Get started
© 2024

Edit ACLs in your tailnet policy file

You can edit access control lists (ACLs) in your tailnet policy file by using the Access Controls page of the admin console, GitOps for Tailscale ACLs, or the Tailscale API. Refer to ACL syntax.

You must be an Owner, Admin, or Network admin to edit the tailnet policy file.

Preview changes

You can preview user permissions while editing the ACLs in the tailnet policy file.

  1. Go to the Access Controls page of the admin console.
  2. Open the Preview rules tab.
  3. Select a user to access a list of destinations (one per line) accessible to the specified user.

The list also shows the line number that defines that rule and any other users or groups that can access that destination (due to that rule).

You can also define ACL tests to ensure changes don't accidentally remove access to an important system or unintentionally allow access to resources.

Debug ACLs

You can use the tailscale ping command to debug ACLs by testing the connections between nodes. The tailscale ping supports TSMP pings and ICMP pings.

TSMP pings check whether two nodes can establish a network connection but stop before the ACL check. Use tailscale ping --tsmp to send a TSMP ping.

tailscale ping --tsmp

ICMP pings check the end-to-end connectivity between nodes, including ACLs. Use tailscale ping --icmp or regular ping to send an ICMP ping.

tailscale ping

If TSMP ping succeeds but ICMP ping fails, connections between nodes are likely blocked by ACLs. If TSMP ping fails, nodes cannot establish a network connection, even though ACLs might allow connections. If both TSMP and ICMP pings succeed but connections still fail, check the port numbers in your ACLs and services you are trying to connect to.

In addition to manual testing, you can create built-in ACL tests to ensure that specific connections are allowed and prevent ACL changes from accidentally breaking these connections.

Revert changes

You can revert your tailnet policy file to a previous date and time from the Configuration logs page of the admin console. Refer to Reverting ACLs from audit logs for instructions.

You cannot revert the tailnet policy file if you are using GitOps for Tailscale ACLs.