{"slug":"jit-access-with-conductorone","title":"JIT access with ConductorOne","tags":["tailscale","access-control"],"agent_summary":"Last validated: Jan 5, 2026","trigger_phrases":[],"runnable":false,"markdown":"\r\n# JIT access with ConductorOne\r\n\r\nLast validated: Jan 5, 2026\r\n\r\n[ConductorOne](https://www.conductorone.com/) is a security platform that lets you manage access requests for your Tailscale entitlements.\r\n\r\nOn-demand access to Tailscale resources can be provisioned using ConductorOne. This works by adding and removing members from [groups](https://tailscale.com/docs/reference/syntax/policy-file#groups), [access rules](https://tailscale.com/docs/reference/syntax/policy-file#acls), and [SSH access rules](https://tailscale.com/docs/reference/syntax/policy-file#ssh) defined in Tailscale [access control policies](https://tailscale.com/docs/features/access-control).\r\n\r\nYou can use ConductorOne with [user & group provisioning](https://tailscale.com/docs/features/user-group-provisioning) to update [SCIM-integrated](https://tailscale.com/learn/what-is-scim) group membership in groups used in\r\nTailscale access control policies. Likewise, you can use ConductorOne to assign a user to the Tailscale application, with the user synced through SCIM to your Tailscale network.\r\n\r\nYou can connect multiple tailnets to ConductorOne simultaneously.\r\n\r\n## [Prerequisites](https://tailscale.com/docs/integrations/jit-conductorone\\#prerequisites)\r\n\r\nBefore you begin this guide, you'll need a tailnet and a ConductorOne account.\r\n\r\n- For information about creating a tailnet, refer to the [Tailscale quickstart](https://tailscale.com/docs/how-to/quickstart).\r\n\r\n- For information about creating a ConductorOne account, refer to [ConductorOne](https://www.conductorone.com/).\r\n\r\n\r\n## [Integration](https://tailscale.com/docs/integrations/jit-conductorone\\#integration)\r\n\r\nReview the full instructions in ConductorOne's [blog post](https://www.conductorone.com/blog/implementing-least-privilege-access-tailscale-conductorone) for setting up an integration with Tailscale.\r\n\r\nTo use ConductorOne with Tailscale, you'll need to:\r\n\r\n1. Generate a Tailscale [API access token](https://tailscale.com/docs/reference/tailscale-api) from the [Keys](https://login.tailscale.com/admin/settings/keys) page of the admin console.\r\n2. In ConductorOne, select the **Tailscale** integration and then select **Add Connector**.\r\n1. Choose the option to **Create a new app**.\r\n2. Set the **Tailscale API key** to the Tailscale API access token you generated.\r\n3. Set the **Tailnet** to your tailnet ID. You can find your tailnet ID in the [General](https://login.tailscale.com/admin/settings/general) page of the admin console.\r\n\r\nConductorOne will automatically identify all the users in the tailnet and parse existing [access rules](https://tailscale.com/docs/reference/syntax/policy-file#acls) in Tailscale\r\naccess control policies, including [SSH access rules](https://tailscale.com/docs/reference/syntax/policy-file#ssh), as entitlements in ConductorOne. The application owner in ConductorOne can specify for each\r\nentitlement, such as group membership or another SSH access rule, whether to restrict access by time, and whether to\r\nuse the default application grant policy.\r\n\r\nNow a user can request access to a specific Tailscale entitlement through the **Request access** page of ConductorOne and through Slack. ConductorOne will update the [tailnet policy file](https://tailscale.com/docs/features/tailnet-policy-file) to allow the temporary access.\r\n\r\n![Project Logo](https://cdn.brandfetch.io/tailscale.com/fallback/lettermark/theme/dark/h/256/w/256/icon?c=1bfwsmEH20zzEfSNTed)\r\n\r\nAsk AI\r\n\r\nreCAPTCHA\r\n\r\nRecaptcha requires verification.\r\n\r\nprotected by **reCAPTCHA**\r\n","html":"<h1>JIT access with ConductorOne</h1>\n<p>Last validated: Jan 5, 2026</p>\n<p><a href=\"https://www.conductorone.com/\">ConductorOne</a> is a security platform that lets you manage access requests for your Tailscale entitlements.</p>\n<p>On-demand access to Tailscale resources can be provisioned using ConductorOne. This works by adding and removing members from <a href=\"https://tailscale.com/docs/reference/syntax/policy-file#groups\">groups</a>, <a href=\"https://tailscale.com/docs/reference/syntax/policy-file#acls\">access rules</a>, and <a href=\"https://tailscale.com/docs/reference/syntax/policy-file#ssh\">SSH access rules</a> defined in Tailscale <a href=\"https://tailscale.com/docs/features/access-control\">access control policies</a>.</p>\n<p>You can use ConductorOne with <a href=\"https://tailscale.com/docs/features/user-group-provisioning\">user &#x26; group provisioning</a> to update <a href=\"https://tailscale.com/learn/what-is-scim\">SCIM-integrated</a> group membership in groups used in\r\nTailscale access control policies. Likewise, you can use ConductorOne to assign a user to the Tailscale application, with the user synced through SCIM to your Tailscale network.</p>\n<p>You can connect multiple tailnets to ConductorOne simultaneously.</p>\n<h2><a href=\"https://tailscale.com/docs/integrations/jit-conductorone#prerequisites\">Prerequisites</a></h2>\n<p>Before you begin this guide, you'll need a tailnet and a ConductorOne account.</p>\n<ul>\n<li>\n<p>For information about creating a tailnet, refer to the <a href=\"https://tailscale.com/docs/how-to/quickstart\">Tailscale quickstart</a>.</p>\n</li>\n<li>\n<p>For information about creating a ConductorOne account, refer to <a href=\"https://www.conductorone.com/\">ConductorOne</a>.</p>\n</li>\n</ul>\n<h2><a href=\"https://tailscale.com/docs/integrations/jit-conductorone#integration\">Integration</a></h2>\n<p>Review the full instructions in ConductorOne's <a href=\"https://www.conductorone.com/blog/implementing-least-privilege-access-tailscale-conductorone\">blog post</a> for setting up an integration with Tailscale.</p>\n<p>To use ConductorOne with Tailscale, you'll need to:</p>\n<ol>\n<li>Generate a Tailscale <a href=\"https://tailscale.com/docs/reference/tailscale-api\">API access token</a> from the <a href=\"https://login.tailscale.com/admin/settings/keys\">Keys</a> page of the admin console.</li>\n<li>In ConductorOne, select the <strong>Tailscale</strong> integration and then select <strong>Add Connector</strong>.</li>\n<li>Choose the option to <strong>Create a new app</strong>.</li>\n<li>Set the <strong>Tailscale API key</strong> to the Tailscale API access token you generated.</li>\n<li>Set the <strong>Tailnet</strong> to your tailnet ID. You can find your tailnet ID in the <a href=\"https://login.tailscale.com/admin/settings/general\">General</a> page of the admin console.</li>\n</ol>\n<p>ConductorOne will automatically identify all the users in the tailnet and parse existing <a href=\"https://tailscale.com/docs/reference/syntax/policy-file#acls\">access rules</a> in Tailscale\r\naccess control policies, including <a href=\"https://tailscale.com/docs/reference/syntax/policy-file#ssh\">SSH access rules</a>, as entitlements in ConductorOne. The application owner in ConductorOne can specify for each\r\nentitlement, such as group membership or another SSH access rule, whether to restrict access by time, and whether to\r\nuse the default application grant policy.</p>\n<p>Now a user can request access to a specific Tailscale entitlement through the <strong>Request access</strong> page of ConductorOne and through Slack. ConductorOne will update the <a href=\"https://tailscale.com/docs/features/tailnet-policy-file\">tailnet policy file</a> to allow the temporary access.</p>\n<p><img src=\"https://cdn.brandfetch.io/tailscale.com/fallback/lettermark/theme/dark/h/256/w/256/icon?c=1bfwsmEH20zzEfSNTed\" alt=\"Project Logo\"></p>\n<p>Ask AI</p>\n<p>reCAPTCHA</p>\n<p>Recaptcha requires verification.</p>\n<p>protected by <strong>reCAPTCHA</strong></p>\n"}