{"slug":"troubleshooting-grants","title":"Troubleshooting grants","tags":["tailscale"],"agent_summary":"Last validated: Jan 12, 2026","trigger_phrases":[],"runnable":false,"markdown":"\r\n# Troubleshooting grants\r\n\r\nLast validated: Jan 12, 2026\r\n\r\n[Grants](https://tailscale.com/docs/features/access-control/grants) are Tailscale's unified approach to defining access controls for both [network and application layers](https://tailscale.com/docs/features/access-control/grants/grants-app-capabilities) in your Tailscale network (known as a [tailnet](https://tailscale.com/docs/concepts/tailnet)). This guide walks you through diagnosing and solving common grant-related problems, progressing from basic verification techniques to resolving complex authorization scenarios.\r\n\r\n## [Diagnosing grant issues](https://tailscale.com/docs/reference/troubleshooting/grants\\#diagnosing-grant-issues)\r\n\r\nThis section covers the tools and methods available for inspecting your grant policies, verifying policy compilation, and examining how the Tailscale policy engine applies permissions to specific devices or users. Using these diagnostic techniques will help you identify the root cause of most grant-related problems.\r\n\r\nKeep in mind that Tailscale validates the syntax of the [tailnet policy file](https://tailscale.com/docs/features/tailnet-policy-file), including the grants section, when you save it. You won't be able to save it if it has a syntax error. This is true for our admin console editor, [GitOps](https://tailscale.com/docs/gitops), [Terraform](https://tailscale.com/docs/integrations/terraform-provider), and our API. You also won't be able to save the tailnet policy file if it refers to a target (such as a group) that is not defined.\r\n\r\n### [Verify your grants configuration](https://tailscale.com/docs/reference/troubleshooting/grants\\#verify-your-grants-configuration)\r\n\r\nThe first step in troubleshooting is to verify that your grants are correctly defined in your [tailnet policy file](https://tailscale.com/docs/features/tailnet-policy-file). You can use the [**Preview rules**](https://tailscale.com/docs/features/tailnet-policy-file/manage-tailnet-policies) tab from the [Access controls](https://tailscale.com/docs/features/access-control) page of the admin console to check how the rules apply to specific users or tags. This can help you ensure the policy configuration will work as you intend it to.\r\n\r\n### [Inspect capabilities with `whois`](https://tailscale.com/docs/reference/troubleshooting/grants\\#inspect-capabilities-with-whois)\r\n\r\nFor diagnosing issues with [application layer capabilities](https://tailscale.com/docs/features/access-control/grants/grants-app-capabilities) granted to specific devices or users, the [`tailscale whois`](https://tailscale.com/docs/reference/tailscale-cli#whois) command is invaluable. This command provides detailed information about a node, including all capabilities granted to it through your tailnet policy.\r\n\r\nTo inspect the capabilities of a user or device, use its [Tailscale IP address](https://tailscale.com/docs/concepts/tailscale-ip-addresses):\r\n\r\n```shell\r\ntailscale whois 100.100.123.123\r\n```\r\n\r\nThe output includes:\r\n\r\n- Basic device or user information.\r\n- Network addresses associated with the device.\r\n- A list of all capabilities granted to the device.\r\n\r\nPay special attention to the Capabilities section of the output, which details all application capabilities granted to the device. Each capability listing includes its full name and parameters, letting you verify that it is applying the correct permissions.\r\n\r\n## [Resolve common issues](https://tailscale.com/docs/reference/troubleshooting/grants\\#resolve-common-issues)\r\n\r\nMany grant-related issues stem from basic configuration problems or misunderstandings about [how grants work](https://tailscale.com/docs/reference/syntax/grants). This section addresses some common issues you might encounter when working with grants.\r\n\r\n### [Selector matching issues](https://tailscale.com/docs/reference/troubleshooting/grants\\#selector-matching-issues)\r\n\r\n[Selectors](https://tailscale.com/docs/reference/targets-and-selectors) might fail to match the intended targets. This happens when the selectors in your grants don't correctly identify the devices or users you're trying to permit.\r\n\r\nCommon selector matching problems include:\r\n\r\n- Misspelling email addresses or domain names.\r\n- Using [tag](https://tailscale.com/docs/features/tags) that have been created but not applied to any devices.\r\n- Using group names that have been created but not populated with users.\r\n- Forgetting to prefix group names with `group:` or tag names with `tag:`. This type of syntax error will be caught automatically unless there's also a host with the same name as the group or tag.\r\n\r\nTo troubleshoot selector matching issues:\r\n\r\n1. Confirm that tags referenced in your grants have been applied to the appropriate devices.\r\n2. Check for typos in email addresses, especially if you're granting access to specific users.\r\n3. Use [`tailscale status`](https://tailscale.com/docs/reference/tailscale-cli#status) to verify the tags applied to your devices.\r\n\r\nYou must run this command on each device you're checking.\r\n\r\nIf you're using [autogroups](https://tailscale.com/docs/reference/targets-and-selectors#autogroups) (such as `autogroup:member`), make sure you understand the devices within each autogroup. For example, `autogroup:member` includes all users who are members of your tailnet, but not devices shared from other tailnets.\r\n\r\n## [Less common and complex issues](https://tailscale.com/docs/reference/troubleshooting/grants\\#less-common-and-complex-issues)\r\n\r\nBeyond basic configuration problems, you might encounter more complex issues with grants, especially when implementing sophisticated [access control policies](https://tailscale.com/docs/features/access-control) (such as posture checks, route filtering, or custom [application capabilities](https://tailscale.com/docs/features/access-control/grants/grants-app-capabilities)). These issues often require a deeper understanding of how the Tailscale policy engine processes and applies grants.\r\n\r\n### [Problems with `via` field routing](https://tailscale.com/docs/reference/troubleshooting/grants\\#problems-with-via-field-routing)\r\n\r\nThe [`via` field in grants](https://tailscale.com/docs/features/access-control/grants/grants-via) lets you segment resource access through different routers based on specific criteria. However, misconfiguration can lead to routing failures or unexpected traffic paths.\r\n\r\nCommon `via` routing issues include:\r\n\r\n- Specifying a `via` target that isn't reachable from the source.\r\n- Using a `via` target with subnet routers that don't have the appropriate [subnet routes](https://tailscale.com/docs/features/subnet-routers) advertised.\r\n- Using a `via` target with [app connectors](https://tailscale.com/docs/features/app-connectors) that have not been appropriately configured.\r\n- Using a `via` target with exit nodes that have not been approved.\r\n- Missing `via` field when intending to route traffic to subnet routes, app connectors, or [exit nodes](https://tailscale.com/docs/features/exit-nodes).\r\n\r\nTo troubleshoot `via` routing issues:\r\n\r\n1. Verify that the device specified in the `via` field exists and is online using [`tailscale status`](https://tailscale.com/docs/reference/tailscale-cli#status).\r\n2. Confirm that the `via` device has the appropriate configuration.\r\n3. For [subnet routers](https://tailscale.com/docs/features/subnet-routers), check that subnet routes are advertised using `tailscale status --routes`.\r\n4. For [app connectors](https://tailscale.com/docs/features/app-connectors), check that the app connector is properly configured.\r\n5. For [exit nodes](https://tailscale.com/docs/features/exit-nodes), check that the exit node has been approved in the admin console.\r\n6. Check that the `via` device is reachable from the source device using [`tailscale ping`](https://tailscale.com/docs/reference/tailscale-cli#ping).\r\n7. Verify that the destination is reachable through the `via` device by examining logs on the `via` device.\r\n\r\nExample of a correct `via` configuration:\r\n\r\n```json\r\n\"grants\": [\\\r\n  {\\\r\n    \"src\": [\"group:eng\"],\\\r\n    \"dst\": [\"192.0.2.0/24\"],\\\r\n    \"ip\":  [\"*\"],\\\r\n    \"via\": [\"tag:subnet-router\"]\\\r\n  }\\\r\n]\r\n```\r\n\r\nYou can use the [visual policy editor](https://tailscale.com/docs/features/visual-editor) to manage your tailnet policy file. Refer to the [visual editor reference](https://tailscale.com/docs/reference/visual-editor) for guidance on using the visual editor.\r\n\r\nIn this example, make sure that a device with the `tag:subnet-router` tag exists, is online, and has the `192.0.2.0/24` subnet route advertised.\r\n\r\n### [Device posture verification failures](https://tailscale.com/docs/reference/troubleshooting/grants\\#device-posture-verification-failures)\r\n\r\nThe `srcPosture` field lets you restrict access based on [device posture](https://tailscale.com/docs/features/device-posture) conditions.\r\n\r\nCommon device posture issues include:\r\n\r\n- Devices running outdated [Tailscale versions](https://tailscale.com/docs/reference/tailscale-client-versions) that don't support posture checking.\r\n- Posture conditions that are too restrictive or impossible to meet.\r\n- Misconfigured posture conditions with syntax errors.\r\n- Devices missing required attributes for posture checking.\r\n\r\nTo troubleshoot device posture issues:\r\n\r\n1. Verify that all devices are running an up-to-date version of the Tailscale client. Versions prior to 1.52.0 don't support posture checking.\r\n2. Review the posture conditions in your tailnet policy file for correctness.\r\n3. Use [`tailscale status --self`](https://tailscale.com/docs/reference/tailscale-cli#status) to get the device attributes that are checked for posture verification.\r\n4. Test with more permissive posture conditions first, then gradually tighten restrictions.\r\n\r\nExample of device posture verification:\r\n\r\n```json\r\n\"postures\": {\r\n  \"posture:latest\": [\\\r\n    \"node:tsVersion >= '1.42.0'\",\\\r\n    \"node:os == 'linux'\"\\\r\n  ]\r\n},\r\n\"grants\": [\\\r\n  {\\\r\n    \"src\": [\"group:eng\"],\\\r\n    \"dst\": [\"tag:prod\"],\\\r\n    \"ip\":  [\"*\"]\\\r\n    \"srcPosture\": [\"posture:latest\"]\\\r\n  }\\\r\n]\r\n```\r\n\r\nYou can use the [visual policy editor](https://tailscale.com/docs/features/visual-editor) to manage your tailnet policy file. Refer to the [visual editor reference](https://tailscale.com/docs/reference/visual-editor) for guidance on using the visual editor.\r\n\r\nIf devices are failing posture checks, temporarily remove the `srcPosture` field to verify that the grant works without posture conditions, then add them back one by one to identify the problematic condition.\r\n\r\n### [Application capability integration issues](https://tailscale.com/docs/reference/troubleshooting/grants\\#application-capability-integration-issues)\r\n\r\nIntegrating [application capabilities](https://tailscale.com/docs/features/access-control/grants/grants-app-capabilities) with grants can introduce issues when applications don't correctly interpret the capabilities provided by the [Tailscale client](https://tailscale.com/docs/install).\r\n\r\nCommon application capability issues include:\r\n\r\n- Applications not querying the local Tailscale client for capabilities.\r\n- Incorrect capability names or parameter structures.\r\n- Applications misinterpreting the capabilities returned by the Tailscale client.\r\n\r\nTo troubleshoot application capability issues:\r\n\r\n1. Verify that your application is correctly querying the Tailscale client for capabilities using the [LocalAPI](https://pkg.go.dev/tailscale.com/ipn/localapi). This is only required if the application doesn't use the [`tsnet` library](https://tailscale.com/docs/features/tsnet).\r\n2. Check that the capability name matches exactly what your application expects.\r\n3. Confirm that the parameters in your grant match the schema expected by your application.\r\n4. Test with simplified capability parameters first, then add complexity.\r\n\r\nExample of a correct application capability grant:\r\n\r\n```json\r\n\"grants\": [\\\r\n  {\\\r\n    \"src\": [\"group:eng\"],\\\r\n    \"dst\": [\"tag:tailsql\"],\\\r\n    \"ip\":  [\"tcp:443\"],\\\r\n    \"app\": {\\\r\n      \"tailscale.com/cap/tailsql\": [\\\r\n        {\\\r\n          \"dataSrc\": [\"prod\", \"staging\"]\\\r\n        }\\\r\n      ]\\\r\n    }\\\r\n  }\\\r\n]\r\n```\r\n\r\nYou can use the [visual policy editor](https://tailscale.com/docs/features/visual-editor) to manage your tailnet policy file. Refer to the [visual editor reference](https://tailscale.com/docs/reference/visual-editor) for guidance on using the visual editor.\r\n\r\nIn this example, make sure that the application running on devices with the `tag:tailsql` tag is correctly checking for the `tailscale.com/cap/tailsql` capability and properly interpreting the `dataSrc` parameter.\r\n\r\n## [Prevention strategies](https://tailscale.com/docs/reference/troubleshooting/grants\\#prevention-strategies)\r\n\r\nThis section outlines best practices for designing, implementing, and maintaining grants in your tailnet policy. By following these recommendations, you can minimize issues and streamline troubleshooting when problems do arise.\r\n\r\n### [Design principles for effective grants](https://tailscale.com/docs/reference/troubleshooting/grants\\#design-principles-for-effective-grants)\r\n\r\n- [**Least privilege**](https://tailscale.com/learn/principle-of-least-privilege): Grant only the minimum permissions needed for each source-destination pair. Be specific about ports and protocols in the `ip` field when appropriate.\r\n- [**Logical grouping**](https://tailscale.com/docs/reference/troubleshooting/grants#design-principles-for-effective-grants): Organize related grants together and use comments to explain their purpose. This makes the policy file more readable and easier to maintain.\r\n- [**Standardized naming**](https://tailscale.com/docs/reference/troubleshooting/grants#design-principles-for-effective-grants): Use consistent naming conventions for groups, tags, and IP sets referenced in your grants. This reduces the risk of typos and makes troubleshooting easier.\r\n- [**Progressive refinement**](https://tailscale.com/docs/reference/troubleshooting/grants#design-principles-for-effective-grants): Start with broad grants and refine them over time as you better understand your access control requirements. This approach is less likely to cause unexpected denials.\r\n- [**Documentation**](https://tailscale.com/docs/reference/troubleshooting/grants#design-principles-for-effective-grants): Document your grants with comments in the policy file, explaining why each grant exists and what it's intended to permit.\r\n\r\nFollowing these principles will result in a more maintainable policy file that's less prone to issues and easier to troubleshoot when problems occur.\r\n\r\n### [Testing strategies](https://tailscale.com/docs/reference/troubleshooting/grants\\#testing-strategies)\r\n\r\nConsider using testing strategies before deploying changes to your grants:\r\n\r\n- [Document test cases](https://tailscale.com/docs/reference/troubleshooting/grants#testing-strategies): Create a set of [tests](https://tailscale.com/docs/reference/syntax/policy-file#tests) in your tailnet policy file that cover all the permissions you need to verify.\r\n- [Use the access control rules preview](https://tailscale.com/docs/features/tailnet-policy-file/manage-tailnet-policies): The admin console's policy file editor includes a preview feature that shows what changes your edits will make to the effective policy. Review this carefully before applying changes.\r\n- [Staged rollout](https://tailscale.com/docs/reference/troubleshooting/grants#testing-strategies): For significant changes, consider a staged rollout to a subset of devices or users before applying the changes to your entire tailnet.\r\n\r\nBy thoroughly testing changes before deployment and monitoring for issues afterward, you can identify and resolve problems before they affect your users.\r\n\r\n![Project Logo](https://cdn.brandfetch.io/tailscale.com/fallback/lettermark/theme/dark/h/256/w/256/icon?c=1bfwsmEH20zzEfSNTed)\r\n\r\nAsk AI\r\n\r\nreCAPTCHA\r\n\r\nRecaptcha requires verification.\r\n\r\nprotected by **reCAPTCHA**\r\n","html":"<h1>Troubleshooting grants</h1>\n<p>Last validated: Jan 12, 2026</p>\n<p><a href=\"https://tailscale.com/docs/features/access-control/grants\">Grants</a> are Tailscale's unified approach to defining access controls for both <a href=\"https://tailscale.com/docs/features/access-control/grants/grants-app-capabilities\">network and application layers</a> in your Tailscale network (known as a <a href=\"https://tailscale.com/docs/concepts/tailnet\">tailnet</a>). This guide walks you through diagnosing and solving common grant-related problems, progressing from basic verification techniques to resolving complex authorization scenarios.</p>\n<h2><a href=\"https://tailscale.com/docs/reference/troubleshooting/grants#diagnosing-grant-issues\">Diagnosing grant issues</a></h2>\n<p>This section covers the tools and methods available for inspecting your grant policies, verifying policy compilation, and examining how the Tailscale policy engine applies permissions to specific devices or users. Using these diagnostic techniques will help you identify the root cause of most grant-related problems.</p>\n<p>Keep in mind that Tailscale validates the syntax of the <a href=\"https://tailscale.com/docs/features/tailnet-policy-file\">tailnet policy file</a>, including the grants section, when you save it. You won't be able to save it if it has a syntax error. This is true for our admin console editor, <a href=\"https://tailscale.com/docs/gitops\">GitOps</a>, <a href=\"https://tailscale.com/docs/integrations/terraform-provider\">Terraform</a>, and our API. You also won't be able to save the tailnet policy file if it refers to a target (such as a group) that is not defined.</p>\n<h3><a href=\"https://tailscale.com/docs/reference/troubleshooting/grants#verify-your-grants-configuration\">Verify your grants configuration</a></h3>\n<p>The first step in troubleshooting is to verify that your grants are correctly defined in your <a href=\"https://tailscale.com/docs/features/tailnet-policy-file\">tailnet policy file</a>. You can use the <a href=\"https://tailscale.com/docs/features/tailnet-policy-file/manage-tailnet-policies\"><strong>Preview rules</strong></a> tab from the <a href=\"https://tailscale.com/docs/features/access-control\">Access controls</a> page of the admin console to check how the rules apply to specific users or tags. This can help you ensure the policy configuration will work as you intend it to.</p>\n<h3><a href=\"https://tailscale.com/docs/reference/troubleshooting/grants#inspect-capabilities-with-whois\">Inspect capabilities with <code>whois</code></a></h3>\n<p>For diagnosing issues with <a href=\"https://tailscale.com/docs/features/access-control/grants/grants-app-capabilities\">application layer capabilities</a> granted to specific devices or users, the <a href=\"https://tailscale.com/docs/reference/tailscale-cli#whois\"><code>tailscale whois</code></a> command is invaluable. This command provides detailed information about a node, including all capabilities granted to it through your tailnet policy.</p>\n<p>To inspect the capabilities of a user or device, use its <a href=\"https://tailscale.com/docs/concepts/tailscale-ip-addresses\">Tailscale IP address</a>:</p>\n<pre><code class=\"language-shell\">tailscale whois 100.100.123.123\n</code></pre>\n<p>The output includes:</p>\n<ul>\n<li>Basic device or user information.</li>\n<li>Network addresses associated with the device.</li>\n<li>A list of all capabilities granted to the device.</li>\n</ul>\n<p>Pay special attention to the Capabilities section of the output, which details all application capabilities granted to the device. Each capability listing includes its full name and parameters, letting you verify that it is applying the correct permissions.</p>\n<h2><a href=\"https://tailscale.com/docs/reference/troubleshooting/grants#resolve-common-issues\">Resolve common issues</a></h2>\n<p>Many grant-related issues stem from basic configuration problems or misunderstandings about <a href=\"https://tailscale.com/docs/reference/syntax/grants\">how grants work</a>. This section addresses some common issues you might encounter when working with grants.</p>\n<h3><a href=\"https://tailscale.com/docs/reference/troubleshooting/grants#selector-matching-issues\">Selector matching issues</a></h3>\n<p><a href=\"https://tailscale.com/docs/reference/targets-and-selectors\">Selectors</a> might fail to match the intended targets. This happens when the selectors in your grants don't correctly identify the devices or users you're trying to permit.</p>\n<p>Common selector matching problems include:</p>\n<ul>\n<li>Misspelling email addresses or domain names.</li>\n<li>Using <a href=\"https://tailscale.com/docs/features/tags\">tag</a> that have been created but not applied to any devices.</li>\n<li>Using group names that have been created but not populated with users.</li>\n<li>Forgetting to prefix group names with <code>group:</code> or tag names with <code>tag:</code>. This type of syntax error will be caught automatically unless there's also a host with the same name as the group or tag.</li>\n</ul>\n<p>To troubleshoot selector matching issues:</p>\n<ol>\n<li>Confirm that tags referenced in your grants have been applied to the appropriate devices.</li>\n<li>Check for typos in email addresses, especially if you're granting access to specific users.</li>\n<li>Use <a href=\"https://tailscale.com/docs/reference/tailscale-cli#status\"><code>tailscale status</code></a> to verify the tags applied to your devices.</li>\n</ol>\n<p>You must run this command on each device you're checking.</p>\n<p>If you're using <a href=\"https://tailscale.com/docs/reference/targets-and-selectors#autogroups\">autogroups</a> (such as <code>autogroup:member</code>), make sure you understand the devices within each autogroup. For example, <code>autogroup:member</code> includes all users who are members of your tailnet, but not devices shared from other tailnets.</p>\n<h2><a href=\"https://tailscale.com/docs/reference/troubleshooting/grants#less-common-and-complex-issues\">Less common and complex issues</a></h2>\n<p>Beyond basic configuration problems, you might encounter more complex issues with grants, especially when implementing sophisticated <a href=\"https://tailscale.com/docs/features/access-control\">access control policies</a> (such as posture checks, route filtering, or custom <a href=\"https://tailscale.com/docs/features/access-control/grants/grants-app-capabilities\">application capabilities</a>). These issues often require a deeper understanding of how the Tailscale policy engine processes and applies grants.</p>\n<h3><a href=\"https://tailscale.com/docs/reference/troubleshooting/grants#problems-with-via-field-routing\">Problems with <code>via</code> field routing</a></h3>\n<p>The <a href=\"https://tailscale.com/docs/features/access-control/grants/grants-via\"><code>via</code> field in grants</a> lets you segment resource access through different routers based on specific criteria. However, misconfiguration can lead to routing failures or unexpected traffic paths.</p>\n<p>Common <code>via</code> routing issues include:</p>\n<ul>\n<li>Specifying a <code>via</code> target that isn't reachable from the source.</li>\n<li>Using a <code>via</code> target with subnet routers that don't have the appropriate <a href=\"https://tailscale.com/docs/features/subnet-routers\">subnet routes</a> advertised.</li>\n<li>Using a <code>via</code> target with <a href=\"https://tailscale.com/docs/features/app-connectors\">app connectors</a> that have not been appropriately configured.</li>\n<li>Using a <code>via</code> target with exit nodes that have not been approved.</li>\n<li>Missing <code>via</code> field when intending to route traffic to subnet routes, app connectors, or <a href=\"https://tailscale.com/docs/features/exit-nodes\">exit nodes</a>.</li>\n</ul>\n<p>To troubleshoot <code>via</code> routing issues:</p>\n<ol>\n<li>Verify that the device specified in the <code>via</code> field exists and is online using <a href=\"https://tailscale.com/docs/reference/tailscale-cli#status\"><code>tailscale status</code></a>.</li>\n<li>Confirm that the <code>via</code> device has the appropriate configuration.</li>\n<li>For <a href=\"https://tailscale.com/docs/features/subnet-routers\">subnet routers</a>, check that subnet routes are advertised using <code>tailscale status --routes</code>.</li>\n<li>For <a href=\"https://tailscale.com/docs/features/app-connectors\">app connectors</a>, check that the app connector is properly configured.</li>\n<li>For <a href=\"https://tailscale.com/docs/features/exit-nodes\">exit nodes</a>, check that the exit node has been approved in the admin console.</li>\n<li>Check that the <code>via</code> device is reachable from the source device using <a href=\"https://tailscale.com/docs/reference/tailscale-cli#ping\"><code>tailscale ping</code></a>.</li>\n<li>Verify that the destination is reachable through the <code>via</code> device by examining logs on the <code>via</code> device.</li>\n</ol>\n<p>Example of a correct <code>via</code> configuration:</p>\n<pre><code class=\"language-json\">\"grants\": [\\\r\n  {\\\r\n    \"src\": [\"group:eng\"],\\\r\n    \"dst\": [\"192.0.2.0/24\"],\\\r\n    \"ip\":  [\"*\"],\\\r\n    \"via\": [\"tag:subnet-router\"]\\\r\n  }\\\r\n]\n</code></pre>\n<p>You can use the <a href=\"https://tailscale.com/docs/features/visual-editor\">visual policy editor</a> to manage your tailnet policy file. Refer to the <a href=\"https://tailscale.com/docs/reference/visual-editor\">visual editor reference</a> for guidance on using the visual editor.</p>\n<p>In this example, make sure that a device with the <code>tag:subnet-router</code> tag exists, is online, and has the <code>192.0.2.0/24</code> subnet route advertised.</p>\n<h3><a href=\"https://tailscale.com/docs/reference/troubleshooting/grants#device-posture-verification-failures\">Device posture verification failures</a></h3>\n<p>The <code>srcPosture</code> field lets you restrict access based on <a href=\"https://tailscale.com/docs/features/device-posture\">device posture</a> conditions.</p>\n<p>Common device posture issues include:</p>\n<ul>\n<li>Devices running outdated <a href=\"https://tailscale.com/docs/reference/tailscale-client-versions\">Tailscale versions</a> that don't support posture checking.</li>\n<li>Posture conditions that are too restrictive or impossible to meet.</li>\n<li>Misconfigured posture conditions with syntax errors.</li>\n<li>Devices missing required attributes for posture checking.</li>\n</ul>\n<p>To troubleshoot device posture issues:</p>\n<ol>\n<li>Verify that all devices are running an up-to-date version of the Tailscale client. Versions prior to 1.52.0 don't support posture checking.</li>\n<li>Review the posture conditions in your tailnet policy file for correctness.</li>\n<li>Use <a href=\"https://tailscale.com/docs/reference/tailscale-cli#status\"><code>tailscale status --self</code></a> to get the device attributes that are checked for posture verification.</li>\n<li>Test with more permissive posture conditions first, then gradually tighten restrictions.</li>\n</ol>\n<p>Example of device posture verification:</p>\n<pre><code class=\"language-json\">\"postures\": {\r\n  \"posture:latest\": [\\\r\n    \"node:tsVersion >= '1.42.0'\",\\\r\n    \"node:os == 'linux'\"\\\r\n  ]\r\n},\r\n\"grants\": [\\\r\n  {\\\r\n    \"src\": [\"group:eng\"],\\\r\n    \"dst\": [\"tag:prod\"],\\\r\n    \"ip\":  [\"*\"]\\\r\n    \"srcPosture\": [\"posture:latest\"]\\\r\n  }\\\r\n]\n</code></pre>\n<p>You can use the <a href=\"https://tailscale.com/docs/features/visual-editor\">visual policy editor</a> to manage your tailnet policy file. Refer to the <a href=\"https://tailscale.com/docs/reference/visual-editor\">visual editor reference</a> for guidance on using the visual editor.</p>\n<p>If devices are failing posture checks, temporarily remove the <code>srcPosture</code> field to verify that the grant works without posture conditions, then add them back one by one to identify the problematic condition.</p>\n<h3><a href=\"https://tailscale.com/docs/reference/troubleshooting/grants#application-capability-integration-issues\">Application capability integration issues</a></h3>\n<p>Integrating <a href=\"https://tailscale.com/docs/features/access-control/grants/grants-app-capabilities\">application capabilities</a> with grants can introduce issues when applications don't correctly interpret the capabilities provided by the <a href=\"https://tailscale.com/docs/install\">Tailscale client</a>.</p>\n<p>Common application capability issues include:</p>\n<ul>\n<li>Applications not querying the local Tailscale client for capabilities.</li>\n<li>Incorrect capability names or parameter structures.</li>\n<li>Applications misinterpreting the capabilities returned by the Tailscale client.</li>\n</ul>\n<p>To troubleshoot application capability issues:</p>\n<ol>\n<li>Verify that your application is correctly querying the Tailscale client for capabilities using the <a href=\"https://pkg.go.dev/tailscale.com/ipn/localapi\">LocalAPI</a>. This is only required if the application doesn't use the <a href=\"https://tailscale.com/docs/features/tsnet\"><code>tsnet</code> library</a>.</li>\n<li>Check that the capability name matches exactly what your application expects.</li>\n<li>Confirm that the parameters in your grant match the schema expected by your application.</li>\n<li>Test with simplified capability parameters first, then add complexity.</li>\n</ol>\n<p>Example of a correct application capability grant:</p>\n<pre><code class=\"language-json\">\"grants\": [\\\r\n  {\\\r\n    \"src\": [\"group:eng\"],\\\r\n    \"dst\": [\"tag:tailsql\"],\\\r\n    \"ip\":  [\"tcp:443\"],\\\r\n    \"app\": {\\\r\n      \"tailscale.com/cap/tailsql\": [\\\r\n        {\\\r\n          \"dataSrc\": [\"prod\", \"staging\"]\\\r\n        }\\\r\n      ]\\\r\n    }\\\r\n  }\\\r\n]\n</code></pre>\n<p>You can use the <a href=\"https://tailscale.com/docs/features/visual-editor\">visual policy editor</a> to manage your tailnet policy file. Refer to the <a href=\"https://tailscale.com/docs/reference/visual-editor\">visual editor reference</a> for guidance on using the visual editor.</p>\n<p>In this example, make sure that the application running on devices with the <code>tag:tailsql</code> tag is correctly checking for the <code>tailscale.com/cap/tailsql</code> capability and properly interpreting the <code>dataSrc</code> parameter.</p>\n<h2><a href=\"https://tailscale.com/docs/reference/troubleshooting/grants#prevention-strategies\">Prevention strategies</a></h2>\n<p>This section outlines best practices for designing, implementing, and maintaining grants in your tailnet policy. By following these recommendations, you can minimize issues and streamline troubleshooting when problems do arise.</p>\n<h3><a href=\"https://tailscale.com/docs/reference/troubleshooting/grants#design-principles-for-effective-grants\">Design principles for effective grants</a></h3>\n<ul>\n<li><a href=\"https://tailscale.com/learn/principle-of-least-privilege\"><strong>Least privilege</strong></a>: Grant only the minimum permissions needed for each source-destination pair. Be specific about ports and protocols in the <code>ip</code> field when appropriate.</li>\n<li><a href=\"https://tailscale.com/docs/reference/troubleshooting/grants#design-principles-for-effective-grants\"><strong>Logical grouping</strong></a>: Organize related grants together and use comments to explain their purpose. This makes the policy file more readable and easier to maintain.</li>\n<li><a href=\"https://tailscale.com/docs/reference/troubleshooting/grants#design-principles-for-effective-grants\"><strong>Standardized naming</strong></a>: Use consistent naming conventions for groups, tags, and IP sets referenced in your grants. This reduces the risk of typos and makes troubleshooting easier.</li>\n<li><a href=\"https://tailscale.com/docs/reference/troubleshooting/grants#design-principles-for-effective-grants\"><strong>Progressive refinement</strong></a>: Start with broad grants and refine them over time as you better understand your access control requirements. This approach is less likely to cause unexpected denials.</li>\n<li><a href=\"https://tailscale.com/docs/reference/troubleshooting/grants#design-principles-for-effective-grants\"><strong>Documentation</strong></a>: Document your grants with comments in the policy file, explaining why each grant exists and what it's intended to permit.</li>\n</ul>\n<p>Following these principles will result in a more maintainable policy file that's less prone to issues and easier to troubleshoot when problems occur.</p>\n<h3><a href=\"https://tailscale.com/docs/reference/troubleshooting/grants#testing-strategies\">Testing strategies</a></h3>\n<p>Consider using testing strategies before deploying changes to your grants:</p>\n<ul>\n<li><a href=\"https://tailscale.com/docs/reference/troubleshooting/grants#testing-strategies\">Document test cases</a>: Create a set of <a href=\"https://tailscale.com/docs/reference/syntax/policy-file#tests\">tests</a> in your tailnet policy file that cover all the permissions you need to verify.</li>\n<li><a href=\"https://tailscale.com/docs/features/tailnet-policy-file/manage-tailnet-policies\">Use the access control rules preview</a>: The admin console's policy file editor includes a preview feature that shows what changes your edits will make to the effective policy. Review this carefully before applying changes.</li>\n<li><a href=\"https://tailscale.com/docs/reference/troubleshooting/grants#testing-strategies\">Staged rollout</a>: For significant changes, consider a staged rollout to a subset of devices or users before applying the changes to your entire tailnet.</li>\n</ul>\n<p>By thoroughly testing changes before deployment and monitoring for issues afterward, you can identify and resolve problems before they affect your users.</p>\n<p><img src=\"https://cdn.brandfetch.io/tailscale.com/fallback/lettermark/theme/dark/h/256/w/256/icon?c=1bfwsmEH20zzEfSNTed\" alt=\"Project Logo\"></p>\n<p>Ask AI</p>\n<p>reCAPTCHA</p>\n<p>Recaptcha requires verification.</p>\n<p>protected by <strong>reCAPTCHA</strong></p>\n"}