{"slug":"edit-access-control-policies-in-your-tailnet-policy-file","title":"Edit access control policies in your tailnet policy file","tags":["tailscale","access-control","file-sharing"],"agent_summary":"Last validated: Mar 13, 2026","trigger_phrases":[],"runnable":false,"markdown":"\r\n# Edit access control policies in your tailnet policy file\r\n\r\nLast validated: Mar 13, 2026\r\n\r\nYou can edit [access control policies](https://tailscale.com/docs/features/access-control/acls) in your [tailnet policy file](https://tailscale.com/docs/reference/glossary#tailnet-policy-file) by using the [Access controls](https://login.tailscale.com/admin/acls) page of the admin console, [GitOps for Tailscale](https://tailscale.com/docs/gitops), or the [Tailscale API](https://tailscale.com/docs/reference/tailscale-api). Refer to [tailnet policy syntax](https://tailscale.com/docs/reference/syntax/policy-file).\r\n\r\nYou must be an [Owner, Admin, or Network admin](https://tailscale.com/docs/reference/user-roles) to edit the tailnet policy file.\r\n\r\n## [Convert ACLs to grants](https://tailscale.com/docs/features/tailnet-policy-file/manage-tailnet-policies\\#convert-acls-to-grants)\r\n\r\nThe JSON editor includes a **Convert to grants** button that automatically converts the entire `acls` section in your tailnet policy file to equivalent [grants](https://tailscale.com/docs/features/access-control/grants). The button is always visible but is disabled when there is no `acls` section present. Refer to [Migrate from ACLs to grants](https://tailscale.com/docs/reference/migrate-acls-grants) for more information.\r\n\r\n## [Preview changes](https://tailscale.com/docs/features/tailnet-policy-file/manage-tailnet-policies\\#preview-changes)\r\n\r\nYou can preview user permissions while editing the access control policies in the tailnet policy file.\r\n\r\n1. Go to the [Access controls](https://login.tailscale.com/admin/acls) page of the admin console.\r\n2. Open the **Preview rules** tab.\r\n3. Select a user to access a list of destinations (one per line) accessible to the specified user.\r\n\r\nThe list also shows the line number that defines that rule and any other users or groups that can access that destination (due to that rule).\r\n\r\nYou can also define [access control policy tests](https://tailscale.com/docs/reference/syntax/policy-file#tests) to ensure changes don't accidentally remove access to an important system or unintentionally allow access to resources.\r\n\r\n## [Debug access control policies](https://tailscale.com/docs/features/tailnet-policy-file/manage-tailnet-policies\\#debug-access-control-policies)\r\n\r\nYou can use the [`tailscale ping` command](https://tailscale.com/docs/reference/tailscale-cli#ping) to debug access control policies by testing the connections between devices. The `tailscale ping` supports TSMP pings and ICMP pings.\r\n\r\nTSMP pings check whether two devices can establish a network connection but stop before the access control policy check. Use `tailscale ping --tsmp` to send a TSMP ping.\r\n\r\n```shell\r\ntailscale ping --tsmp\r\n```\r\n\r\nICMP pings check the end-to-end connectivity between devices, including access control policies. Use `tailscale ping --icmp` or regular `ping` to send an ICMP ping.\r\n\r\n```shell\r\ntailscale ping\r\n```\r\n\r\nIf TSMP ping succeeds, but ICMP ping fails, connections between devices are likely blocked by access control policies. If TSMP ping fails, devices cannot establish a network connection, even though access control policies might allow connections. If both TSMP and ICMP pings succeed, but connections still fail, check the port numbers in your access control policies and services you are trying to connect to.\r\n\r\nIn addition to manual testing, you can create built-in access control policy [tests](https://tailscale.com/docs/reference/syntax/policy-file#tests) to ensure that specific connections are allowed and prevent access control policy changes from accidentally breaking these connections.\r\n\r\n## [Revert changes](https://tailscale.com/docs/features/tailnet-policy-file/manage-tailnet-policies\\#revert-changes)\r\n\r\nYou can revert your [tailnet policy file](https://tailscale.com/docs/reference/glossary#tailnet-policy-file) to a previous date and time from the [Configuration logs](https://login.tailscale.com/admin/logs) page of the admin console. Refer to [Reverting access control policies from audit logs](https://tailscale.com/docs/features/logging/audit-logging#reverting-acls-from-audit-logs) for instructions.\r\n\r\nYou cannot revert the tailnet policy file if you are using [GitOps for Tailscale](https://tailscale.com/docs/gitops).\r\n\r\n![Project Logo](https://cdn.brandfetch.io/tailscale.com/fallback/lettermark/theme/dark/h/256/w/256/icon?c=1bfwsmEH20zzEfSNTed)\r\n\r\nAsk AI\r\n\r\nreCAPTCHA\r\n\r\nRecaptcha requires verification.\r\n\r\nprotected by **reCAPTCHA**\r\n","html":"<h1>Edit access control policies in your tailnet policy file</h1>\n<p>Last validated: Mar 13, 2026</p>\n<p>You can edit <a href=\"https://tailscale.com/docs/features/access-control/acls\">access control policies</a> in your <a href=\"https://tailscale.com/docs/reference/glossary#tailnet-policy-file\">tailnet policy file</a> by using the <a href=\"https://login.tailscale.com/admin/acls\">Access controls</a> page of the admin console, <a href=\"https://tailscale.com/docs/gitops\">GitOps for Tailscale</a>, or the <a href=\"https://tailscale.com/docs/reference/tailscale-api\">Tailscale API</a>. Refer to <a href=\"https://tailscale.com/docs/reference/syntax/policy-file\">tailnet policy syntax</a>.</p>\n<p>You must be an <a href=\"https://tailscale.com/docs/reference/user-roles\">Owner, Admin, or Network admin</a> to edit the tailnet policy file.</p>\n<h2><a href=\"https://tailscale.com/docs/features/tailnet-policy-file/manage-tailnet-policies#convert-acls-to-grants\">Convert ACLs to grants</a></h2>\n<p>The JSON editor includes a <strong>Convert to grants</strong> button that automatically converts the entire <code>acls</code> section in your tailnet policy file to equivalent <a href=\"https://tailscale.com/docs/features/access-control/grants\">grants</a>. The button is always visible but is disabled when there is no <code>acls</code> section present. Refer to <a href=\"https://tailscale.com/docs/reference/migrate-acls-grants\">Migrate from ACLs to grants</a> for more information.</p>\n<h2><a href=\"https://tailscale.com/docs/features/tailnet-policy-file/manage-tailnet-policies#preview-changes\">Preview changes</a></h2>\n<p>You can preview user permissions while editing the access control policies in the tailnet policy file.</p>\n<ol>\n<li>Go to the <a href=\"https://login.tailscale.com/admin/acls\">Access controls</a> page of the admin console.</li>\n<li>Open the <strong>Preview rules</strong> tab.</li>\n<li>Select a user to access a list of destinations (one per line) accessible to the specified user.</li>\n</ol>\n<p>The list also shows the line number that defines that rule and any other users or groups that can access that destination (due to that rule).</p>\n<p>You can also define <a href=\"https://tailscale.com/docs/reference/syntax/policy-file#tests\">access control policy tests</a> to ensure changes don't accidentally remove access to an important system or unintentionally allow access to resources.</p>\n<h2><a href=\"https://tailscale.com/docs/features/tailnet-policy-file/manage-tailnet-policies#debug-access-control-policies\">Debug access control policies</a></h2>\n<p>You can use the <a href=\"https://tailscale.com/docs/reference/tailscale-cli#ping\"><code>tailscale ping</code> command</a> to debug access control policies by testing the connections between devices. The <code>tailscale ping</code> supports TSMP pings and ICMP pings.</p>\n<p>TSMP pings check whether two devices can establish a network connection but stop before the access control policy check. Use <code>tailscale ping --tsmp</code> to send a TSMP ping.</p>\n<pre><code class=\"language-shell\">tailscale ping --tsmp\n</code></pre>\n<p>ICMP pings check the end-to-end connectivity between devices, including access control policies. Use <code>tailscale ping --icmp</code> or regular <code>ping</code> to send an ICMP ping.</p>\n<pre><code class=\"language-shell\">tailscale ping\n</code></pre>\n<p>If TSMP ping succeeds, but ICMP ping fails, connections between devices are likely blocked by access control policies. If TSMP ping fails, devices cannot establish a network connection, even though access control policies might allow connections. If both TSMP and ICMP pings succeed, but connections still fail, check the port numbers in your access control policies and services you are trying to connect to.</p>\n<p>In addition to manual testing, you can create built-in access control policy <a href=\"https://tailscale.com/docs/reference/syntax/policy-file#tests\">tests</a> to ensure that specific connections are allowed and prevent access control policy changes from accidentally breaking these connections.</p>\n<h2><a href=\"https://tailscale.com/docs/features/tailnet-policy-file/manage-tailnet-policies#revert-changes\">Revert changes</a></h2>\n<p>You can revert your <a href=\"https://tailscale.com/docs/reference/glossary#tailnet-policy-file\">tailnet policy file</a> to a previous date and time from the <a href=\"https://login.tailscale.com/admin/logs\">Configuration logs</a> page of the admin console. Refer to <a href=\"https://tailscale.com/docs/features/logging/audit-logging#reverting-acls-from-audit-logs\">Reverting access control policies from audit logs</a> for instructions.</p>\n<p>You cannot revert the tailnet policy file if you are using <a href=\"https://tailscale.com/docs/gitops\">GitOps for Tailscale</a>.</p>\n<p><img src=\"https://cdn.brandfetch.io/tailscale.com/fallback/lettermark/theme/dark/h/256/w/256/icon?c=1bfwsmEH20zzEfSNTed\" alt=\"Project Logo\"></p>\n<p>Ask AI</p>\n<p>reCAPTCHA</p>\n<p>Recaptcha requires verification.</p>\n<p>protected by <strong>reCAPTCHA</strong></p>\n"}