{"slug":"grants","title":"Grants","tags":["tailscale","access-control"],"agent_summary":"Last validated: May 29, 2025","trigger_phrases":[],"runnable":false,"markdown":"\r\n# Grants\r\n\r\nLast validated: May 29, 2025\r\n\r\nGrants are Tailscale's enhanced [access control](https://tailscale.com/docs/features/access-control) system that combines [network layer](https://tailscale.com/docs/features/access-control/grants#network-capabilities) and [application layer](https://tailscale.com/docs/features/access-control/grants#application-capabilities) permissions into a unified framework. Grants let you precisely define what resources each user or device can access and which actions they can perform after connecting. They follow Tailscale's deny-by-default approach, aligned with [zero trust](https://tailscale.com/docs/concepts/zero-trust) and [least privilege](https://tailscale.com/learn/principle-of-least-privilege) principles.\r\n\r\nGrants can do everything ACLs can, plus they facilitate application-level permissions and route filtering. Refer to [grants vs. ACLs](https://tailscale.com/docs/reference/grants-vs-acls).\r\n\r\nReady to get started? Check out the [get started guide](https://tailscale.com/docs/how-to/quickstart) or, if you've been using ACLs, the [migration guide](https://tailscale.com/docs/reference/migrate-acls-grants).\r\n\r\n## [Benefits and use cases](https://tailscale.com/docs/features/access-control/grants\\#benefits-and-use-cases)\r\n\r\nGrants offer significant advantages over traditional access control methods by unifying network and application permissions in a single system. This consolidated approach reduces complexity and provides a more consistent security model across your entire tailnet. With grants, you can:\r\n\r\n- Define the hosts a device can connect to and the permissions it holds with applications running on the hosts after it connects.\r\n- Implement fine-grained permissions based on [user roles](https://tailscale.com/docs/reference/user-roles), [device posture](https://tailscale.com/docs/features/device-posture), and other contextual factors.\r\n- Extend access control policies by using [routing awareness with `via`](https://tailscale.com/docs/features/access-control/grants/grants-via).\r\n\r\nExplore the collection of [example grants](https://tailscale.com/docs/reference/examples/grants) for common use cases.\r\n\r\n## [Implementation basics](https://tailscale.com/docs/features/access-control/grants\\#implementation-basics)\r\n\r\nGrants operate on a principle of explicitly defining which users or devices (sources) have access to which resources (destinations) along with what capabilities they have after connecting. Each grant consists of three core components:\r\n\r\n- Source: The users or devices requesting access.\r\n- Destination: The resources being accessed.\r\n- Capabilities: The permissions granted to the source when accessing the destination. These are grouped by [network capabilities](https://tailscale.com/docs/features/access-control/grants#network-capabilities) (the `ip` field) and [application capabilities](https://tailscale.com/docs/features/access-control/grants#application-capabilities) (the `app` field).\r\n\r\nWhen working with grants, you'll operate at two distinct layers: the network layer and the application layer. The network layer refers to IP addresses, ports, and protocols for connections between devices. The application layer refers to capabilities within applications themselves, such as which specific features or data sources a user can access. This dual-layer approach enables more comprehensive access control than network-only permissions.\r\n\r\nEach grant uses the [`grant` syntax](https://tailscale.com/docs/reference/syntax/grants) with a source (`src`), a destination (`dst`), and at least one type of permissions: network permissions (`ip`) or application permissions (`app`). You can extend this basic structure with additional options including [device posture](https://tailscale.com/docs/features/device-posture) checks (`srcPosture`) and routing specifications (`via`).\r\n\r\n## [Sources and destinations](https://tailscale.com/docs/features/access-control/grants\\#sources-and-destinations)\r\n\r\nSources (`src`) and destinations (`dst`) define who can access what in your tailnet. Both fields accept a wide range of selectors that identify users, devices, groups, or IP address ranges.\r\n\r\nYou can specify sources using selectors like:\r\n\r\n- Specific email addresses (`name@example.com`) for individual users.\r\n- [Groups](https://tailscale.com/docs/reference/targets-and-selectors#groups) (`group:engineering`) for user groups.\r\n- [Tags](https://tailscale.com/docs/features/tags) (`tag:database`) for device groups.\r\n- Roles (`autogroup:admin`) for administrative users.\r\n\r\nSimilarly, you can define destinations using the same types of [selectors](https://tailscale.com/docs/reference/targets-and-selectors), plus special selectors like `autogroup:internet` and `svc:web-server` (for [Tailscale Services](https://tailscale.com/docs/features/tailscale-services)).\r\n\r\nRefer to the [grants syntax reference](https://tailscale.com/docs/reference/syntax/grants) for more information.\r\n\r\n## [Network capabilities](https://tailscale.com/docs/features/access-control/grants\\#network-capabilities)\r\n\r\n[Network capabilities](https://tailscale.com/docs/features/access-control/grants#network-capabilities) control basic connectivity between devices in your tailnet. These permissions define whether devices can establish connections and what protocols and ports they can use.\r\n\r\nThe `ip` field in a grant specifies network layer capabilities, allowing you to define access at the protocol and port level. You can grant access to specific ports, port ranges, or entire protocols. For example, `\"ip\": [\"tcp:443\", \"udp:53\"]` grants access to TCP port `443` (HTTPS) and UDP port `53` (DNS) on the destination.\r\n\r\nRefer to the [grants syntax reference](https://tailscale.com/docs/reference/syntax/grants) for more information.\r\n\r\n## [Application capabilities](https://tailscale.com/docs/features/access-control/grants\\#application-capabilities)\r\n\r\n[Application layer capabilities](https://tailscale.com/docs/features/access-control/grants#application-capabilities) go beyond basic connectivity to define what actions you permit after a device establishes a connection. Applications running on the destination device can read these capabilities from requests made over the tailnet to authenticate and authorize the requester. These capabilities allow for fine-grained control over feature access within applications, similar to role-based access control systems.\r\n\r\nThe `app` field specifies application layer capabilities in the format `\"domainName/capabilityName\"`. For example, `\"tailscale.com/cap/tailsql\"` identifies capabilities for the [TailSQL](https://github.com/tailscale/tailsql) application. Each capability can include parameters that define specific permissions, such as which data sources the device can access or what operations to permit. This approach extends [zero trust principles](https://tailscale.com/docs/concepts/zero-trust) to the application layer, enforcing the principle of least privilege for connected applications.\r\n\r\nRefer to the [grants syntax reference](https://tailscale.com/docs/reference/syntax/grants) for more information.\r\n\r\n## [Limitations and considerations](https://tailscale.com/docs/features/access-control/grants\\#limitations-and-considerations)\r\n\r\nWhile grants provide powerful access control capabilities, there are some important considerations to keep in mind:\r\n\r\n- [Application layer capabilities](https://tailscale.com/docs/features/access-control/grants/grants-app-capabilities) are defined by the applications themselves, not by Tailscale. Each application is responsible for documenting its own capabilities and parameters, and for implementing the logic to react to application capabilities defined in grants\r\n- The Tailscale policy engine treats application capability parameters as opaque JSON objects. It only validates that the application capability object is valid JSON and does not do any validation on the parameter content itself.\r\n- [Device posture](https://tailscale.com/docs/features/device-posture) checks only apply to the source (`src`) of a grant, not to the destination (`dst`).\r\n- Grants and [legacy ACLs](https://tailscale.com/docs/features/access-control/acls) can coexist in the same tailnet policy file. The recommended best practice is to favor grants for most use cases.\r\n\r\nFor more information, refer to [grants limitations and considerations](https://tailscale.com/docs/features/access-control/grants/grants-app-capabilities).\r\n\r\n## [Next steps](https://tailscale.com/docs/features/access-control/grants\\#next-steps)\r\n\r\nNot sure what to do next? Consider the following possibilities:\r\n\r\n- Review your current access control model and identify opportunities to [migrate to more fine-grained permissions with grants](https://tailscale.com/docs/reference/migrate-acls-grants).\r\n- Experiment with [creating a grant](https://tailscale.com/docs/reference/syntax/grants).\r\n- Explore the collection of [example grants](https://tailscale.com/docs/reference/examples/grants).\r\n- Refer to the [tailnet policy file documentation](https://tailscale.com/docs/features/tailnet-policy-file) to understand integrating grants with other policy components.\r\n- Explore integrating grants with [device posture](https://tailscale.com/docs/features/device-posture) checking for context-aware access policies or adding routing awareness with [`via`](https://tailscale.com/docs/features/access-control/grants/grants-via).\r\n- Consider implementing [GitOps workflows](https://tailscale.com/docs/gitops) for managing your tailnet policy file.\r\n\r\n![Project Logo](https://cdn.brandfetch.io/tailscale.com/fallback/lettermark/theme/dark/h/256/w/256/icon?c=1bfwsmEH20zzEfSNTed)\r\n\r\nAsk AI\r\n\r\nreCAPTCHA\r\n\r\nRecaptcha requires verification.\r\n\r\nprotected by **reCAPTCHA**\r\n","html":"<h1>Grants</h1>\n<p>Last validated: May 29, 2025</p>\n<p>Grants are Tailscale's enhanced <a href=\"https://tailscale.com/docs/features/access-control\">access control</a> system that combines <a href=\"https://tailscale.com/docs/features/access-control/grants#network-capabilities\">network layer</a> and <a href=\"https://tailscale.com/docs/features/access-control/grants#application-capabilities\">application layer</a> permissions into a unified framework. Grants let you precisely define what resources each user or device can access and which actions they can perform after connecting. They follow Tailscale's deny-by-default approach, aligned with <a href=\"https://tailscale.com/docs/concepts/zero-trust\">zero trust</a> and <a href=\"https://tailscale.com/learn/principle-of-least-privilege\">least privilege</a> principles.</p>\n<p>Grants can do everything ACLs can, plus they facilitate application-level permissions and route filtering. Refer to <a href=\"https://tailscale.com/docs/reference/grants-vs-acls\">grants vs. ACLs</a>.</p>\n<p>Ready to get started? Check out the <a href=\"https://tailscale.com/docs/how-to/quickstart\">get started guide</a> or, if you've been using ACLs, the <a href=\"https://tailscale.com/docs/reference/migrate-acls-grants\">migration guide</a>.</p>\n<h2><a href=\"https://tailscale.com/docs/features/access-control/grants#benefits-and-use-cases\">Benefits and use cases</a></h2>\n<p>Grants offer significant advantages over traditional access control methods by unifying network and application permissions in a single system. This consolidated approach reduces complexity and provides a more consistent security model across your entire tailnet. With grants, you can:</p>\n<ul>\n<li>Define the hosts a device can connect to and the permissions it holds with applications running on the hosts after it connects.</li>\n<li>Implement fine-grained permissions based on <a href=\"https://tailscale.com/docs/reference/user-roles\">user roles</a>, <a href=\"https://tailscale.com/docs/features/device-posture\">device posture</a>, and other contextual factors.</li>\n<li>Extend access control policies by using <a href=\"https://tailscale.com/docs/features/access-control/grants/grants-via\">routing awareness with <code>via</code></a>.</li>\n</ul>\n<p>Explore the collection of <a href=\"https://tailscale.com/docs/reference/examples/grants\">example grants</a> for common use cases.</p>\n<h2><a href=\"https://tailscale.com/docs/features/access-control/grants#implementation-basics\">Implementation basics</a></h2>\n<p>Grants operate on a principle of explicitly defining which users or devices (sources) have access to which resources (destinations) along with what capabilities they have after connecting. Each grant consists of three core components:</p>\n<ul>\n<li>Source: The users or devices requesting access.</li>\n<li>Destination: The resources being accessed.</li>\n<li>Capabilities: The permissions granted to the source when accessing the destination. These are grouped by <a href=\"https://tailscale.com/docs/features/access-control/grants#network-capabilities\">network capabilities</a> (the <code>ip</code> field) and <a href=\"https://tailscale.com/docs/features/access-control/grants#application-capabilities\">application capabilities</a> (the <code>app</code> field).</li>\n</ul>\n<p>When working with grants, you'll operate at two distinct layers: the network layer and the application layer. The network layer refers to IP addresses, ports, and protocols for connections between devices. The application layer refers to capabilities within applications themselves, such as which specific features or data sources a user can access. This dual-layer approach enables more comprehensive access control than network-only permissions.</p>\n<p>Each grant uses the <a href=\"https://tailscale.com/docs/reference/syntax/grants\"><code>grant</code> syntax</a> with a source (<code>src</code>), a destination (<code>dst</code>), and at least one type of permissions: network permissions (<code>ip</code>) or application permissions (<code>app</code>). You can extend this basic structure with additional options including <a href=\"https://tailscale.com/docs/features/device-posture\">device posture</a> checks (<code>srcPosture</code>) and routing specifications (<code>via</code>).</p>\n<h2><a href=\"https://tailscale.com/docs/features/access-control/grants#sources-and-destinations\">Sources and destinations</a></h2>\n<p>Sources (<code>src</code>) and destinations (<code>dst</code>) define who can access what in your tailnet. Both fields accept a wide range of selectors that identify users, devices, groups, or IP address ranges.</p>\n<p>You can specify sources using selectors like:</p>\n<ul>\n<li>Specific email addresses (<code>name@example.com</code>) for individual users.</li>\n<li><a href=\"https://tailscale.com/docs/reference/targets-and-selectors#groups\">Groups</a> (<code>group:engineering</code>) for user groups.</li>\n<li><a href=\"https://tailscale.com/docs/features/tags\">Tags</a> (<code>tag:database</code>) for device groups.</li>\n<li>Roles (<code>autogroup:admin</code>) for administrative users.</li>\n</ul>\n<p>Similarly, you can define destinations using the same types of <a href=\"https://tailscale.com/docs/reference/targets-and-selectors\">selectors</a>, plus special selectors like <code>autogroup:internet</code> and <code>svc:web-server</code> (for <a href=\"https://tailscale.com/docs/features/tailscale-services\">Tailscale Services</a>).</p>\n<p>Refer to the <a href=\"https://tailscale.com/docs/reference/syntax/grants\">grants syntax reference</a> for more information.</p>\n<h2><a href=\"https://tailscale.com/docs/features/access-control/grants#network-capabilities\">Network capabilities</a></h2>\n<p><a href=\"https://tailscale.com/docs/features/access-control/grants#network-capabilities\">Network capabilities</a> control basic connectivity between devices in your tailnet. These permissions define whether devices can establish connections and what protocols and ports they can use.</p>\n<p>The <code>ip</code> field in a grant specifies network layer capabilities, allowing you to define access at the protocol and port level. You can grant access to specific ports, port ranges, or entire protocols. For example, <code>\"ip\": [\"tcp:443\", \"udp:53\"]</code> grants access to TCP port <code>443</code> (HTTPS) and UDP port <code>53</code> (DNS) on the destination.</p>\n<p>Refer to the <a href=\"https://tailscale.com/docs/reference/syntax/grants\">grants syntax reference</a> for more information.</p>\n<h2><a href=\"https://tailscale.com/docs/features/access-control/grants#application-capabilities\">Application capabilities</a></h2>\n<p><a href=\"https://tailscale.com/docs/features/access-control/grants#application-capabilities\">Application layer capabilities</a> go beyond basic connectivity to define what actions you permit after a device establishes a connection. Applications running on the destination device can read these capabilities from requests made over the tailnet to authenticate and authorize the requester. These capabilities allow for fine-grained control over feature access within applications, similar to role-based access control systems.</p>\n<p>The <code>app</code> field specifies application layer capabilities in the format <code>\"domainName/capabilityName\"</code>. For example, <code>\"tailscale.com/cap/tailsql\"</code> identifies capabilities for the <a href=\"https://github.com/tailscale/tailsql\">TailSQL</a> application. Each capability can include parameters that define specific permissions, such as which data sources the device can access or what operations to permit. This approach extends <a href=\"https://tailscale.com/docs/concepts/zero-trust\">zero trust principles</a> to the application layer, enforcing the principle of least privilege for connected applications.</p>\n<p>Refer to the <a href=\"https://tailscale.com/docs/reference/syntax/grants\">grants syntax reference</a> for more information.</p>\n<h2><a href=\"https://tailscale.com/docs/features/access-control/grants#limitations-and-considerations\">Limitations and considerations</a></h2>\n<p>While grants provide powerful access control capabilities, there are some important considerations to keep in mind:</p>\n<ul>\n<li><a href=\"https://tailscale.com/docs/features/access-control/grants/grants-app-capabilities\">Application layer capabilities</a> are defined by the applications themselves, not by Tailscale. Each application is responsible for documenting its own capabilities and parameters, and for implementing the logic to react to application capabilities defined in grants</li>\n<li>The Tailscale policy engine treats application capability parameters as opaque JSON objects. It only validates that the application capability object is valid JSON and does not do any validation on the parameter content itself.</li>\n<li><a href=\"https://tailscale.com/docs/features/device-posture\">Device posture</a> checks only apply to the source (<code>src</code>) of a grant, not to the destination (<code>dst</code>).</li>\n<li>Grants and <a href=\"https://tailscale.com/docs/features/access-control/acls\">legacy ACLs</a> can coexist in the same tailnet policy file. The recommended best practice is to favor grants for most use cases.</li>\n</ul>\n<p>For more information, refer to <a href=\"https://tailscale.com/docs/features/access-control/grants/grants-app-capabilities\">grants limitations and considerations</a>.</p>\n<h2><a href=\"https://tailscale.com/docs/features/access-control/grants#next-steps\">Next steps</a></h2>\n<p>Not sure what to do next? Consider the following possibilities:</p>\n<ul>\n<li>Review your current access control model and identify opportunities to <a href=\"https://tailscale.com/docs/reference/migrate-acls-grants\">migrate to more fine-grained permissions with grants</a>.</li>\n<li>Experiment with <a href=\"https://tailscale.com/docs/reference/syntax/grants\">creating a grant</a>.</li>\n<li>Explore the collection of <a href=\"https://tailscale.com/docs/reference/examples/grants\">example grants</a>.</li>\n<li>Refer to the <a href=\"https://tailscale.com/docs/features/tailnet-policy-file\">tailnet policy file documentation</a> to understand integrating grants with other policy components.</li>\n<li>Explore integrating grants with <a href=\"https://tailscale.com/docs/features/device-posture\">device posture</a> checking for context-aware access policies or adding routing awareness with <a href=\"https://tailscale.com/docs/features/access-control/grants/grants-via\"><code>via</code></a>.</li>\n<li>Consider implementing <a href=\"https://tailscale.com/docs/gitops\">GitOps workflows</a> for managing your tailnet policy file.</li>\n</ul>\n<p><img src=\"https://cdn.brandfetch.io/tailscale.com/fallback/lettermark/theme/dark/h/256/w/256/icon?c=1bfwsmEH20zzEfSNTed\" alt=\"Project Logo\"></p>\n<p>Ask AI</p>\n<p>reCAPTCHA</p>\n<p>Recaptcha requires verification.</p>\n<p>protected by <strong>reCAPTCHA</strong></p>\n"}