Inviting users vs sharing a device

Tailscale offers two ways to share access to devices and services: inviting a user to your tailnet and sharing a device.

Both options have pros and cons, and each works best for certain scenarios. Review the following sections to learn more about each option.

Inviting a user

You can share access to the devices and resources in your tailnet by inviting another user. An invited user can access any device or service in your tailnet by default. You can control what they can access using access controls. For example, you could invite a user and restrict their access to a few devices.

When inviting someone, you must choose their role. The role you choose determines what they can and cannot do within your tailnet. For example, you could make them a Member and allow them to access devices and services (as specified by access controls) but not the admin console.

Inviting a user is best when you're sharing more than a few devices, especially if the user needs to have access to new devices as they get added to your tailnet. Inviting a user also lets you change what they have access to over time without having to share and revoke access to individual devices each time.

The following table lists the pros and cons of inviting a user (instead of sharing a device).

| Pros | Cons |
| --- | --- |
| User can access the entire tailnet (limited by access controls). | Increases the user count of your tailnet. |
| You can configure access control policies for the user. | |
| You can select the user’s role. | |
| User can access devices behind subnet routers. | |
| User can use Tailscale features (like Taildrop). | |
| User can add devices to the tailnet. | |

Sharing a device

You can share a device with people outside your tailnet without exposing it to the public internet. After you share a device with another Tailscale user, the device appears in their tailnet like any other device, including on the Machines page in the admin console. Only the people you shared the device with will be able to see it, even if they are in the same tailnet.

Note that both your tailnet and theirs must have access controls that allow connections to the shared device. The default tailnet policy file allows this, but if either tailnet has a custom policy file, you must ensure it grants access to the shared device.
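
The following is an added example, not taken from the Tailscale documentation: a custom tailnet policy file that restricts an invited user to two devices and still grants access to a shared device for the people who accepted the share. The user, host names, addresses and ports are constructed placeholders; `autogroup:shared` is Tailscale's built-in group for users who accepted a share invite.

```json
// Constructed policy file (HuJSON). All names, IPs and ports are placeholders.
{
  "hosts": {
    "build-server": "100.64.0.10",
    "wiki":         "100.64.0.20",
    "shared-nas":   "100.64.0.30"
  },
  "acls": [
    // Invited user: limited to SSH on one device and HTTPS on another.
    // This replaces the default allow-all rule
    //   {"action": "accept", "src": ["*"], "dst": ["*:*"]}
    // so anything not listed here is denied.
    {
      "action": "accept",
      "src":    ["contractor@example.com"],
      "dst":    ["build-server:22", "wiki:443"]
    },
    // Device sharing: once the allow-all rule is gone, people you shared
    // a device with need an explicit rule, scoped to that device and port.
    {
      "action": "accept",
      "src":    ["autogroup:shared"],
      "dst":    ["shared-nas:445"]
    }
    // Rules for your own users and devices are omitted from this example.
  ]
}
```

The recipient's tailnet needs a corresponding rule in its own policy file if it also uses a custom policy.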

Sharing a device is best when you're sharing a fixed number of devices and the user doesn't need access to all of Tailscale's functionality.

The following table lists the pros and cons of sharing a device (instead of inviting a user).

| Pros | Cons |
| --- | --- |
| User can access one or a small fixed number of devices. | Can’t access devices behind subnet routers. |
| User can access the device while connected to a different tailnet. | Can’t use Tailscale features (like Taildrop). |
| Doesn’t increase the user count of your tailnet. | Can’t add new devices. |
| | Can’t create access control policies for the user. |