{"slug":"access-control","title":"Access control","tags":["tailscale","access-control"],"agent_summary":"Last validated: May 29, 2025","trigger_phrases":[],"runnable":false,"markdown":"\r\n# Access control\r\n\r\nLast validated: May 29, 2025\r\n\r\nTailscale's approach to access control embodies the principles of [least privilege](https://tailscale.com/learn/principle-of-least-privilege) and [zero trust security](https://tailscale.com/docs/concepts/zero-trust). By default, all connections between devices in your Tailscale network (known as a [tailnet](https://tailscale.com/docs/concepts/tailnet)) are denied unless explicitly permitted through your [tailnet policy file](https://tailscale.com/docs/features/tailnet-policy-file). This ensures that only authorized users and devices can communicate with each other, with precise controls over what specific resources they can access.\r\n\r\nThere are two primary methods for creating access control policies: [Grants](https://tailscale.com/docs/features/access-control/grants) and [access control lists (ACLs)](https://tailscale.com/docs/features/access-control/acls). Grants are the recommended method and offer more functionality. However, ACLs will always be supported. Refer to [Grants vs. ACLs](https://tailscale.com/docs/reference/grants-vs-acls).\r\n\r\nAccess control in Tailscale uses various [targets and selectors](https://tailscale.com/docs/reference/targets-and-selectors) to identify resources, which are also defined in the tailnet policy file. These include autogroups, custom groups, tags, IP addresses, and individual users, and let you create flexible policies that adapt to your organization's structure.\r\n\r\nExplore the following resources for more information:\r\n\r\n- [Tailnet policy file](https://tailscale.com/docs/features/tailnet-policy-file)\r\n- [Policy syntax](https://tailscale.com/docs/reference/syntax/policy-file)\r\n- [Targets and selectors](https://tailscale.com/docs/reference/targets-and-selectors)\r\n- [Grants vs. ACLs](https://tailscale.com/docs/reference/grants-vs-acls)\r\n\r\n## [Grants](https://tailscale.com/docs/features/access-control\\#grants)\r\n\r\nGrants represent Tailscale's modern approach to access control, providing a unified syntax for managing permissions across both network and application layers. Each grant defines which sources can access which destinations, along with the specific capabilities they're allowed to use at both the network and application levels.\r\n\r\nExplore the grants documentation:\r\n\r\n- [Grants overview](https://tailscale.com/docs/features/access-control/grants)\r\n- [Grant syntax reference](https://tailscale.com/docs/reference/syntax/grants)\r\n- [Application capabilities](https://tailscale.com/docs/features/access-control/grants/grants-app-capabilities)\r\n- [Troubleshooting grants](https://tailscale.com/docs/reference/troubleshooting/grants)\r\n- [Example grants](https://tailscale.com/docs/reference/examples/grants)\r\n\r\n## [Access control lists (ACLs)](https://tailscale.com/docs/features/access-control\\#access-control-lists-acls)\r\n\r\nTailscale recommends [migrating to grants](https://tailscale.com/docs/reference/migrate-acls-grants).\r\n\r\nAccess control lists ( [ACLs](https://tailscale.com/docs/features/access-control/acls)) represent Tailscale's original approach to network layer security. The recommended approach is to use grants. However, Tailscale will always support ACLs.\r\n\r\nExplore the ACLs documentation:\r\n\r\n- [ACLs overview](https://tailscale.com/docs/features/access-control/acls)\r\n- [ACL syntax reference](https://tailscale.com/docs/reference/syntax/policy-file)\r\n- [Example ACL policies](https://tailscale.com/docs/reference/examples/acls)\r\n\r\n## [Tailscale SSH](https://tailscale.com/docs/features/access-control\\#tailscale-ssh)\r\n\r\nTailscale SSH integrates with the access control system to provide secure SSH access between devices in your tailnet. Instead of managing SSH keys, Tailscale SSH leverages your tailnet's identity system to authenticate and authorize connections based on the rules defined in your tailnet policy file.\r\n\r\n[Explore Tailscale SSH](https://tailscale.com/docs/features/tailscale-ssh).\r\n\r\n![Project Logo](https://cdn.brandfetch.io/tailscale.com/fallback/lettermark/theme/dark/h/256/w/256/icon?c=1bfwsmEH20zzEfSNTed)\r\n\r\nAsk AI\r\n\r\nreCAPTCHA\r\n\r\nRecaptcha requires verification.\r\n\r\nprotected by **reCAPTCHA**\r\n","html":"<h1>Access control</h1>\n<p>Last validated: May 29, 2025</p>\n<p>Tailscale's approach to access control embodies the principles of <a href=\"https://tailscale.com/learn/principle-of-least-privilege\">least privilege</a> and <a href=\"https://tailscale.com/docs/concepts/zero-trust\">zero trust security</a>. By default, all connections between devices in your Tailscale network (known as a <a href=\"https://tailscale.com/docs/concepts/tailnet\">tailnet</a>) are denied unless explicitly permitted through your <a href=\"https://tailscale.com/docs/features/tailnet-policy-file\">tailnet policy file</a>. This ensures that only authorized users and devices can communicate with each other, with precise controls over what specific resources they can access.</p>\n<p>There are two primary methods for creating access control policies: <a href=\"https://tailscale.com/docs/features/access-control/grants\">Grants</a> and <a href=\"https://tailscale.com/docs/features/access-control/acls\">access control lists (ACLs)</a>. Grants are the recommended method and offer more functionality. However, ACLs will always be supported. Refer to <a href=\"https://tailscale.com/docs/reference/grants-vs-acls\">Grants vs. ACLs</a>.</p>\n<p>Access control in Tailscale uses various <a href=\"https://tailscale.com/docs/reference/targets-and-selectors\">targets and selectors</a> to identify resources, which are also defined in the tailnet policy file. These include autogroups, custom groups, tags, IP addresses, and individual users, and let you create flexible policies that adapt to your organization's structure.</p>\n<p>Explore the following resources for more information:</p>\n<ul>\n<li><a href=\"https://tailscale.com/docs/features/tailnet-policy-file\">Tailnet policy file</a></li>\n<li><a href=\"https://tailscale.com/docs/reference/syntax/policy-file\">Policy syntax</a></li>\n<li><a href=\"https://tailscale.com/docs/reference/targets-and-selectors\">Targets and selectors</a></li>\n<li><a href=\"https://tailscale.com/docs/reference/grants-vs-acls\">Grants vs. ACLs</a></li>\n</ul>\n<h2><a href=\"https://tailscale.com/docs/features/access-control#grants\">Grants</a></h2>\n<p>Grants represent Tailscale's modern approach to access control, providing a unified syntax for managing permissions across both network and application layers. Each grant defines which sources can access which destinations, along with the specific capabilities they're allowed to use at both the network and application levels.</p>\n<p>Explore the grants documentation:</p>\n<ul>\n<li><a href=\"https://tailscale.com/docs/features/access-control/grants\">Grants overview</a></li>\n<li><a href=\"https://tailscale.com/docs/reference/syntax/grants\">Grant syntax reference</a></li>\n<li><a href=\"https://tailscale.com/docs/features/access-control/grants/grants-app-capabilities\">Application capabilities</a></li>\n<li><a href=\"https://tailscale.com/docs/reference/troubleshooting/grants\">Troubleshooting grants</a></li>\n<li><a href=\"https://tailscale.com/docs/reference/examples/grants\">Example grants</a></li>\n</ul>\n<h2><a href=\"https://tailscale.com/docs/features/access-control#access-control-lists-acls\">Access control lists (ACLs)</a></h2>\n<p>Tailscale recommends <a href=\"https://tailscale.com/docs/reference/migrate-acls-grants\">migrating to grants</a>.</p>\n<p>Access control lists ( <a href=\"https://tailscale.com/docs/features/access-control/acls\">ACLs</a>) represent Tailscale's original approach to network layer security. The recommended approach is to use grants. However, Tailscale will always support ACLs.</p>\n<p>Explore the ACLs documentation:</p>\n<ul>\n<li><a href=\"https://tailscale.com/docs/features/access-control/acls\">ACLs overview</a></li>\n<li><a href=\"https://tailscale.com/docs/reference/syntax/policy-file\">ACL syntax reference</a></li>\n<li><a href=\"https://tailscale.com/docs/reference/examples/acls\">Example ACL policies</a></li>\n</ul>\n<h2><a href=\"https://tailscale.com/docs/features/access-control#tailscale-ssh\">Tailscale SSH</a></h2>\n<p>Tailscale SSH integrates with the access control system to provide secure SSH access between devices in your tailnet. Instead of managing SSH keys, Tailscale SSH leverages your tailnet's identity system to authenticate and authorize connections based on the rules defined in your tailnet policy file.</p>\n<p><a href=\"https://tailscale.com/docs/features/tailscale-ssh\">Explore Tailscale SSH</a>.</p>\n<p><img src=\"https://cdn.brandfetch.io/tailscale.com/fallback/lettermark/theme/dark/h/256/w/256/icon?c=1bfwsmEH20zzEfSNTed\" alt=\"Project Logo\"></p>\n<p>Ask AI</p>\n<p>reCAPTCHA</p>\n<p>Recaptcha requires verification.</p>\n<p>protected by <strong>reCAPTCHA</strong></p>\n"}