Access control
Tailscale’s access control methodology follows the least privilege and zero trust principles. There are two ways to define access controls for your tailnet: access control lists (ACLs) and grants. Both methods follow a deny-by-default approach and are defined in the tailnet policy file using a declarative huJSON syntax.
You can use both methods in the same tailnet policy file according to your preference. Behind the scenes, Tailscale combines any ACL rules or grants that are present in your tailnet policy file into a unified set of rules that apply to your tailnet.
Access control lists (ACLs)
ACLs represent the traditional network layer approach to managing access within your tailnet, where you define a set of devices or users who can access ports on other devices. Each ACL you create must define a source and a destination.
ACLs let you define network layer capabilities where the defined sources (devices or users) can access the specific destinations. For example, you can create an ACL policy to give a group of users access to port 8443
on a server.
Learn more about ACLs
Learn how to configure access control lists (ACLs) in Tailscale to manage device permissions and secure your network. This guide covers setting up ACLs for granular control over user and device access, enhancing your tailnet’s security and flexibility.
Grants
Grants are a new, more powerful approach to access control. They let you do everything you can with ACLs, plus more. When communicating with a destination device, you can grant application layer capabilities to a set of devices or users. You can also continue to define traditional network layer capabilities. For example, you can use a grant rule to give a group of users access to port 8443
on a server, and define the files they can edit on that server.
The grants system combines network layer and application layer capabilities into a shared syntax. As a result, it offers enhanced flexibility and fine-grained control over resource access. Each grant only requires a source and a destination. Because Tailscale takes a deny-by-default approach, each grant has an implied accept action.
Learn more about grants
Learn how to grant capabilities at the network and application layers.