Access control
Tailscale's approach to access control embodies the principles of least privilege and zero trust security. By default, all connections between devices in your Tailscale network (known as a tailnet) are denied unless explicitly permitted through your tailnet policy file. This ensures that only authorized users and devices can communicate with each other, with precise controls over what specific resources they can access.
There are two primary methods for creating access control policies: Grants and access control lists (ACLs). Grants are the recommended method and offer more functionality. However, ACLs will always be supported. Refer to Grants vs. ACLs.
Access control in Tailscale uses various targets and selectors to identify resources, which are also defined in the tailnet policy file. These include autogroups, custom groups, tags, IP addresses, and individual users, and they let you create flexible policies that adapt to your organization's structure.
Grants
Grants represent Tailscale's modern approach to access control, providing a unified syntax for managing permissions across both network and application layers. Each grant defines which sources can access which destinations, along with the specific capabilities they're allowed to use at both the network and application levels.
Explore the grants documentation:
- Grants overview
- Grant syntax reference
- Application capabilities
- Troubleshooting grants
- Example grants
Access control lists (ACLs)
Tailscale recommends migrating to grants.
Access control lists (ACLs) represent Tailscale's original approach to network layer security. The recommended approach is to use grants. However, Tailscale will always support ACLs.
Tailscale SSH
Tailscale SSH integrates with the access control system to provide secure SSH access between devices in your tailnet. Instead of managing SSH keys, Tailscale SSH leverages your tailnet's identity system to authenticate and authorize connections based on the rules defined in your tailnet policy file.
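The following tailnet policy file is an added example, not taken from Tailscale's documentation, that ties together the grants and Tailscale SSH sections above: a default-deny tailnet in which one group may reach tagged production servers on two ports at the network layer, receives one application-layer capability, and may open Tailscale SSH sessions as a non-root user. The group name, tag name, user e-mail addresses and the capability name `example.com/cap/reports` are assumptions; the file is HuJSON, so comments and trailing commas are allowed.

```json
{
  // Nothing is permitted until a grant (or ACL) below allows it.
  "groups": {
    "group:devops": ["alice@example.com", "bob@example.com"],
  },
  "tagOwners": {
    // Members of group:devops may apply tag:prod to devices they enroll.
    "tag:prod": ["group:devops"],
  },
  "grants": [
    {
      // Network layer: devops users may reach prod servers on SSH and HTTPS only.
      // Tailscale SSH also depends on this tcp:22 allowance being present.
      "src": ["group:devops"],
      "dst": ["tag:prod"],
      "ip":  ["tcp:22", "tcp:443"],
    },
    {
      // Application layer: the same users carry a capability that an
      // application on tag:prod can read and enforce on its own.
      // "example.com/cap/reports" is a hypothetical capability name.
      "src": ["group:devops"],
      "dst": ["tag:prod"],
      "app": {
        "example.com/cap/reports": [
          {"access": "read"},
        ],
      },
    },
  ],
  "ssh": [
    {
      // Tailscale SSH: devops users may SSH to prod servers as any non-root
      // account; "check" requires identity re-verification every 12 hours.
      "action": "check",
      "checkPeriod": "12h",
      "src": ["group:devops"],
      "dst": ["tag:prod"],
      "users": ["autogroup:nonroot"],
    },
  ],
}
```

Any device or user not named in a `src` field, and any port not listed in `ip`, stays denied, which is the least-privilege posture the page describes.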