{"slug":"set-up-admin-access","title":"Set up admin access","tags":["tailscale","access-control","admin"],"agent_summary":"Last validated: Apr 9, 2026","trigger_phrases":[],"runnable":false,"markdown":"\r\n# Set up admin access\r\n\r\nLast validated: Apr 9, 2026\r\n\r\nAperture by Tailscaleis currently [in alpha](https://tailscale.com/docs/reference/tailscale-release-stages#alpha).\r\n\r\nNew Aperture instances grant admin access to everyone by default. Before your team starts using Aperture, restrict admin access to specific users so that only designated administrators can edit settings and view data for all users.\r\n\r\nAdmins can:\r\n\r\n- Edit the [Aperture configuration](https://tailscale.com/docs/aperture/configuration) from the **Settings** page of the Aperture dashboard.\r\n- View dashboards, session logs, and usage data for all users.\r\n- Access all quota buckets and refill them through the API.\r\n- Access the `/metrics` Prometheus endpoint (when `read_metrics` is granted).\r\n\r\nStandard users can only view their own dashboard and usage data.\r\n\r\n## [Prerequisites](https://tailscale.com/docs/aperture/how-to/set-up-admin-access\\#prerequisites)\r\n\r\nBefore you begin, ensure you have the following:\r\n\r\n- An [Aperture instance](https://tailscale.com/docs/aperture/get-started) with at least one configured provider.\r\n- Access to the Aperture dashboard or your tailnet policy file.\r\n- Your Tailscale login name (for example, `alice@example.com`).\r\n\r\n## [Restrict admin access](https://tailscale.com/docs/aperture/how-to/set-up-admin-access\\#restrict-admin-access)\r\n\r\nThe [default configuration](https://tailscale.com/docs/aperture/configuration#default-configuration) grants everyone the admin role using `\"src\": [\"*\"]`. Replace this with explicit admin grants for specific users.\r\n\r\nDo not remove the wildcard admin grant until you have added an explicit admin grant for yourself. Aperture prevents saves that would remove the saving user's admin access, but editing the configuration directly (outside the web interface) does not have this safeguard.\r\n\r\n1. Open the **Settings** page of the Aperture dashboard.\r\n2. Find the grant with `{ \"role\": \"admin\" }` and `\"src\": [\"*\"]`.\r\n3. Replace `\"*\"` with the Tailscale login names of your administrators.\r\n\r\nThe following example grants admin access to two specific users:\r\n\r\n```json\r\n{\r\n  \"grants\": [\\\r\n    {\\\r\n      \"src\": [\"alice@example.com\", \"bob@example.com\"],\\\r\n      \"app\": {\\\r\n        \"tailscale.com/cap/aperture\": [\\\r\n          { \"role\": \"admin\" }\\\r\n        ]\\\r\n      }\\\r\n    },\\\r\n    {\\\r\n      \"src\": [\"*\"],\\\r\n      \"app\": {\\\r\n        \"tailscale.com/cap/aperture\": [\\\r\n          { \"role\": \"user\" }\\\r\n        ]\\\r\n      }\\\r\n    }\\\r\n  ]\r\n}\r\n```\r\n\r\nThis configuration gives `alice@example.com` and `bob@example.com` admin access, while all other users get standard user access. Admin access takes precedence when a user matches both grants, so Alice and Bob receive admin-level permissions.\r\n\r\n### [Use the tailnet policy file](https://tailscale.com/docs/aperture/how-to/set-up-admin-access\\#use-the-tailnet-policy-file)\r\n\r\nFor organizations that manage access through Tailscale, you can assign admin roles using groups in the tailnet policy file. This approach is recommended because it lets you use Tailscale groups and device postures.\r\n\r\n```json\r\n{\r\n  \"grants\": [\\\r\n    {\\\r\n      \"src\": [\"group:aperture-admins\"],\\\r\n      \"dst\": [\"tag:aperture\"],\\\r\n      \"app\": {\\\r\n        \"tailscale.com/cap/aperture\": [\\\r\n          { \"role\": \"admin\" }\\\r\n        ]\\\r\n      }\\\r\n    },\\\r\n    {\\\r\n      \"src\": [\"group:ai-users\"],\\\r\n      \"dst\": [\"tag:aperture\"],\\\r\n      \"app\": {\\\r\n        \"tailscale.com/cap/aperture\": [\\\r\n          { \"role\": \"user\" }\\\r\n        ]\\\r\n      }\\\r\n    }\\\r\n  ]\r\n}\r\n```\r\n\r\nAperture merges grants from the tailnet policy file and the Aperture configuration additively. Roles escalate (from user to admin) but never downgrade. Refer to the [grants configuration reference](https://tailscale.com/docs/aperture/configuration#grants) for the full syntax.\r\n\r\n## [Verify admin access](https://tailscale.com/docs/aperture/how-to/set-up-admin-access\\#verify-admin-access)\r\n\r\nAfter restricting admin access, verify the configuration is correct:\r\n\r\n1. Open the **Settings** page. If you can view and edit the configuration, your admin access is working.\r\n2. Sign in from a non-admin device or have a non-admin user confirm they cannot access the **Settings** page.\r\n\r\n## [Next steps](https://tailscale.com/docs/aperture/how-to/set-up-admin-access\\#next-steps)\r\n\r\n- [Control model access](https://tailscale.com/docs/aperture/how-to/grant-model-access) to define which models each user or group can use.\r\n- [Set per-user spending limits](https://tailscale.com/docs/aperture/how-to/set-per-user-spending-limits) to manage costs.\r\n- Refer to the [Aperture dashboard reference](https://tailscale.com/docs/aperture/reference/dashboard) for details on each admin-accessible page.\r\n\r\n![Project Logo](https://cdn.brandfetch.io/tailscale.com/fallback/lettermark/theme/dark/h/256/w/256/icon?c=1bfwsmEH20zzEfSNTed)\r\n\r\nAsk AI\r\n\r\nreCAPTCHA\r\n\r\nRecaptcha requires verification.\r\n\r\nprotected by **reCAPTCHA**\r\n","html":"<h1>Set up admin access</h1>\n<p>Last validated: Apr 9, 2026</p>\n<p>Aperture by Tailscaleis currently <a href=\"https://tailscale.com/docs/reference/tailscale-release-stages#alpha\">in alpha</a>.</p>\n<p>New Aperture instances grant admin access to everyone by default. Before your team starts using Aperture, restrict admin access to specific users so that only designated administrators can edit settings and view data for all users.</p>\n<p>Admins can:</p>\n<ul>\n<li>Edit the <a href=\"https://tailscale.com/docs/aperture/configuration\">Aperture configuration</a> from the <strong>Settings</strong> page of the Aperture dashboard.</li>\n<li>View dashboards, session logs, and usage data for all users.</li>\n<li>Access all quota buckets and refill them through the API.</li>\n<li>Access the <code>/metrics</code> Prometheus endpoint (when <code>read_metrics</code> is granted).</li>\n</ul>\n<p>Standard users can only view their own dashboard and usage data.</p>\n<h2><a href=\"https://tailscale.com/docs/aperture/how-to/set-up-admin-access#prerequisites\">Prerequisites</a></h2>\n<p>Before you begin, ensure you have the following:</p>\n<ul>\n<li>An <a href=\"https://tailscale.com/docs/aperture/get-started\">Aperture instance</a> with at least one configured provider.</li>\n<li>Access to the Aperture dashboard or your tailnet policy file.</li>\n<li>Your Tailscale login name (for example, <code>alice@example.com</code>).</li>\n</ul>\n<h2><a href=\"https://tailscale.com/docs/aperture/how-to/set-up-admin-access#restrict-admin-access\">Restrict admin access</a></h2>\n<p>The <a href=\"https://tailscale.com/docs/aperture/configuration#default-configuration\">default configuration</a> grants everyone the admin role using <code>\"src\": [\"*\"]</code>. Replace this with explicit admin grants for specific users.</p>\n<p>Do not remove the wildcard admin grant until you have added an explicit admin grant for yourself. Aperture prevents saves that would remove the saving user's admin access, but editing the configuration directly (outside the web interface) does not have this safeguard.</p>\n<ol>\n<li>Open the <strong>Settings</strong> page of the Aperture dashboard.</li>\n<li>Find the grant with <code>{ \"role\": \"admin\" }</code> and <code>\"src\": [\"*\"]</code>.</li>\n<li>Replace <code>\"*\"</code> with the Tailscale login names of your administrators.</li>\n</ol>\n<p>The following example grants admin access to two specific users:</p>\n<pre><code class=\"language-json\">{\r\n  \"grants\": [\\\r\n    {\\\r\n      \"src\": [\"alice@example.com\", \"bob@example.com\"],\\\r\n      \"app\": {\\\r\n        \"tailscale.com/cap/aperture\": [\\\r\n          { \"role\": \"admin\" }\\\r\n        ]\\\r\n      }\\\r\n    },\\\r\n    {\\\r\n      \"src\": [\"*\"],\\\r\n      \"app\": {\\\r\n        \"tailscale.com/cap/aperture\": [\\\r\n          { \"role\": \"user\" }\\\r\n        ]\\\r\n      }\\\r\n    }\\\r\n  ]\r\n}\n</code></pre>\n<p>This configuration gives <code>alice@example.com</code> and <code>bob@example.com</code> admin access, while all other users get standard user access. Admin access takes precedence when a user matches both grants, so Alice and Bob receive admin-level permissions.</p>\n<h3><a href=\"https://tailscale.com/docs/aperture/how-to/set-up-admin-access#use-the-tailnet-policy-file\">Use the tailnet policy file</a></h3>\n<p>For organizations that manage access through Tailscale, you can assign admin roles using groups in the tailnet policy file. This approach is recommended because it lets you use Tailscale groups and device postures.</p>\n<pre><code class=\"language-json\">{\r\n  \"grants\": [\\\r\n    {\\\r\n      \"src\": [\"group:aperture-admins\"],\\\r\n      \"dst\": [\"tag:aperture\"],\\\r\n      \"app\": {\\\r\n        \"tailscale.com/cap/aperture\": [\\\r\n          { \"role\": \"admin\" }\\\r\n        ]\\\r\n      }\\\r\n    },\\\r\n    {\\\r\n      \"src\": [\"group:ai-users\"],\\\r\n      \"dst\": [\"tag:aperture\"],\\\r\n      \"app\": {\\\r\n        \"tailscale.com/cap/aperture\": [\\\r\n          { \"role\": \"user\" }\\\r\n        ]\\\r\n      }\\\r\n    }\\\r\n  ]\r\n}\n</code></pre>\n<p>Aperture merges grants from the tailnet policy file and the Aperture configuration additively. Roles escalate (from user to admin) but never downgrade. Refer to the <a href=\"https://tailscale.com/docs/aperture/configuration#grants\">grants configuration reference</a> for the full syntax.</p>\n<h2><a href=\"https://tailscale.com/docs/aperture/how-to/set-up-admin-access#verify-admin-access\">Verify admin access</a></h2>\n<p>After restricting admin access, verify the configuration is correct:</p>\n<ol>\n<li>Open the <strong>Settings</strong> page. If you can view and edit the configuration, your admin access is working.</li>\n<li>Sign in from a non-admin device or have a non-admin user confirm they cannot access the <strong>Settings</strong> page.</li>\n</ol>\n<h2><a href=\"https://tailscale.com/docs/aperture/how-to/set-up-admin-access#next-steps\">Next steps</a></h2>\n<ul>\n<li><a href=\"https://tailscale.com/docs/aperture/how-to/grant-model-access\">Control model access</a> to define which models each user or group can use.</li>\n<li><a href=\"https://tailscale.com/docs/aperture/how-to/set-per-user-spending-limits\">Set per-user spending limits</a> to manage costs.</li>\n<li>Refer to the <a href=\"https://tailscale.com/docs/aperture/reference/dashboard\">Aperture dashboard reference</a> for details on each admin-accessible page.</li>\n</ul>\n<p><img src=\"https://cdn.brandfetch.io/tailscale.com/fallback/lettermark/theme/dark/h/256/w/256/icon?c=1bfwsmEH20zzEfSNTed\" alt=\"Project Logo\"></p>\n<p>Ask AI</p>\n<p>reCAPTCHA</p>\n<p>Recaptcha requires verification.</p>\n<p>protected by <strong>reCAPTCHA</strong></p>\n"}