User roles

User roles are Identity & Access Management (IAM) roles used to restrict access to the admin console.

To understand and restrict which users and devices can communicate in your tailnet, see ACLs.

Managing roles

You can add or remove users and change their roles in the Users tab of the admin console.

A user cannot modify their own role, except to transfer the Owner role to another user.

Roles

Owner

An Owner is the owner of the Tailscale account for your organization. This individual can access all information about your Tailscale account, including pricing plan and billing information.

An Owner can transfer their ownership to another user in the Users tab of the admin console. For an Owner’s account to be deleted, the Owner role must first be transferred to another user.

A Tailscale organization must have an Owner. There can only be one Owner.

If you haven’t modified this, the Owner is likely the first user who installed Tailscale. You can identify the Owner by their role on the Users tab of the admin console.

If you don’t have access to the admin console to identify the Owner, or have lost access to the Owner account, contact us for help.

Admin

An Admin is an administrator of the Tailscale account for your organization. They can perform any action in the admin console, including inviting or removing users, modifying ACLs, approving machines, and enabling or disabling features. They cannot access or change the pricing plan or billing information, except where they initially set it up, see Pricing and Billing below.

There can be multiple Admins. Team accounts are limited to 2 Admin users.

Network Admin

A Network Admin is an administrator of the Tailscale account for your organization, who can only manage your network configuration. They can modify the tailnet policy file, and modify DNS, subnets, and other networking settings. They can view but not modify user and device information (even for their own devices), and general settings. They cannot access or change the pricing plan or billing information.

In a larger organization, use this role for the Networking team, to manage your network topology including DNS and subnets.

This role is only available for the Business plan and higher. Users with the Network Admin role count towards the number of Admin users for pricing.

IT Admin

An IT Admin is an administrator of the Tailscale account for your organization, who can only manage users and machines. They can perform actions to remove users, or approve and remove devices, and can modify general settings, like enabling certain features. They can view but not modify network information, such as the tailnet policy file and DNS configurations. They cannot access or change the pricing plan or billing information.

In a larger organization, use this role for the IT team, to onboard and offboard users and their devices.

An IT Admin can grant all roles, including roles that are more powerful than IT Admin. This follows the principle of separation of duties, as two individuals must work together to elevate their access.

This role is only available for the Business plan and higher. Users with the IT Admin role count towards the number of Admin users for pricing.

Auditor

An Auditor is a member of the Tailscale account for your organization. They can read all configurations for your tailnet but not modify any of them.

In a larger organization, use this role for the compliance or audit team.

This role is only available for the Business plan and higher. Users with the Auditor role do not count towards the number of Admin users for pricing.

Member

A Member is a user of your tailnet. They cannot access the admin console, but can connect to nodes in your tailnet as permitted by ACLs.

New users on a tailnet are Members by default.

There can be multiple Members. Personal accounts are limited to 1 Member user.

If you are sharing a node with another user, they are a Member for that node only, not the entire tailnet.

Pricing and Billing

Only the Owner and Admins of a Tailscale account can select a pricing plan and set up billing.

Once billing is set up, the Owner and the user who set up billing (who may be the Owner or an Admin) can access and modify it.

Separate from the billing plan, the Owner and Admin can modify billing information, such as the billing email.

Permission matrix

Permissions managed by user roles

Permission Owner Admin Network Admin IT Admin Auditor Member
Can access the admin console
Read tailnet policy file
Write tailnet policy file
Read network configurations
Write network configurations, e.g., enable MagicDNS, split DNS, make subnet, or allow a node to be an exit node, enable HTTPS
Read feature configuration
Write feature configuration, e.g., enable Taildrop
Read machines, e.g., see machine names and status
Write machines, e.g., approve, rename, and remove machines
Read users and user roles
Write users and user roles, e.g, remove users, make Admin
Can generate authkeys
Can share a node
Can accept a shared node
Can use any tag (without being tag owner)
Read configuration audit logs
Use Tailscale SSH Console, if allowed by tailnet policy file
Write webhooks
Write tailnet name
Write billing information, such as email (different than billing plan)

Permissions managed by tailnet policy file

Permissions for communicating within a network, and for running certain commands on devices, are set by the tailnet policy file:

  • Access to a machine
  • Ability to set a tag (tag owner)
  • Ability to self-approve a route or exit node (auto approver)

Last updated

WireGuard is a registered
trademark of Jason A. Donenfeld.

© 2022 Tailscale Inc.

Privacy & Terms