{"slug":"tailnet-policy-file","title":"Tailnet policy file","tags":["tailscale","access-control","file-sharing"],"agent_summary":"Last validated: May 21, 2025","trigger_phrases":[],"runnable":false,"markdown":"\r\n# Tailnet policy file\r\n\r\nLast validated: May 21, 2025\r\n\r\nThe tailnet policy file is a centralized [human JSON (HuJSON)](https://github.com/tailscale/hujson) configuration file that stores parameters, policies, and settings for your Tailscale network (known as a tailnet). [Owners, Admins, and Network admins](https://tailscale.com/docs/reference/user-roles) can manage your tailnet policy file from the Tailscale admin console. You can also manage the tailnet policy file with [GitOps](https://tailscale.com/docs/gitops) using GitHub, GitLab, or Bitbucket.\r\n\r\nThe tailnet policy file is organized into multiple top-level [sections](https://tailscale.com/docs/features/tailnet-policy-file#sections), each offering different functionality. You can use the various sections of the tailnet policy file to:\r\n\r\n- Define named groupings of users, devices, and network segments with [tags](https://tailscale.com/docs/features/tags), [groups](https://tailscale.com/docs/reference/targets-and-selectors#groups), and [IP sets](https://tailscale.com/docs/features/tailnet-policy-file/ip-sets).\r\n- Define access control policies at the [network layer](https://tailscale.com/docs/concepts/tailscale-osi#network-layer) using [ACLs](https://tailscale.com/docs/features/access-control/acls).\r\n- Define access control policies at the [network layer](https://tailscale.com/docs/concepts/tailscale-osi#network-layer) and [application layer](https://tailscale.com/docs/concepts/tailscale-osi#application-layer) using [grants](https://tailscale.com/docs/features/access-control/grants).\r\n- Assign aliases to IP addresses and [subnets](https://tailscale.com/docs/features/subnet-routers) (using the `hosts` section).\r\n- Define [device posture](https://tailscale.com/docs/features/device-posture) rules.\r\n- Specify who can use [Tailscale SSH](https://tailscale.com/docs/features/tailscale-ssh).\r\n\r\n- Specify who can use which [tags](https://tailscale.com/docs/features/tags) to authenticate devices.\r\n- Specify who can bypass the approval process to advertise [subnet routers](https://tailscale.com/docs/features/subnet-routers) and [exit nodes](https://tailscale.com/docs/features/exit-nodes).\r\n- Apply additional attributes called [node attributes](https://tailscale.com/docs/reference/syntax/policy-file#node-attributes) to devices and users.\r\n- Write tests to make assertions about access policies ( [ACLs](https://tailscale.com/docs/features/access-control/acls) and [Tailscale SSH](https://tailscale.com/docs/features/tailscale-ssh)) that should not change.\r\n- Define tailnet-wide policy options (such as disabling IPv4).\r\n\r\nUsing the different sections of the tailnet policy file in unison lets you manage your tailnet in a modular and fine-grained manner. For example, you can define a custom group of users, then create an access control policy to specify how the users in that group can traverse the resources in your tailnet.\r\n\r\n## [Sections](https://tailscale.com/docs/features/tailnet-policy-file\\#sections)\r\n\r\nThe following table provides an overview of each top-level section of the tailnet policy file.\r\n\r\n| Section | Name | What it's for | Resources |\r\n| --- | --- | --- | --- |\r\n| `acls` | Access control lists (ACLs) | Create network-level access control policies. | [Syntax reference →](https://tailscale.com/docs/reference/syntax/policy-file#access-rules) |\r\n| `autoApprovers` | Auto approvers | Specify who can bypass the approval process to advertise [subnet routers](https://tailscale.com/docs/features/subnet-routers), and [exit nodes](https://tailscale.com/docs/features/exit-nodes), and [app connectors](https://tailscale.com/docs/features/app-connectors). | [Syntax reference →](https://tailscale.com/docs/reference/syntax/policy-file#auto-approvers) |\r\n| `grants` | Grants | Define network-level and application-level access control policies. | [Syntax reference →](https://tailscale.com/docs/reference/syntax/policy-file#grants) |\r\n| `groups` | Groups | Define named groups of users, devices, and subnets to target in access control policies and other definitions. | [Syntax reference →](https://tailscale.com/docs/reference/syntax/policy-file#groups) |\r\n| `hosts` | Hosts | Define named aliases for devices and subnets. | [Syntax reference →](https://tailscale.com/docs/reference/syntax/policy-file#hosts) |\r\n| `ipsets` | IP sets | Define [named network segments](https://tailscale.com/docs/features/tailnet-policy-file/ip-sets) to target in access control policies and other definitions. | [Syntax reference →](https://tailscale.com/docs/reference/syntax/policy-file#ip-sets) |\r\n| `nodeAttr` | Node attributes | Apply additional attributes to devices and users. | [Syntax reference →](https://tailscale.com/docs/reference/syntax/policy-file#node-attributes) |\r\n| `postures` | Device posture policies | Define [device posture](https://tailscale.com/docs/features/device-posture) rules to target in access control policies. | [Syntax reference →](https://tailscale.com/docs/reference/syntax/policy-file#postures) |\r\n| `ssh` | Tailscale SSH | Specify who can use [Tailscale SSH](https://tailscale.com/docs/features/tailscale-ssh). | [Syntax reference →](https://tailscale.com/docs/reference/syntax/policy-file#ssh) |\r\n| `sshTests` | Tailscale SSH tests | Write tests to make assertions about [Tailscale SSH](https://tailscale.com/docs/features/tailscale-ssh) that should not change. | [Syntax reference →](https://tailscale.com/docs/reference/syntax/policy-file#ssh-tests) |\r\n| `tagOwners` | Tag owners | Define who can assign which [tags](https://tailscale.com/docs/features/tags) to devices in your tailnet. | [Syntax reference →](https://tailscale.com/docs/reference/syntax/policy-file#tag-owners) |\r\n| `tests` | Access control tests | Write tests to make assertions about access policies ( [ACLs](https://tailscale.com/docs/features/access-control/acls) and network-level [grants](https://tailscale.com/docs/features/access-control/grants)) that should not change. | [Syntax reference →](https://tailscale.com/docs/reference/syntax/policy-file#tests) |\r\n\r\nThere's also additional sections for [network policy options](https://tailscale.com/docs/reference/syntax/policy-file#network-policy-options), such as disabling IPv4 and customizing the [DERP](https://tailscale.com/docs/reference/derp-servers) map. In most cases, these settings are unnecessary.\r\n\r\n| Section | What it's for | Resources |\r\n| --- | --- | --- |\r\n| `derpMap` | Customize the DERP servers that a tailnet uses. | [Syntax reference →](https://tailscale.com/docs/reference/syntax/policy-file#derpmap) |\r\n| `disableIPv4` | Disable using IPv4 in a tailnet. | [Syntax reference →](https://tailscale.com/docs/reference/syntax/policy-file#disableipv4) |\r\n| `OneCGNATRoute` | Modify the routes the Tailscale clients generate. | [Syntax reference →](https://tailscale.com/docs/reference/syntax/policy-file#onecgnatroute) |\r\n| `randomizeClientPort` | Control whether devices prefer a random port number or the default `41641` for WireGuard traffic. | [Syntax reference →](https://tailscale.com/docs/reference/syntax/policy-file#randomizeclientport) |\r\n\r\n![Project Logo](https://cdn.brandfetch.io/tailscale.com/fallback/lettermark/theme/dark/h/256/w/256/icon?c=1bfwsmEH20zzEfSNTed)\r\n\r\nAsk AI\r\n\r\nreCAPTCHA\r\n\r\nRecaptcha requires verification.\r\n\r\nprotected by **reCAPTCHA**\r\n","html":"<h1>Tailnet policy file</h1>\n<p>Last validated: May 21, 2025</p>\n<p>The tailnet policy file is a centralized <a href=\"https://github.com/tailscale/hujson\">human JSON (HuJSON)</a> configuration file that stores parameters, policies, and settings for your Tailscale network (known as a tailnet). <a href=\"https://tailscale.com/docs/reference/user-roles\">Owners, Admins, and Network admins</a> can manage your tailnet policy file from the Tailscale admin console. You can also manage the tailnet policy file with <a href=\"https://tailscale.com/docs/gitops\">GitOps</a> using GitHub, GitLab, or Bitbucket.</p>\n<p>The tailnet policy file is organized into multiple top-level <a href=\"https://tailscale.com/docs/features/tailnet-policy-file#sections\">sections</a>, each offering different functionality. You can use the various sections of the tailnet policy file to:</p>\n<ul>\n<li>\n<p>Define named groupings of users, devices, and network segments with <a href=\"https://tailscale.com/docs/features/tags\">tags</a>, <a href=\"https://tailscale.com/docs/reference/targets-and-selectors#groups\">groups</a>, and <a href=\"https://tailscale.com/docs/features/tailnet-policy-file/ip-sets\">IP sets</a>.</p>\n</li>\n<li>\n<p>Define access control policies at the <a href=\"https://tailscale.com/docs/concepts/tailscale-osi#network-layer\">network layer</a> using <a href=\"https://tailscale.com/docs/features/access-control/acls\">ACLs</a>.</p>\n</li>\n<li>\n<p>Define access control policies at the <a href=\"https://tailscale.com/docs/concepts/tailscale-osi#network-layer\">network layer</a> and <a href=\"https://tailscale.com/docs/concepts/tailscale-osi#application-layer\">application layer</a> using <a href=\"https://tailscale.com/docs/features/access-control/grants\">grants</a>.</p>\n</li>\n<li>\n<p>Assign aliases to IP addresses and <a href=\"https://tailscale.com/docs/features/subnet-routers\">subnets</a> (using the <code>hosts</code> section).</p>\n</li>\n<li>\n<p>Define <a href=\"https://tailscale.com/docs/features/device-posture\">device posture</a> rules.</p>\n</li>\n<li>\n<p>Specify who can use <a href=\"https://tailscale.com/docs/features/tailscale-ssh\">Tailscale SSH</a>.</p>\n</li>\n<li>\n<p>Specify who can use which <a href=\"https://tailscale.com/docs/features/tags\">tags</a> to authenticate devices.</p>\n</li>\n<li>\n<p>Specify who can bypass the approval process to advertise <a href=\"https://tailscale.com/docs/features/subnet-routers\">subnet routers</a> and <a href=\"https://tailscale.com/docs/features/exit-nodes\">exit nodes</a>.</p>\n</li>\n<li>\n<p>Apply additional attributes called <a href=\"https://tailscale.com/docs/reference/syntax/policy-file#node-attributes\">node attributes</a> to devices and users.</p>\n</li>\n<li>\n<p>Write tests to make assertions about access policies ( <a href=\"https://tailscale.com/docs/features/access-control/acls\">ACLs</a> and <a href=\"https://tailscale.com/docs/features/tailscale-ssh\">Tailscale SSH</a>) that should not change.</p>\n</li>\n<li>\n<p>Define tailnet-wide policy options (such as disabling IPv4).</p>\n</li>\n</ul>\n<p>Using the different sections of the tailnet policy file in unison lets you manage your tailnet in a modular and fine-grained manner. For example, you can define a custom group of users, then create an access control policy to specify how the users in that group can traverse the resources in your tailnet.</p>\n<h2><a href=\"https://tailscale.com/docs/features/tailnet-policy-file#sections\">Sections</a></h2>\n<p>The following table provides an overview of each top-level section of the tailnet policy file.</p>\n<p>| Section | Name | What it's for | Resources |\r\n| --- | --- | --- | --- |\r\n| <code>acls</code> | Access control lists (ACLs) | Create network-level access control policies. | <a href=\"https://tailscale.com/docs/reference/syntax/policy-file#access-rules\">Syntax reference →</a> |\r\n| <code>autoApprovers</code> | Auto approvers | Specify who can bypass the approval process to advertise <a href=\"https://tailscale.com/docs/features/subnet-routers\">subnet routers</a>, and <a href=\"https://tailscale.com/docs/features/exit-nodes\">exit nodes</a>, and <a href=\"https://tailscale.com/docs/features/app-connectors\">app connectors</a>. | <a href=\"https://tailscale.com/docs/reference/syntax/policy-file#auto-approvers\">Syntax reference →</a> |\r\n| <code>grants</code> | Grants | Define network-level and application-level access control policies. | <a href=\"https://tailscale.com/docs/reference/syntax/policy-file#grants\">Syntax reference →</a> |\r\n| <code>groups</code> | Groups | Define named groups of users, devices, and subnets to target in access control policies and other definitions. | <a href=\"https://tailscale.com/docs/reference/syntax/policy-file#groups\">Syntax reference →</a> |\r\n| <code>hosts</code> | Hosts | Define named aliases for devices and subnets. | <a href=\"https://tailscale.com/docs/reference/syntax/policy-file#hosts\">Syntax reference →</a> |\r\n| <code>ipsets</code> | IP sets | Define <a href=\"https://tailscale.com/docs/features/tailnet-policy-file/ip-sets\">named network segments</a> to target in access control policies and other definitions. | <a href=\"https://tailscale.com/docs/reference/syntax/policy-file#ip-sets\">Syntax reference →</a> |\r\n| <code>nodeAttr</code> | Node attributes | Apply additional attributes to devices and users. | <a href=\"https://tailscale.com/docs/reference/syntax/policy-file#node-attributes\">Syntax reference →</a> |\r\n| <code>postures</code> | Device posture policies | Define <a href=\"https://tailscale.com/docs/features/device-posture\">device posture</a> rules to target in access control policies. | <a href=\"https://tailscale.com/docs/reference/syntax/policy-file#postures\">Syntax reference →</a> |\r\n| <code>ssh</code> | Tailscale SSH | Specify who can use <a href=\"https://tailscale.com/docs/features/tailscale-ssh\">Tailscale SSH</a>. | <a href=\"https://tailscale.com/docs/reference/syntax/policy-file#ssh\">Syntax reference →</a> |\r\n| <code>sshTests</code> | Tailscale SSH tests | Write tests to make assertions about <a href=\"https://tailscale.com/docs/features/tailscale-ssh\">Tailscale SSH</a> that should not change. | <a href=\"https://tailscale.com/docs/reference/syntax/policy-file#ssh-tests\">Syntax reference →</a> |\r\n| <code>tagOwners</code> | Tag owners | Define who can assign which <a href=\"https://tailscale.com/docs/features/tags\">tags</a> to devices in your tailnet. | <a href=\"https://tailscale.com/docs/reference/syntax/policy-file#tag-owners\">Syntax reference →</a> |\r\n| <code>tests</code> | Access control tests | Write tests to make assertions about access policies ( <a href=\"https://tailscale.com/docs/features/access-control/acls\">ACLs</a> and network-level <a href=\"https://tailscale.com/docs/features/access-control/grants\">grants</a>) that should not change. | <a href=\"https://tailscale.com/docs/reference/syntax/policy-file#tests\">Syntax reference →</a> |</p>\n<p>There's also additional sections for <a href=\"https://tailscale.com/docs/reference/syntax/policy-file#network-policy-options\">network policy options</a>, such as disabling IPv4 and customizing the <a href=\"https://tailscale.com/docs/reference/derp-servers\">DERP</a> map. In most cases, these settings are unnecessary.</p>\n<p>| Section | What it's for | Resources |\r\n| --- | --- | --- |\r\n| <code>derpMap</code> | Customize the DERP servers that a tailnet uses. | <a href=\"https://tailscale.com/docs/reference/syntax/policy-file#derpmap\">Syntax reference →</a> |\r\n| <code>disableIPv4</code> | Disable using IPv4 in a tailnet. | <a href=\"https://tailscale.com/docs/reference/syntax/policy-file#disableipv4\">Syntax reference →</a> |\r\n| <code>OneCGNATRoute</code> | Modify the routes the Tailscale clients generate. | <a href=\"https://tailscale.com/docs/reference/syntax/policy-file#onecgnatroute\">Syntax reference →</a> |\r\n| <code>randomizeClientPort</code> | Control whether devices prefer a random port number or the default <code>41641</code> for WireGuard traffic. | <a href=\"https://tailscale.com/docs/reference/syntax/policy-file#randomizeclientport\">Syntax reference →</a> |</p>\n<p><img src=\"https://cdn.brandfetch.io/tailscale.com/fallback/lettermark/theme/dark/h/256/w/256/icon?c=1bfwsmEH20zzEfSNTed\" alt=\"Project Logo\"></p>\n<p>Ask AI</p>\n<p>reCAPTCHA</p>\n<p>Recaptcha requires verification.</p>\n<p>protected by <strong>reCAPTCHA</strong></p>\n"}