Targets and selectors

A target (or selector) is an identifier you use to identify users, devices, or subnets in the tailnet policy file. In most cases, you’ll use targets to select the source or destination of an access control policy. Targets can select one or many devices, users, or network segments. For example, tag:sql-server is a target you can use to select all devices tagged with sql-server, and 192.0.2.23 is a target that only selects the device using the IP address 192.0.2.23.

Use this page as a reference for the various types of targets, where you can use them, and their restrictions.

Types

There are three primary types of targets: autogroups, explicit selectors, and custom selectors.

Autogroups

An autogroup is a type of built-in target that automatically groups devices, users, or IP addresses based on specific criteria. They let you select dynamic sets of users, devices, or routes that might be challenging or even impossible to select by other means. For example, autogroup:member is an autogroup that includes all members of your tailnet.

| Autogroup | Description |
| --- | --- |
| autogroup:danger-all | Includes all devices, even those outside your tailnet. Use this target with caution: it could expose your tailnet to security risks or unexpected behavior. |
| autogroup:internet | Includes all public IP addresses. |
| autogroup:self | Includes all devices owned by the same user. This is a special autogroup that you can use to allow devices owned by the same user to access one another. |
| autogroup:shared | Includes all devices that belong to users who have accepted a sharing invitation to your tailnet. |
| autogroup:tagged | Includes all devices that have at least one tag. |
| autogroup:member | Includes all members of the tailnet. |
| autogroup:owner | Includes all members in the tailnet with the Owner role. |
| autogroup:admin | Includes all members in the tailnet with the Admin role. |
| autogroup:it-admin | Includes all members in the tailnet with the IT admin role. |
| autogroup:billing-admin | Includes all members in the tailnet with the Billing admin role. |
| autogroup:admin-network | Includes all members in the tailnet with the Network admin role. |
| autogroup:auditor | Includes all members in the tailnet with the Auditor role. |

Review the following tables to understand where and how you can use each autogroup.

autogroup:danger-all

autogroup:danger-all is a special (and dangerous) autogroup that includes all devices, even those outside your tailnet.

Tailscale does not recommend using this autogroup because it exposes your tailnet to unnecessary security risks. It’s only available for backward compatibility reasons.

Review the following table to understand where and how you can use this selector. The Location column indicates the location in the tailnet policy file and the Allowed column indicates whether you can use the target in that location.

| Location | Allowed |
| --- | --- |
| SSH source (src) | No |
| SSH destination (dst) | No |
| Access control source (src), including grants and ACLs | Yes |
| Access control destination (dst), including grants and ACLs | No |
| Node attribute target (nodeAttr) | No |
| Tag owner (tagOwner) | No |
| Group (group) | No |
| IP set (ipset) | No |
| Auto approver (autoApprover) | No |

autogroup:internet

autogroup:internet is an autogroup that includes all public IP addresses.

Review the following table to understand where and how you can use this selector. The Location column indicates the location in the tailnet policy file and the Allowed column indicates whether you can use the target in that location.

| Location | Allowed |
| --- | --- |
| SSH source (src) | No |
| SSH destination (dst) | No |
| Access control source (src), including grants and ACLs | No |
| Access control destination (dst), including grants and ACLs | Yes |
| Node attribute target (nodeAttr) | No |
| Tag owner (tagOwner) | No |
| Group (group) | No |
| IP set (ipset) | Yes |
| Auto approver (autoApprover) | No |

autogroup:self

autogroup:self is an autogroup that includes all devices owned by the same user. You can use this autogroup to allow devices owned by the same user to access one another.

Review the following table to understand where and how you can use this selector. The Location column indicates the location in the tailnet policy file and the Allowed column indicates whether you can use the target in that location.

| Location | Allowed |
| --- | --- |
| SSH source (src) | No |
| SSH destination (dst) | Restricted |
| Access control source (src), including grants and ACLs | No |
| Access control destination (dst), including grants and ACLs | Restricted |
| Node attribute target (nodeAttr) | No |
| Tag owner (tagOwner) | No |
| Group (group) | No |
| IP set (ipset) | No |
| Auto approver (autoApprover) | No |

autogroup:shared

autogroup:shared is an autogroup that includes all devices that belong to users who have accepted a sharing invitation to your tailnet.

Review the following table to understand where and how you can use this selector. The Location column indicates the location in the tailnet policy file and the Allowed column indicates whether you can use the target in that location.

| Location | Allowed |
| --- | --- |
| SSH source (src) | No |
| SSH destination (dst) | No |
| Access control source (src), including grants and ACLs | Yes |
| Access control destination (dst), including grants and ACLs | No |
| Node attribute target (nodeAttr) | No |
| Tag owner (tagOwner) | No |
| Group (group) | No |
| IP set (ipset) | No |
| Auto approver (autoApprover) | No |

autogroup:tagged

autogroup:tagged is an autogroup that includes all devices that have at least one tag.

Review the following table to understand where and how you can use this selector. The Location column indicates the location in the tailnet policy file and the Allowed column indicates whether you can use the target in that location.

| Location | Allowed |
| --- | --- |
| SSH source (src) | Restricted |
| SSH destination (dst) | Yes |
| Access control source (src), including grants and ACLs | Yes |
| Access control destination (dst), including grants and ACLs | Yes |
| Node attribute target (nodeAttr) | Yes |
| Tag owner (tagOwner) | Yes |
| Group (group) | No |
| IP set (ipset) | No |
| Auto approver (autoApprover) | Yes |

autogroup:<role>

autogroup:<role> is an autogroup that includes all members in the tailnet with a specific role.

Review the following table to understand where and how you can use this selector. The Location column indicates the location in the tailnet policy file and the Allowed column indicates whether you can use the target in that location.

| Location | Allowed |
| --- | --- |
| SSH source (src) | Restricted for autogroup:member |
| SSH destination (dst) | No |
| Access control source (src), including grants and ACLs | Yes |
| Access control destination (dst), including grants and ACLs | Yes |
| Node attribute target (nodeAttr) | Yes |
| Tag owner (tagOwner) | Yes |
| Group (group) | No |
| IP set (ipset) | No |
| Auto approver (autoApprover) | Yes |

Other built-in targets

The following table documents unusual autogroups and other built-in targets.

| Target | Description |
| --- | --- |
| localpart:*@<domain> | Includes all members with email addresses in the specified <domain>. It's only valid as an SSH source. |
| autogroup:nonroot | This is a special autogroup that applies to SSH users. You can only use it to specify that a user can log in as any user except root. It's not allowed in the source (src) or destination (dst) definitions. |

Explicit selector

An explicit selector is a target not created by a group, tag, or IP set.

| Target | Description | Example |
| --- | --- | --- |
| IP address | Select a device by its IP address. | 192.0.2.2 |
| Host alias | Select a device by a user-defined host alias. | host:sql-server-1 |
| IP address range | Select an explicit range of IP addresses. | 198.51.100.5-198.51.100.10 |
| CIDR | Select a range of IP addresses by its CIDR notation. | 203.0.113.0/24 |
| User | Select a specific user by their email address, Passkey, or GitHub username. | user@company.com, user@passkey, username@github |

Review the following sections to understand where and how you can use explicit selectors.

IP address

You can use an IP address to select a specific device on your tailnet. For example, 192.0.2.2.

Review the following table to understand where and how you can use this selector. The Location column indicates the location in the tailnet policy file and the Allowed column indicates whether you can use the target in that location.

| Location | Allowed |
| --- | --- |
| SSH source (src) | No |
| SSH destination (dst) | No |
| Access control source (src), including grants and ACLs | Yes |
| Access control destination (dst), including grants and ACLs | Yes |
| Node attribute target (nodeAttr) | Yes |
| Tag owner (tagOwner) | No |
| Group (group) | No |
| IP set (ipset) | Yes |
| Auto approver (autoApprover) | No |

Host alias

You can use a host alias to select a device by its user-defined alias. For example, host:sql-server-1.

Review the following table to understand where and how you can use this selector. The Location column indicates the location in the tailnet policy file and the Allowed column indicates whether you can use the target in that location.

| Location | Allowed |
| --- | --- |
| SSH source (src) | No |
| SSH destination (dst) | No |
| Access control source (src), including grants and ACLs | Yes |
| Access control destination (dst), including grants and ACLs | Yes |
| Node attribute target (nodeAttr) | Yes |
| Tag owner (tagOwner) | No |
| Group (group) | No |
| IP set (ipset) | Yes |
| Auto approver (autoApprover) | No |

IP address range

You can use an IP address range to select an explicit range of IP addresses. For example, 192.0.2.4-192.0.2.12.

Review the following table to understand where and how you can use this selector. The Location column indicates the location in the tailnet policy file and the Allowed column indicates whether you can use the target in that location.

| Location | Allowed |
| --- | --- |
| SSH source (src) | No |
| SSH destination (dst) | No |
| Access control source (src), including grants and ACLs | No |
| Access control destination (dst), including grants and ACLs | No |
| Node attribute target (nodeAttr) | No |
| Tag owner (tagOwner) | No |
| Group (group) | No |
| IP set (ipset) | Yes |
| Auto approver (autoApprover) | No |

User

You can reference a specific user by their email address, Passkey, or GitHub username (depending on how they authenticated their Tailscale account). For example, alice@example.com, alice@github, or alice@passkey.

Review the following table to understand where and how you can use this selector. The Location column indicates the location in the tailnet policy file and the Allowed column indicates whether you can use the target in that location.

| Location | Allowed |
| --- | --- |
| SSH source (src) | Yes |
| SSH destination (dst) | No |
| Access control source (src), including grants and ACLs | Yes |
| Access control destination (dst), including grants and ACLs | Yes |
| Node attribute target (nodeAttr) | No |
| Tag owner (tagOwner) | Yes |
| Group (group) | No |
| IP set (ipset) | Yes |
| Auto approver (autoApprover) | No |

Custom targets

A custom target is a selection of one or more users, devices, or IP addresses that you create using an explicit selector, group, tag, or IP set.

Groups

Groups are selections of users or devices. You can use groups to create custom collections of users or devices to target in policies. For example, you might have a prod group that includes all devices in your production environment.

Review the following table to understand where and how you can use this selector. The Location column indicates the location in the tailnet policy file and the Allowed column indicates whether you can use the target in that location.

| Location | Allowed |
| --- | --- |
| SSH source (src) | Restricted |
| SSH destination (dst) | No |
| Access control source (src) | Yes |
| Access control destination (dst) | Yes |
| Node attribute target (nodeAttr) | Yes |
| Tag owner (tagOwner) | Yes |
| Group (group) | No |
| IP set (ipset) | No |
| Auto approver (autoApprover) | Yes |

Tags

Tags are named annotations for non-user devices. You can use tags to create identities for non-user devices, such as those hosting a service or application. For example, you might have a sql tag that you apply to all devices running a SQL server.

Review the following table to understand where and how you can use this selector. The Location column indicates the location in the tailnet policy file and the Allowed column indicates whether you can use the target in that location.

| Location | Allowed |
| --- | --- |
| SSH source (src) | Restricted |
| SSH destination (dst) | Yes |
| Access control source (src) | Yes |
| Access control destination (dst) | Yes |
| Node attribute target (nodeAttr) | Yes |
| Tag owner (tagOwner) | Yes |
| Group (group) | No |
| IP set (ipset) | No |
| Auto approver (autoApprover) | Yes |

IP sets

IP sets are collections of IP addresses. You can use IP sets to create custom selections of IP addresses.

Review the following table to understand where and how you can use this selector. The Location column indicates the location in the tailnet policy file and the Allowed column indicates whether you can use the target in that location.

| Location | Allowed |
| --- | --- |
| SSH source (src) | No |
| SSH destination (dst) | No |
| Access control source (src) | Yes |
| Access control destination (dst) | Yes |
| Node attribute target (nodeAttr) | No |
| Tag owner (tagOwner) | No |
| Group (group) | No |
| IP set (ipset) | Yes |
| Auto approver (autoApprover) | No |

Restrictions

Some targets have specific restrictions for security purposes. Review the following restrictions to understand where and how you can use each target.

  • User-authenticated devices can only SSH to other devices they own or devices authenticated with a tag.
  • Devices with a tag-based identity can only SSH into other tagged devices; they cannot SSH into devices with a user-based identity.
  • The autogroup:self selector only works as the source if autogroup:member is the destination.
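As an added example (not Tailscale's own code or tooling), the following Python encodes the allowed-location tables on this page and lints a constructed policy for targets used where the page marks them No or Restricted. The location names (acl_src, ssh_dst, tagOwner, and so on), the classify/verdict/lint helpers and the SAMPLE policy are assumptions of this example; CIDR targets report "unknown" because the page gives no location table for them.

```python
import ipaddress
# Allowed locations per target kind, from this page's tables: "*" marks Restricted, absent means No.
TABLES = {
    "autogroup:danger-all": "acl_src", "autogroup:shared": "acl_src", "autogroup:nonroot": "",
    "autogroup:internet": "acl_dst ipset", "autogroup:self": "ssh_dst* acl_dst*",
    "autogroup:tagged": "ssh_src* ssh_dst acl_src acl_dst nodeAttr tagOwner autoApprover",
    "autogroup:member": "ssh_src* acl_src acl_dst nodeAttr tagOwner autoApprover",
    "autogroup:<role>": "acl_src acl_dst nodeAttr tagOwner autoApprover",
    "localpart": "ssh_src", "range": "ipset", "ipset": "acl_src acl_dst ipset",
    "ip": "acl_src acl_dst nodeAttr ipset", "host": "acl_src acl_dst nodeAttr ipset",
    "user": "ssh_src acl_src acl_dst tagOwner ipset",
    "group": "ssh_src* acl_src acl_dst nodeAttr tagOwner autoApprover",
    "tag": "ssh_src* ssh_dst acl_src acl_dst nodeAttr tagOwner autoApprover",
}
ROLES = {"owner", "admin", "it-admin", "billing-admin", "admin-network", "auditor"}

def classify(target):
    """Map a target string to a TABLES key, or "unknown" (e.g. CIDR, which has no table here)."""
    if target.startswith("autogroup:"):
        return target if target in TABLES else "autogroup:<role>" if target[10:] in ROLES else "unknown"
    prefix = target.split(":", 1)[0]
    if ":" in target and prefix in ("localpart", "host", "group", "tag", "ipset"):
        return prefix
    if target.count("@") == 1:                     # user@company.com, user@github, user@passkey
        return "user"
    try:                                            # 192.0.2.2 or 198.51.100.5-198.51.100.10
        return "range" if len([ipaddress.ip_address(p) for p in target.split("-")]) > 1 else "ip"
    except ValueError:
        return "unknown"

def verdict(location, target):  # "yes", "restricted", "no", or "unknown" (kind has no table here)
    allowed = TABLES.get(classify(target), "?").split()
    return ("unknown" if allowed == ["?"] else "yes" if location in allowed
            else "restricted" if location + "*" in allowed else "no")

def lint(policy):
    """Walk the acls, ssh and tagOwners sections; list (location, target, verdict) not plainly allowed."""
    pairs = [("tagOwner", t) for owners in policy.get("tagOwners", {}).values() for t in owners]
    for rule in policy.get("acls", []):
        pairs += [("acl_src", t) for t in rule["src"]]
        pairs += [("acl_dst", t.rsplit(":", 1)[0]) for t in rule["dst"]]   # ACL dst carries a port
    for rule in policy.get("ssh", []):
        pairs += [("ssh_src", t) for t in rule["src"]] + [("ssh_dst", t) for t in rule["dst"]]
    return [(loc, t, verdict(loc, t)) for loc, t in pairs if verdict(loc, t) != "yes"]

SAMPLE = {  # constructed sample policy: the dict a HuJSON tailnet policy file parses to
    "tagOwners": {"tag:sql-server": ["group:dba", "autogroup:admin"]},
    "acls": [{"action": "accept", "src": ["group:dba"], "dst": ["tag:sql-server:5432"]},
             {"action": "accept", "src": ["autogroup:member"], "dst": ["autogroup:danger-all:*"]}],
    "ssh": [{"action": "accept", "src": ["autogroup:member"], "dst": ["autogroup:self"], "users": ["autogroup:nonroot"]}]}
```

Running lint(SAMPLE) flags the autogroup:danger-all destination as not allowed and the autogroup:member to autogroup:self SSH rule as restricted, so the Restricted entries become review items rather than silent accepts.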

Last updated Nov 8, 2024