network topology, including DNS and subnets. Because the tailnet policy file governs all access within the tailnet, including who may apply tags, a Network Admin can grant any user or device reach to any node; grant the role with that in mind.
This role is only available for the Business plan and higher. Users with the Network Admin role count towards the number of Admin users for pricing.
An IT Admin is an administrator of the Tailscale account for your organization who can only manage users and machines. They can remove users, approve and remove devices, and modify general settings, such as enabling certain features. They can view but not modify network information, such as the tailnet policy file and DNS configurations. They cannot access or change the pricing plan or billing information.
In a larger organization, use this role for the IT team to onboard and offboard users and their devices. Note that this role can change other users' roles, including granting Admin (see the permissions table below), so in terms of trust it is equivalent to Admin.
This role is only available for the Business plan and higher. Users with the IT Admin role count towards the number of Admin users for pricing.
An Auditor is a member of the Tailscale account for your organization. They can read all configurations for your tailnet but not modify any of them.
In a larger organization, use this role for the compliance or audit team.
This role is only available for the Business plan and higher. Users with the Auditor role do not count towards the number of Admin users for pricing.
A Member is a user of your tailnet. They cannot access the admin console, but can connect to nodes in your tailnet as permitted by ACLs.
New users on a tailnet are Members by default.
There can be multiple Members. Personal accounts are limited to 1 Member user.
Only the Owner and Admins of a Tailscale account can select a pricing plan and set up billing.
Once billing is set up, the Owner and the user who set up billing (who may be the Owner or an Admin) can access and modify it.
| Permission | Owner | Admin | Network Admin | IT Admin | Auditor | Member |
|---|---|---|---|---|---|---|
| Can access the admin console | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ |
| Read tailnet policy file | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ |
| Write tailnet policy file | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ |
| Read network configurations | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ |
| Write network configurations, e.g., enable MagicDNS, split DNS, make a subnet, allow a node to be an exit node, enable HTTPS | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ |
| Read feature configuration | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ |
| Write feature configuration, e.g., enable Taildrop | ✅ | ✅ | ❌ | ✅ | ❌ | ❌ |
| Read machines, e.g., see machine names and status | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ |
| Write machines, e.g., approve, rename, and remove machines | ✅ | ✅ | ❌ | ✅ | ❌ | ❌ |
| Read users and user roles | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ |
| Write users and user roles, e.g., remove users, make Admin | ✅ | ✅ | ❌ | ✅ | ❌ | ❌ |
| Can generate auth keys | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ |
| Can share a node | ✅ | ✅ | ❌ | ✅ | ❌ | ❌ |
| Can accept a shared node | ✅ | ✅ | ❌ | ✅ | ❌ | ❌ |
| Can use any tag (without being a tag owner) | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ |
| Read configuration audit logs | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ |
| Use Tailscale SSH Console, if allowed by the tailnet policy file | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ |
| Write tailnet name | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ |
| Write billing information, such as email (distinct from the billing plan) | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ |
Permissions for communicating within a network, and for running certain commands on devices, are set by the tailnet policy file:
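As an added example (not taken from this page or from Tailscale's own documentation), a minimal tailnet policy file showing where the two policy-file-gated items in the table above are set: tag ownership (which limits who may apply a tag, unless the user is Owner, Admin, or Network Admin) and Tailscale SSH access. The group, user, and tag names are assumed for illustration.

```jsonc
{
  // Assumed groups; user identities are placeholders.
  "groups": {
    "group:netops": ["alice@example.com"],
    "group:it":     ["bob@example.com"],
  },

  // Only group:netops may apply tag:router to a device. Per the table,
  // the Owner, Admins and Network Admins can apply any tag regardless
  // of this entry; IT Admins, Auditors and Members cannot.
  "tagOwners": {
    "tag:router": ["group:netops"],
  },

  // Network access: every tailnet member may reach tagged routers on
  // ports 22 and 443 only. Nothing here is affected by admin-console roles.
  "acls": [
    {"action": "accept", "src": ["autogroup:member"], "dst": ["tag:router:22,443"]},
  ],

  // Tailscale SSH (including the SSH Console in the admin console, for
  // roles the table marks as allowed): only group:it, only into tagged
  // routers, and only as a non-root user.
  "ssh": [
    {"action": "accept", "src": ["group:it"], "dst": ["tag:router"], "users": ["autogroup:nonroot"]},
  ],
}
```

Only the roles with "Write tailnet policy file" in the table can change this file, so a user who can edit it can widen every rule in it; that is why the Network Admin role should be treated as highly privileged even though it cannot manage users or billing.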