Product
Solutions
Enterprise
Customers
Docs
Blog
Pricing
Download
Get started
Login
© 2024

Access control

Tailscale’s access control methodology follows the least privilege and zero trust principles. There are two ways to define access controls for your tailnet: access control lists (ACLs) and grants. Both methods follow a deny-by-default approach and are defined in the tailnet policy file using a declarative huJSON syntax.

You can use both methods in the same tailnet policy file according to your preference. Behind the scenes, Tailscale combines any ACL rules or grants that are present in your tailnet policy file into a unified set of rules that apply to your tailnet.

Access control lists (ACLs)

ACLs represent the traditional network layer approach to managing access within your tailnet, where you define a set of devices or users who can access ports on other devices. Each ACL you create must define a source and a destination.

ACLs let you define network layer capabilities where the defined sources (devices or users) can access the specific destinations. For example, you can create an ACL policy to give a group of users access to port 8443 on a server.


Learn more about ACLs

Learn how to use ACLs to define access policies on your Tailscale network.

Grants

Grants are a new, more powerful approach to access control. They let you do everything you can with ACLs, plus more. When communicating with a destination device, you can grant application layer capabilities to a set of devices or users. You can also continue to define traditional network layer capabilities. For example, you can use a grant rule to give a group of users access to port 8443 on a server, and define the files they can edit on that server.

The grants system combines network layer and application layer capabilities into a shared syntax. As a result, it offers enhanced flexibility and fine-grained control over resource access. Each grant only requires a source and a destination. Because Tailscale takes a deny-by-default approach, each grant has an implied accept action.


Learn more about grants

Learn how to grant capabilities at the network and application layers.