Edit ACLs in your tailnet policy file
You can edit access control lists (ACLs) in your tailnet policy file by using the Access Controls page of the admin console, GitOps for Tailscale ACLs, or the Tailscale API. Refer to ACL syntax.
You must be an Owner, Admin, or Network admin to edit the tailnet policy file.
Preview changes
You can preview user permissions while editing the ACLs in the tailnet policy file.
- Go to the Access Controls page of the admin console.
- Open the Preview rules tab.
- Select a user to access a list of destinations (one per line) accessible to the specified user.
The list also shows the line number that defines that rule and any other users or groups that can access that destination (due to that rule).
You can also define ACL tests to ensure changes don't accidentally remove access to an important system or unintentionally allow access to resources.
Debug ACLs
You can use the tailscale ping command to debug ACLs by testing the connections between devices. The tailscale ping command supports TSMP pings and ICMP pings.
TSMP pings check whether two devices can establish a network connection but stop before the ACL check. Use tailscale ping --tsmp to send a TSMP ping.
tailscale ping --tsmp
ICMP pings check the end-to-end connectivity between devices, including ACLs. Use tailscale ping --icmp or regular ping to send an ICMP ping.
tailscale ping
If TSMP ping succeeds, but ICMP ping fails, connections between devices are likely blocked by ACLs. If TSMP ping fails, devices cannot establish a network connection, even though ACLs might allow connections. If both TSMP and ICMP pings succeed, but connections still fail, check the port numbers in your ACLs and services you are trying to connect to.
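The decision logic above as a shell script, added here as an example and not part of the Tailscale documentation. It assumes the tailscale CLI exits non-zero when a ping gets no reply and accepts the --c and --timeout flags; TS_BIN, probe and diagnose are names chosen for this example.

```shell
#!/bin/sh
# Added example, not Tailscale's own code. Usage: sh acl-diag.sh PEER [PEER...]
# Assumptions: `tailscale ping` exits non-zero when no reply arrives, and the
# installed version accepts --c (ping count) and --timeout.

TS_BIN="${TS_BIN:-tailscale}"   # hypothetical override, lets a stub stand in for the CLI

# probe KIND TARGET: exit 0 if one ping of KIND (tsmp or icmp) gets a reply.
probe() {
  "$TS_BIN" ping "--$1" --c 1 --timeout 5s "$2" >/dev/null 2>&1
}

# diagnose TARGET: print a verdict; status 0 = both pass, 1 = ACL, 2 = no path.
diagnose() {
  target="$1"
  # TSMP first: if it fails there is no network connection, whatever the ACLs allow.
  if ! probe tsmp "$target"; then
    echo "no-connection: TSMP ping to $target failed, devices cannot connect"
    return 2
  fi
  # TSMP passed, so an ICMP failure points at the ACLs.
  if ! probe icmp "$target"; then
    echo "acl-blocked: TSMP ok but ICMP failed for $target, check the ACLs"
    return 1
  fi
  echo "reachable: both pings ok for $target, check ACL port numbers and the service"
  return 0
}

# Diagnose every peer given on the command line and remember the worst status.
worst=0
for peer in "$@"; do
  rc=0
  diagnose "$peer" || rc=$?
  if [ "$rc" -gt "$worst" ]; then worst=$rc; fi
done
# Exit with the worst status only when peers were given.
[ "$#" -eq 0 ] || exit "$worst"
```

Running the TSMP ping first keeps a connectivity failure from being misread as an ACL problem.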
In addition to manual testing, you can create built-in ACL tests to ensure that specific connections are allowed and prevent ACL changes from accidentally breaking these connections.
Revert changes
You can revert your tailnet policy file to a previous date and time from the Configuration logs page of the admin console. Refer to Reverting ACLs from audit logs for instructions.
You cannot revert the tailnet policy file if you are using GitOps for Tailscale ACLs.