Get started
Login
© 2024

Targets and selectors

A target (or selector) is an identifier you use to identify users, devices, or subnets in the tailnet policy file. In most cases, you’ll use targets to select the source or destination of an access control policy. Targets can select one or many devices, users, or network segments. For example, tag:sql-server is a target you can use to select all devices tagged with sql-server, and 192.0.2.23 is a target that only selects the device using the IP address 192.0.2.23.

Use the page as a reference for the various types of targets, when you can use them, and their restrictions.

Types

There are three primary types of targets: autogroups, explicit selectors, and custom selectors.

Autogroups

An autogroup is a type of built-in target that automatically groups devices, users, or IP addresses based on specific criteria. They let you select dynamic sets of users, devices, or routes that might be challenging or even impossible to select by other means. For example, autogroup:member is an autogroup that includes all members of your tailnet.

AutogroupDescription
autogroup:danger-allIncludes all devices, even those outside your tailnet. Use this target with caution—it could expose your tailnet to security risks or unexpected behavior.
autogroup:internetIncludes all public IP addresses.
autogroup:selfIncludes all devices owned by the same user. This is a special autogroup that you can use to allow devices owned by the same user to access one another.
autogroup:sharedIncludes all devices that belong to users who have accepted a sharing invitation to your tailnet.
autogroup:taggedIncludes all devices that have at least one tag.
autogroup:memberIncludes all members of the tailnet.
autogroup:ownerIncludes all members in the tailnet with the Owner role.
autogroup:adminIncludes all members in the tailnet with the Admin role.
autogroup:it-adminIncludes all members in the tailnet with the IT admin role.
autogroup:billing-adminIncludes all members in the tailnet with the Billing admin role.
autogroup:network-adminIncludes all members in the tailnet with the Network admin role.
autogroup:auditorIncludes all members in the tailnet with the Auditor role.

Review the following tables to understand where and how you can use each autogroup.

autogroup:danger-all

autogroup:danger-all is a special (and dangerous) autogroup that includes all devices, even those outside your tailnet.

Tailscale does not recommend using this autogroup because it exposes your tailnet to unnecessary security risks. It’s only available for backward compatibility reasons.

Review the following table to understand where and how you can this selector. The Location column indicates the location in tailnet policy file and the Allowed column indicates whether you can use the target in that location.

LocationAllowed
SSH source (src)No
SSH destination (dst)No
Access control source (src)
Includes grants and ACLs.
Yes
Access control destination (dst)
Includes grants and ACLs.
No
Node attribute target (nodeAttr)No
Tag owner (tagOwner)No
Group (group)No
IP set (ipset)No
Auto approver (autoApprover)No

autogroup:internet

autogroup:internet is an autogroup that includes all public IP addresses.

Review the following table to understand where and how you can this selector. The Location column indicates the location in tailnet policy file and the Allowed column indicates whether you can use the target in that location.

LocationAllowed
SSH source (src)No
SSH destination (dst)No
Access control source (src)
Includes grants and ACLs.
No
Access control destination (dst)
Includes grants and ACLs.
Yes
Node attribute target (nodeAttr)No
Tag owner (tagOwner)No
Group (group)No
IP set (ipset)Yes
Auto approver (autoApprover)No

autogroup:self

autogroup:self is an autogroup that includes all devices owned by the same user. You can use this autogroup to allow devices owned by the same user to access one another.

Review the following table to understand where and how you can this selector. The Location column indicates the location in tailnet policy file and the Allowed column indicates whether you can use the target in that location.

LocationAllowed
SSH source (src)No
SSH destination (dst)Restricted
Access control source (src)
Includes grants and ACLs.
No
Access control destination (dst)
Includes grants and ACLs.
Restricted
Node attribute target (nodeAttr)No
Tag owner (tagOwner)No
Group (group)No
IP set (ipset)No
Auto approver (autoApprover)No

autogroup:shared

autogroup:shared is an autogroup that includes all devices that belong to users who have accepted a sharing invitation to your tailnet.

Review the following table to understand where and how you can this selector. The Location column indicates the location in tailnet policy file and the Allowed column indicates whether you can use the target in that location.

LocationAllowed
SSH source (src)No
SSH destination (dst)No
Access control source (src)
Includes grants and ACLs.
Yes
Access control destination (dst)
Includes grants and ACLs.
No
Node attribute target (nodeAttr)No
Tag owner (tagOwner)No
Group (group)No
IP set (ipset)No
Auto approver (autoApprover)No

autogroup:tagged

autogroup:tagged is an autogroup that includes all devices that have at least one tag.

Review the following table to understand where and how you can this selector. The Location column indicates the location in tailnet policy file and the Allowed column indicates whether you can use the target in that location.

LocationAllowed
SSH source (src)Restricted
SSH destination (dst)Yes
Access control source (src)
Includes grants and ACLs.
Yes
Access control destination (dst)
Includes grants and ACLs.
Yes
Node attribute target (nodeAttr)Yes
Tag owner (tagOwner)Yes
Group (group)No
IP set (ipset)No
Auto approver (autoApprover)Yes

autogroup:<role>

autogroup:<role> is an autogroup that includes all members in the tailnet with a specific role.

Review the following table to understand where and how you can this selector. The Location column indicates the location in tailnet policy file and the Allowed column indicates whether you can use the target in that location.

LocationAllowed
SSH source (src)Restricted for autogroup:member
SSH destination (dst)No
Access control source (src)
Includes grants and ACLs.
Yes
Access control destination (dst)
Includes grants and ACLs.
Yes
Node attribute target (nodeAttr)Yes
Tag owner (tagOwner)Yes
Group (group)No
IP set (ipset)No
Auto approver (autoApprover)Yes

Other built-in targets

The following table documents unusual autogroups and other built-in targets.

TargetDescription
localpart:*@<domain>Includes all members with email addresses in the specified <domain>. It's only valid as an SSH source.
autogroup:nonrootThis is a special autogroup that applies to SSH users. You can only use it to specify that a user can log in as any user except root. It's not allowed in the source (src) or destination (dst) definitions.

Explicit selector

An explicit selector is a target not created by a group, tag, or IP set.

TargetDescriptionExample
IP addressSelect a device by its IP address.192.0.2.2
Host aliasSelect a device by user-defined host alias.host:sql-server-1
IP address rangeSelect an explicit range of IP addresses.198.51.100.5-198.51.100.10
CIDRSelect a range of IP addresses by the CIDR address.203.0.113.0/24
UserSelect a specific user by their email address, Passkey, or GitHub username.user@company.com, user@passkey, username@github

Review the following sections to understand where and how you can use explicit selectors.

IP address

You can use an IP address to select a specific device on your tailnet. For example, 192.0.2.2.

Review the following table to understand where and how you can this selector. The Location column indicates the location in tailnet policy file and the Allowed column indicates whether you can use the target in that location.

LocationAllowed
SSH source (src)No
SSH destination (dst)No
Access control source (src)
Includes grants and ACLs.
Yes
Access control destination (dst)
Includes grants and ACLs.
Yes
Node attribute target (nodeAttr)Yes
Tag owner (tagOwner)No
Group (group)No
IP set (ipset)Yes
Auto approver (autoApprover)No

Host alias

You can use a host alias to select a device by its user-defined alias. For example, host:sql-server-1.

Review the following table to understand where and how you can this selector. The Location column indicates the location in tailnet policy file and the Allowed column indicates whether you can use the target in that location.

LocationAllowed
SSH source (src)No
SSH destination (dst)No
Access control source (src)
Includes grants and ACLs.
Yes
Access control destination (dst)
Includes grants and ACLs.
Yes
Node attribute target (nodeAttr)Yes
Tag owner (tagOwner)No
Group (group)No
IP set (ipset)Yes
Auto approver (autoApprover)No

IP address range

You can use an IP address range to select a range of IP addresses. For example, 192.0.2.4-192.0.2.12.

Review the following table to understand where and how you can this selector. The Location column indicates the location in tailnet policy file and the Allowed column indicates whether you can use the target in that location.

LocationAllowed
SSH source (src)No
SSH destination (dst)No
Access control source (src)
Includes grants and ACLs.
No
Access control destination (dst)
Includes grants and ACLs.
No
Node attribute target (nodeAttr)No
Tag owner (tagOwner)No
Group (group)No
IP set (ipset)Yes
Auto approver (autoApprover)No

User

You can reference a specific a user by their email address, Passkey, or GitHub username (depending on how they authenticated their Tailscale account). For example, alice@example.com, alice@github or alice@passkey.

Review the following table to understand where and how you can this selector. The Location column indicates the location in tailnet policy file and the Allowed column indicates whether you can use the target in that location.

LocationAllowed
SSH source (src)Yes
SSH destination (dst)No
Access control source (src)
Includes grants and ACLs.
Yes
Access control destination (dst)
Includes grants and ACLs.
Yes
Node attribute target (nodeAttr)No
Tag owner (tagOwner)Yes
Group (group)No
IP set (ipset)Yes
Auto approver (autoApprover)No

Custom targets

A custom target is a selection of one or more users, devices, or IP addresses that you create using an explicit selector, group, tag, or IP set.

Groups

Groups are selections of users or devices. You can use groups to create custom collections of users or devices to target in policies. For example, you might have a prod group that includes all devices in your production environment. Review the following table to understand where and how you can use groups.

Review the following table to understand where and how you can this selector. The Location column indicates the location in tailnet policy file and the Allowed column indicates whether you can use the target in that location.

LocationAllowed
SSH source (src)Restricted
SSH destination (dst)No
Access control source (src)Yes
Access control destination (dst)Yes
Node attribute target (nodeAttr)Yes
Tag owner (tagOwner)Yes
Group (group)No
IP set (ipset)No
Auto approver (autoApprover)Yes

Tags

Tags are named annotations for non-user devices. You can use tags to create identities for non-user devices, such as those hosting a service or application. For example, you might have a sql tag that you apply to all devices running a SQL server.

Review the following table to understand where and how you can this selector. The Location column indicates the location in tailnet policy file and the Allowed column indicates whether you can use the target in that location.

LocationAllowed
SSH source (src)Restricted
SSH destination (dst)Yes
Access control source (src)Yes
Access control destination (dst)Yes
Node attribute target (nodeAttr)Yes
Tag owner (tagOwner)Yes
Group (group)No
IP set (ipset)No
Auto approver (autoApprover)Yes

IP sets

IP sets are collections of IP addresses. You can use IP sets to create custom selections of IP addresses.

Review the following table to understand where and how you can this selector. The Location column indicates the location in tailnet policy file and the Allowed column indicates whether you can use the target in that location.

LocationAllowed
SSH source (src)No
SSH destination (dst)No
Access control source (src)Yes
Access control destination (dst)Yes
Node attribute target (nodeAttr)No
Tag owner (tagOwner)No
Group (group)No
IP set (ipset)Yes
Auto approver (autoApprover)No

Restrictions

Some targets have specific restrictions for security purposes. Review the following restrictions to understand where and how you can use each target.

  • User-authenticated devices can only SSH to other devices they own or devices authenticated with a tag.
  • Devices with a tag-based identity can only SSH into other tagged devices; they cannot SSH into devices with a user-based identity.
  • The autogroup:self selector only works as the source if autogroup:member is the destination.

Last updated Nov 28, 2024