Edit access control policies in your tailnet policy file
You can edit access control policies in your tailnet policy file by using the Access Controls page of the admin console, GitOps for Tailscale, or the Tailscale API. Refer to tailnet policy syntax.
You must be an Owner, Admin, or Network admin to edit the tailnet policy file.
Preview changes
You can preview user permissions while editing the access control policies in the tailnet policy file.
- Go to the Access Controls page of the admin console.
- Open the Preview rules tab.
- Select a user to access a list of destinations (one per line) accessible to the specified user.
The list also shows the line number that defines that rule and any other users or groups that can access that destination (due to that rule).
You can also define access control policy tests to ensure changes don't accidentally remove access to an important system or unintentionally allow access to resources.
Debug access control policies
You can use the tailscale ping command to debug access control policies by testing the connections between devices. The tailscale ping command supports TSMP pings and ICMP pings.
TSMP pings check whether two devices can establish a network connection but stop before the access control policy check. Use tailscale ping --tsmp to send a TSMP ping.
tailscale ping --tsmp
ICMP pings check the end-to-end connectivity between devices, including access control policies. Use tailscale ping --icmp or regular ping to send an ICMP ping.
tailscale ping --icmp
If TSMP ping succeeds, but ICMP ping fails, connections between devices are likely blocked by access control policies. If TSMP ping fails, devices cannot establish a network connection, even though access control policies might allow connections. If both TSMP and ICMP pings succeed, but connections still fail, check the port numbers in your access control policies and services you are trying to connect to.
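The TSMP/ICMP decision rules above as a small POSIX shell helper; this is an added example, not code from the Tailscale documentation. The function names interpret and probe are made up for the example, and it assumes tailscale ping exits non-zero when no reply arrives and accepts -c to cap the number of pings.

```shell
#!/bin/sh
# Added example: triage a failing tailnet connection with the two ping types.

# interpret TSMP_RC ICMP_RC
# Maps the exit statuses of the two pings (0 = a reply arrived) to the
# diagnosis given in the text. Prints "verdict: explanation".
interpret() {
    tsmp_status=$1
    icmp_status=$2
    if [ "$tsmp_status" -ne 0 ]; then
        # TSMP failed: the devices cannot connect at all, whatever the policy says.
        echo "no-network-path: devices cannot establish a network connection"
    elif [ "$icmp_status" -ne 0 ]; then
        # TSMP succeeded but ICMP failed: the policy check is the likely blocker.
        echo "policy-block: connection is likely blocked by access control policies"
    else
        # Both succeeded: look at ports in the policy and at the service itself.
        echo "check-ports: verify port numbers in the policy and the target service"
    fi
}

# probe TARGET
# Runs both pings against TARGET (hostname or Tailscale IP) and interprets them.
probe() {
    target=$1
    if ! command -v tailscale >/dev/null 2>&1; then
        echo "tailscale CLI not found in PATH" >&2
        return 2
    fi
    tsmp_rc=0
    icmp_rc=0
    # Assumption: -c 3 limits each run to three pings so a failure returns quickly.
    tailscale ping --tsmp -c 3 "$target" >/dev/null 2>&1 || tsmp_rc=$?
    tailscale ping --icmp -c 3 "$target" >/dev/null 2>&1 || icmp_rc=$?
    interpret "$tsmp_rc" "$icmp_rc"
}

# Run only when a target is given on the command line.
if [ "$#" -ge 1 ]; then
    probe "$1"
fi
```

Run the script on the source device with the destination's hostname or Tailscale IP as its only argument.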
In addition to manual testing, you can create built-in access control policy tests to ensure that specific connections are allowed and prevent access control policy changes from accidentally breaking these connections.
Revert changes
You can revert your tailnet policy file to a previous date and time from the Configuration logs page of the admin console. Refer to Reverting access control policies from audit logs for instructions.
You cannot revert the tailnet policy file if you are using GitOps for Tailscale.