{"slug":"visual-policy-editor-reference","title":"Visual policy editor reference","tags":["tailscale","access-control"],"agent_summary":"Last validated: Dec 2, 2025","trigger_phrases":[],"runnable":false,"markdown":"\r\n# Visual policy editor reference\r\n\r\nLast validated: Dec 2, 2025\r\n\r\nThe [Tailscale visual policy editor](https://tailscale.com/docs/features/visual-editor) gives you an interactive graphical interface for managing access control policies in a Tailscale network (known as a tailnet). This reference documents all interface elements, forms, controls, and their associated help information to help you effectively use the visual editor. For a comprehensive understanding of the underlying policy syntax, refer to [Tailscale's policy syntax documentation](https://tailscale.com/docs/reference/syntax/policy-file).\r\n\r\nRefer to the [targets documentation](https://tailscale.com/docs/reference/targets-and-selectors) for detailed information about available targets for sources, destinations, and other fields.\r\n\r\n## [General access rules](https://tailscale.com/docs/reference/visual-editor\\#general-access-rules)\r\n\r\n![General access rules tab with two rules: first allows all users and devices to access all destinations on all ports, second restricts tag:unraid access on all ports.](https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Fgeneral-rules.d8086c09.png&w=3840&q=75)\r\n\r\nGeneral access rules control network-level and application-level access between devices in your tailnet using [grants syntax](https://tailscale.com/docs/features/access-control/grants). These rules determine which sources can connect to which destinations on specified ports and protocols. The visual editor translates these rules into the underlying grant structure in your tailnet policy file.\r\n\r\nThe visual editor uses grants syntax on the backend. This means that if you create an access control policy using the ACL syntax in the JSON editor, it automatically converts to grants syntax when you edit the policy using the visual editor. Grants syntax supports all the same capabilities as ACL syntax with additional features like [route filtering](https://tailscale.com/docs/features/access-control/grants/grants-via) and [app capabilities](https://tailscale.com/docs/features/access-control/grants/grants-app-capabilities). Refer to [grants versus ACLs](https://tailscale.com/docs/reference/grants-vs-acls) for more information.\r\n\r\nEach general access rule uses grants syntax, which consists of three main components: sources, destinations, and network restrictions. Grants also support additional components like the `via` field and app capabilities for more advanced access control scenarios. For a complete overview of grants syntax, refer to the [grants syntax reference](https://tailscale.com/docs/reference/syntax/grants).\r\n\r\nThe rules table displays all configured access rules with their sources, destinations, and network restrictions. The ![ellipsis icon](https://tailscale.com/files/images/icons/fa-ellipsis-h.svg) menu for each rule lets you edit and delete operations. For examples of common access patterns, refer to the [grant examples](https://tailscale.com/docs/reference/examples/grants).\r\n\r\n### [Add a general access rule](https://tailscale.com/docs/reference/visual-editor\\#add-a-general-access-rule)\r\n\r\n![Add general access rule form with fields for source, destination, and network restrictions (ports and protocols).](https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Fgeneral-rules-add.92ec3351.png&w=3840&q=75)\r\n\r\nTo add a general access rule using the [visual editor](https://tailscale.com/docs/features/visual-editor):\r\n\r\n1. Go to the [Access controls](https://login.tailscale.com/admin/acls) page of the admin console.\r\n2. Select **Add rule** from the **General access rules** tab.\r\n3. Configure the basic fields:\r\n1. **Source**: Define who can connect. Select users, groups, devices, or tags that start connections.\r\n2. **Destination**: Define what the source can connect to. Select the devices, services, or resources that receive connections.\r\n3. **Port and protocol**: Choose specific ports and protocols or select **All ports and protocols**.\r\n4. (Optional) Use the **Note** field to document your rationale for the rule.\r\n4. (Optional) Expand **Advanced options** to configure additional settings:\r\n1. **Device posture**: Specify device posture rules that must be true to let these connections through.\r\n2. **Via**: Specify exit nodes, subnet routers, or app connectors that should route the source to the destination.\r\n3. **App capabilities**: Define permissions that applications can act on when accessed over the tailnet.\r\n5. Review the JSON preview panel to understand the underlying grant syntax.\r\n6. Select **Save grant** to apply the rule.\r\n\r\n### [Edit a general access rule](https://tailscale.com/docs/reference/visual-editor\\#edit-a-general-access-rule)\r\n\r\nTo edit a general access rule using the [visual editor](https://tailscale.com/docs/features/visual-editor):\r\n\r\n1. Go to the [Access controls](https://login.tailscale.com/admin/acls) page of the admin console.\r\n2. Select the ![ellipsis icon](https://tailscale.com/files/images/icons/fa-ellipsis-h.svg) menu of the rule to edit, then select **Edit**.\r\n3. Update the rule fields and settings.\r\n4. Select **Save grant** to apply the updated rule.\r\n\r\n### [Delete a general access rule](https://tailscale.com/docs/reference/visual-editor\\#delete-a-general-access-rule)\r\n\r\nTo delete a general access rule using the [visual editor](https://tailscale.com/docs/features/visual-editor):\r\n\r\n1. Go to the [Access controls](https://login.tailscale.com/admin/acls) page of the admin console.\r\n2. Select the ![ellipsis icon](https://tailscale.com/files/images/icons/fa-ellipsis-h.svg) menu of the rule to edit.\r\n3. Select **Delete**.\r\n\r\nThere is no confirmation required, but you have a brief moment to undo the deletion.\r\n\r\n## [Tailscale SSH](https://tailscale.com/docs/reference/visual-editor\\#tailscale-ssh)\r\n\r\n![Tailscale SSH tab showing two SSH rules: first allows autogroup:member to access autogroup:self as autogroup:nonroot and root, second allows autogroup:member to access autogroup:self as sally, autogroup:nonroot, and root with 1m0s check mode.](https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Ftailscale-ssh.545e799c.png&w=3840&q=75)\r\n\r\n[Tailscale SSH rules](https://tailscale.com/docs/features/tailscale-ssh) control SSH access to devices in your tailnet. These rules work alongside general access rules to provide secure SSH connectivity without managing SSH keys. The SSH implementation leverages your existing identity provider for authentication, eliminating the traditional complexity of SSH key distribution and rotation.\r\n\r\nSSH rules extend basic network access with SSH-specific controls that enhance security and ease of management. Understanding these components helps you create SSH policies that balance security with usability.\r\n\r\nThe **Source** field identifies who can start SSH connections. These typically include users or groups from your identity provider. The **Destination** field specifies which devices accept SSH connections, often identified by tags like `tag:server` or `tag:bastion`.\r\n\r\nDestination [users](https://tailscale.com/docs/reference/syntax/policy-file#users) define which user accounts are accessible on the destination. You might specify `autogroup:nonroot` to prevent root access or use email-based matching to map identity provider users to local accounts. **Check mode** determines whether to require periodic re-authentication, adding an extra security layer for sensitive connections.\r\n\r\n### [Add an SSH rule](https://tailscale.com/docs/reference/visual-editor\\#add-an-ssh-rule)\r\n\r\nTo add a Tailscale SSH rule using the [visual editor](https://tailscale.com/docs/features/visual-editor):\r\n\r\n1. Go to the [Access controls](https://login.tailscale.com/admin/acls) page of the admin console.\r\n2. Select **Add rule** from the **Tailscale SSH** tab.\r\n3. Configure the SSH connection:\r\n1. **Source**: Select users or groups who can start SSH connections.\r\n2. **Destination**: Choose destination devices or tags.\r\n3. **As destination user**: Specify usernames on the host. Options include `autogroup:nonroot`, `root`, or matching local users with email.\r\n4. **Check mode**: Enable to require authentication checks before letting connections through. Recommended for user-initiated SSH connections.\r\n5. **Check period**: When check mode is enabled, specify the duration (for example, `12h`).\r\n6. (Optional) Use the **Note** field to document the purpose of the SSH rule.\r\n4. (Optional) Configure advanced options if needed:\r\n1. **Recorder**: Specify the recorder node tag to receive SSH session recordings. Leave empty to disable recordings.\r\n2. **Enforce recorder**: Require session recording for connections.\r\n3. **Device posture**: Apply device requirements for SSH access.\r\n5. Review the JSON preview and select **Save SSH rule**.\r\n\r\n#### [Check mode best practices](https://tailscale.com/docs/reference/visual-editor\\#check-mode-best-practices)\r\n\r\nEnable **Check mode** for rules that let humans start SSH connections. This adds an authentication layer that verifies user identity before granting access. The **Check period** determines how long connections remain authorized before requiring re-authentication. Setting appropriate **Check period** values balances security with user convenience.\r\n\r\nFor automated processes or service accounts, you might disable **Check mode** to prevent interruptions. However, these connections should have tightly scoped permissions and use [tag-based identities](https://tailscale.com/docs/features/tags) rather than personal credentials.\r\n\r\n### [Edit an SSH rule](https://tailscale.com/docs/reference/visual-editor\\#edit-an-ssh-rule)\r\n\r\n![Edit SSH rule form showing fields for source, destination, destination users, and check mode settings.](https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Ftailscale-ssh-edit.99acf768.png&w=3840&q=75)\r\n\r\nTo edit a Tailscale SSH rule using the [visual editor](https://tailscale.com/docs/features/visual-editor):\r\n\r\n1. Go to the [Access controls](https://login.tailscale.com/admin/acls) page of the admin console.\r\n2. Select the **Tailscale SSH** tab.\r\n3. Select the ![ellipsis icon](https://tailscale.com/files/images/icons/fa-ellipsis-h.svg) menu of the SSH rule to edit, then select **Edit**.\r\n4. Update the rule fields.\r\n5. (Optional) Expand **Advanced options** to update **Recorder**, **Enforce recorder**, or **Device posture** settings.\r\n6. Select **Save SSH rule** to apply the updated rule.\r\n\r\n### [Delete an SSH rule](https://tailscale.com/docs/reference/visual-editor\\#delete-an-ssh-rule)\r\n\r\nTo delete a Tailscale SSH rule using the [visual editor](https://tailscale.com/docs/features/visual-editor):\r\n\r\n1. Go to the [Access controls](https://login.tailscale.com/admin/acls) page of the admin console.\r\n2. Select the **Tailscale SSH** tab.\r\n3. Select the ![ellipsis icon](https://tailscale.com/files/images/icons/fa-ellipsis-h.svg) menu of the SSH rule to delete.\r\n4. Select **Delete**.\r\n\r\n## [Groups](https://tailscale.com/docs/reference/visual-editor\\#groups)\r\n\r\n![Groups tab displaying User-defined groups section (empty) and Autogroups section showing built-in groups like autogroup:member (2 users), autogroup:owner (1 user), autogroup:admin (2 users), and various role-based autogroups with 0 members.](https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Fgroups.e54632d5.png&w=3840&q=75)\r\n\r\n[Groups](https://tailscale.com/docs/reference/targets-and-selectors) organize users for simplified access control management. The **Groups** tab contains sections for user-defined groups, synced groups from identity providers, and built-in autogroups. Groups reduce policy complexity by letting you manage collections of users rather than individuals, making your policies more maintainable as your organization grows. For detailed information about group types and usage, refer to the [targets documentation](https://tailscale.com/docs/reference/targets-and-selectors).\r\n\r\n### [User-defined groups](https://tailscale.com/docs/reference/visual-editor\\#user-defined-groups)\r\n\r\nCreate and manage [custom user groups](https://tailscale.com/docs/reference/targets-and-selectors) to use in access control policies. Groups improve policy management by letting you reference collections of users rather than individuals. This abstraction makes policies more readable and reduces the maintenance burden when team membership changes.\r\n\r\nChanges to group membership immediately affect all policies referencing that group.\r\n\r\n### [Add a user-defined group](https://tailscale.com/docs/reference/visual-editor\\#add-a-user-defined-group)\r\n\r\n![Create group form with fields for group name and members selection.](https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Fgroups-add.96e3ae82.png&w=3840&q=75)\r\n\r\nTo add a user-defined group using the [visual editor](https://tailscale.com/docs/features/visual-editor):\r\n\r\n1. Go to the [Access controls](https://login.tailscale.com/admin/acls) page of the admin console.\r\n2. Select **Create group** from the **Groups** tab.\r\n3. Configure the group settings:\r\n1. **Group name**: Enter a descriptive name (such as \"dev\" or \"design\").\r\n2. **Members**: Search and select users by name or email address.\r\n3. (Optional) Use the **Note** field to document the group's purpose.\r\n4. View the members table to confirm selections.\r\n5. Select **Save group** to create the group.\r\n\r\n### [Edit a user-defined group](https://tailscale.com/docs/reference/visual-editor\\#edit-a-user-defined-group)\r\n\r\nTo edit a user-defined group using the [visual editor](https://tailscale.com/docs/features/visual-editor):\r\n\r\n1. Go to the [Access controls](https://login.tailscale.com/admin/acls) page of the admin console.\r\n2. Select the **Groups** tab.\r\n3. In the **User-defined groups** section, select the ![ellipsis icon](https://tailscale.com/files/images/icons/fa-ellipsis-h.svg) menu of the group to edit, then select **Edit**.\r\n4. Update the group name, members, or note.\r\n5. Select **Save group** to apply the updated group configuration.\r\n\r\n### [Delete a user-defined group](https://tailscale.com/docs/reference/visual-editor\\#delete-a-user-defined-group)\r\n\r\nTo delete a user-defined group using the [visual editor](https://tailscale.com/docs/features/visual-editor):\r\n\r\n1. Go to the [Access controls](https://login.tailscale.com/admin/acls) page of the admin console.\r\n2. Select the **Groups** tab.\r\n3. In the **User-defined** groups section, select the ![ellipsis icon](https://tailscale.com/files/images/icons/fa-ellipsis-h.svg) menu of the group to delete.\r\n4. Select **Delete**.\r\n\r\n### [Synced groups](https://tailscale.com/docs/reference/visual-editor\\#synced-groups)\r\n\r\n[Synced groups](https://tailscale.com/docs/reference/syntax/policy-file#synced-groups) automatically populate from your identity provider through SCIM integration. These groups are read-only in the visual editor. Membership changes must occur in your identity provider and syncs to Tailscale automatically. This integration ensures that your tailnet access control aligns with your organization's identity management processes. You can configure synced groups with your identity provider, including [Google SSO integration](https://tailscale.com/docs/integrations/google-sync).\r\n\r\nThe synchronization typically occurs within minutes of changes in your identity provider. You can reference synced groups in policies using the `group:` prefix followed by the group name from your identity provider.\r\n\r\n### [Autogroups](https://tailscale.com/docs/reference/visual-editor\\#autogroups)\r\n\r\nTailscale offers built-in, dynamically generated groups called [autogroups](https://tailscale.com/docs/reference/targets-and-selectors#autogroups). These groups automatically include users with specific roles or properties. Autogroups remove the need to manually maintain groups for role-based access control.\r\n\r\n## [Tags](https://tailscale.com/docs/reference/visual-editor\\#tags)\r\n\r\n![Tags tab showing two defined tags: tag:example owned by autogroup:admin, and tag:mytag owned by autogroup:admin and ostrich.zebra@example.com.](https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Ftags.f874acf3.png&w=3840&q=75)\r\n\r\n[Tags](https://tailscale.com/docs/features/tags) organize non-user devices like servers into functional groups for use in access control policies. Tags let you group devices by function, environment, or any other logical categorization. Unlike user-based groups, tags apply to devices and persist across authentication sessions.\r\n\r\nThe tags table displays all defined tags with their owners. You can use the search field above the table to filter the results by tag name or owner.\r\n\r\nBy default [Owners, Admins, and Network admins](https://tailscale.com/docs/reference/user-roles) are tag owners for all tags.properties.\r\n\r\n### [Add a tag](https://tailscale.com/docs/reference/visual-editor\\#add-a-tag)\r\n\r\n![Create tag form with fields for tag name and tag owners selection.](https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Ftags-add.046faa4b.png&w=1080&q=75)\r\n\r\nTo add a tag using the [visual editor](https://tailscale.com/docs/features/visual-editor):\r\n\r\n1. Go to the [Access controls](https://login.tailscale.com/admin/acls) page of the admin console.\r\n2. Select **Create tag** from the **Tags** tab.\r\n3. Configure the tag settings:\r\n1. **Tag name**: Enter a name without the \"tag:\" prefix (for example, \"prod\", \"server\").\r\n2. **Tag owner**: Select users or groups who can apply this tag (if none specified, implicitly owned by owners, admins, and network admins).\r\n3. (Optional) Use the **Note** field to document the tag's purpose.\r\n4. Select **Save tag** to create the tag.\r\n\r\n### [Edit a tag](https://tailscale.com/docs/reference/visual-editor\\#edit-a-tag)\r\n\r\n![Edit tag form showing fields for modifying tag name and owners.](https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Ftags-edit.ea2a8518.png&w=1080&q=75)\r\n\r\nTo edit a tag using the [visual editor](https://tailscale.com/docs/features/visual-editor):\r\n\r\n1. Go to the [Access controls](https://login.tailscale.com/admin/acls) page of the admin console.\r\n2. Select the **Tags** tab.\r\n3. Select the ![ellipsis icon](https://tailscale.com/files/images/icons/fa-ellipsis-h.svg) menu of the tag to edit, then select **Edit**.\r\n4. Update the tag settings.\r\n5. Select **Save tag** to apply the updated tag configuration.\r\n\r\n### [Delete a tag](https://tailscale.com/docs/reference/visual-editor\\#delete-a-tag)\r\n\r\nTo delete a tag using the [visual editor](https://tailscale.com/docs/features/visual-editor):\r\n\r\n1. Go to the [Access controls](https://login.tailscale.com/admin/acls) page of the admin console.\r\n2. Select the **Tags** tab.\r\n3. Select the ![ellipsis icon](https://tailscale.com/files/images/icons/fa-ellipsis-h.svg) menu of the tag to delete.\r\n4. Select **Delete**.\r\n\r\nDeleting a tag removes it from all devices, potentially affecting access control rules that reference it.\r\n\r\n## [IP sets](https://tailscale.com/docs/reference/visual-editor\\#ip-sets)\r\n\r\n![IP sets tab displaying ipset:databases with three IP addresses added: 100.100.106.101, 100.100.106.103, and 100.100.106.104.](https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Fip-sets.1f7cbbd7.png&w=3840&q=75)\r\n\r\n[IP sets](https://tailscale.com/docs/features/tailnet-policy-file/ip-sets) are collections of IP addresses, hosts, and subnets to use in access control policies. They improve policy management by letting you reference groups of network addresses with a single identifier. IP sets support composition, letting you build complex network definitions from simpler components.\r\n\r\nIP sets support composition through **Add** and **Remove** operations. Start with broad inclusions using **Add**, then refine the set using **Remove** to exclude specific ranges. This approach lets you create flexible network segmentation without duplicating IP definitions.\r\n\r\nFor example, you might add `10.0.0.0/8` to include your entire private network, then remove `10.0.1.0/24` to exclude a specific subnet. This composition model helps maintain complex policies as your infrastructure evolves.\r\n\r\n### [Add an IP set](https://tailscale.com/docs/reference/visual-editor\\#add-an-ip-set)\r\n\r\n![Create IP set form with fields for name and targets to add or remove from the set.](https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Fip-sets-add.d86670f8.png&w=1080&q=75)\r\n\r\nTo add an IP set using the [visual editor](https://tailscale.com/docs/features/visual-editor):\r\n\r\n1. Go to the [Access controls](https://login.tailscale.com/admin/acls) page of the admin console.\r\n2. Select **Create IP set** from the **IP sets** tab.\r\n3. Configure the IP set:\r\n4. **Name**: Enter a descriptive name for the IP set.\r\n5. (Optional) Use the **Note** field to document the set's purpose.\r\n6. (Optional) Configure targets in the **TARGETS** section:\r\n1. Select **Add** or **Remove** from the dropdown list.\r\n2. Enter CIDRs, IP addresses, hosts, or other IP sets.\r\n3. Select **X** to remove target rows.\r\n4. Select the plus icon to add more rows.\r\n7. Select **Save IP set** to create the IP set.\r\n\r\n### [Edit an IP set](https://tailscale.com/docs/reference/visual-editor\\#edit-an-ip-set)\r\n\r\nTo edit an IP set using the [visual editor](https://tailscale.com/docs/features/visual-editor):\r\n\r\n1. Go to the [Access controls](https://login.tailscale.com/admin/acls) page of the admin console.\r\n2. Select the **IP sets** tab.\r\n3. Select the ![ellipsis icon](https://tailscale.com/files/images/icons/fa-ellipsis-h.svg) menu of the IP set to edit, then select **Edit**.\r\n4. Update the IP set configuration.\r\n5. Select **Save IP set** to apply the updated IP set configuration.\r\n\r\n### [Delete an IP set](https://tailscale.com/docs/reference/visual-editor\\#delete-an-ip-set)\r\n\r\nTo delete an IP set using the [visual editor](https://tailscale.com/docs/features/visual-editor):\r\n\r\n1. Go to the [Access controls](https://login.tailscale.com/admin/acls) page of the admin console.\r\n2. Select the **IP sets** tab.\r\n3. Select the ![ellipsis icon](https://tailscale.com/files/images/icons/fa-ellipsis-h.svg) menu of the IP set to delete.\r\n4. Select **Delete**.\r\n\r\n## [Hosts](https://tailscale.com/docs/reference/visual-editor\\#hosts)\r\n\r\n![Hosts tab showing one host definition: 'ahost' mapped to IP address 100.100.100.105.](https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Fhosts.e8dd63cb.png&w=3840&q=75)\r\n\r\n[Hosts](https://tailscale.com/docs/reference/syntax/policy-file#hosts) create friendly names for IP addresses and CIDR ranges. This improves policy readability by replacing numeric addresses with meaningful identifiers. Instead of remembering that `192.168.1.100` is your database server, you can reference it as `database-primary` throughout your policies.\r\n\r\nYou can use host definitions in access rules, IP sets, and other policy components that accept IP addresses. The hosts table displays all defined hosts with their associated IP addresses for quick reference. Host names make your policies self-documenting and reduce errors from mistyped IP addresses.\r\n\r\n### [Add a host](https://tailscale.com/docs/reference/visual-editor\\#add-a-host)\r\n\r\n![Create host form with fields for host name and IP address or CIDR range.](https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Fhosts-add.ff04f4cf.png&w=1080&q=75)\r\n\r\nTo add a host using the [visual editor](https://tailscale.com/docs/features/visual-editor):\r\n\r\n1. Go to the [Access controls](https://login.tailscale.com/admin/acls) page of the admin console.\r\n2. Select **Create host** from the **Hosts** tab.\r\n3. Configure the host settings:\r\n1. **Host name**: Enter a descriptive name for the host.\r\n2. **IP address**: Enter an IP address or CIDR range.\r\n3. (Optional) Use the **Note** field to document the host's purpose.\r\n4. Select **Save host** to create the host entry.\r\n\r\n### [Edit a host](https://tailscale.com/docs/reference/visual-editor\\#edit-a-host)\r\n\r\n![Edit host form showing fields for modifying host name and IP address.](https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Fhosts-edit.df464310.png&w=1080&q=75)\r\n\r\nTo edit a host using the [visual editor](https://tailscale.com/docs/features/visual-editor):\r\n\r\n1. Go to the [Access controls](https://login.tailscale.com/admin/acls) page of the admin console.\r\n2. Select the **Hosts** tab.\r\n3. Select the ![ellipsis icon](https://tailscale.com/files/images/icons/fa-ellipsis-h.svg) menu of the host to edit, then select **Edit**.\r\n4. Update the host name, IP address, or note.\r\n5. Select **Save host** to apply the updated host configuration.\r\n\r\n### [Delete a host](https://tailscale.com/docs/reference/visual-editor\\#delete-a-host)\r\n\r\nTo delete a host using the [visual editor](https://tailscale.com/docs/features/visual-editor):\r\n\r\n1. Go to the [Access controls](https://login.tailscale.com/admin/acls) page of the admin console.\r\n2. Select the **Hosts** tab.\r\n3. Select the ![ellipsis icon](https://tailscale.com/files/images/icons/fa-ellipsis-h.svg) menu of the host to delete.\r\n4. Select **Delete**.\r\n\r\n## [Node attributes](https://tailscale.com/docs/reference/visual-editor\\#node-attributes)\r\n\r\n![Node attributes tab showing one attribute rule applying drive:share capability to all users and devices.](https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Fnode-attributes.5cbdad3b.png&w=3840&q=75)\r\n\r\n[Node attributes](https://tailscale.com/docs/reference/syntax/policy-file#nodeattrs) are device attributes and settings that you can use do things like control feature availability and device behavior across your tailnet. For example, you can use an attribute to enable [Tailscale Funnel](https://tailscale.com/docs/features/tailscale-funnel) or configure specialized behaviors without modifying individual device configurations.\r\n\r\nNode attributes commonly enable features that extend device capabilities. Understanding these common patterns helps you implement similar configurations for your specific needs.\r\n\r\nThe `funnel` attribute lets devices use [Tailscale Funnel](https://tailscale.com/docs/features/tailscale-funnel) for public access. The `mullvad` attribute grants access to [Mullvad exit nodes](https://tailscale.com/docs/features/exit-nodes/mullvad-exit-nodes) for enhanced privacy. The `drive:share` and `drive:access` attributes enable [Taildrive](https://tailscale.com/docs/features/taildrive) file sharing capabilities. The `disable-ipv4` attribute disables IPv4 addressing for IPv6-only deployments.\r\n\r\nEach attribute applies immediately to matching devices without requiring device reconfiguration or restart.\r\n\r\n### [Add a node attribute](https://tailscale.com/docs/reference/visual-editor\\#add-a-node-attribute)\r\n\r\n![Add node attribute form with fields for selecting targets and defining attributes or capabilities.](https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Fnode-attribute-add.87801540.png&w=3840&q=75)\r\n\r\nTo add a node attribute using the [visual editor](https://tailscale.com/docs/features/visual-editor):\r\n\r\n1. Go to the [Access controls](https://login.tailscale.com/admin/acls) page of the admin console.\r\n2. Select **Add node attribute** from the **Node attributes** tab.\r\n3. Configure the basic settings:\r\n   - **Targets**: Select devices, tags, users, or groups.\r\n   - (Optional) Use the **Note** field to document the attribute's purpose.\r\n   - **Attributes**: Select attributes to apply (for example, \"funnel\").\r\n   - (Optional) **IP Pools**: Enter CIDRs if the attribute requires IP assignments.\r\n4. (Optional) Configure application capabilities:\r\n1. **App**: Enter the domain identifier.\r\n2. **Capability**: Enter capability configuration in JSON format.\r\n3. Select **Add additional capability** for multiple capabilities per app.\r\n4. Select **Add another app** for multiple applications.\r\n5. Review the JSON preview panel.\r\n6. Select **Save node attribute** to apply the configuration.\r\n\r\n### [Edit a node attribute](https://tailscale.com/docs/reference/visual-editor\\#edit-a-node-attribute)\r\n\r\n![Edit node attribute form showing fields for modifying targets and attributes.](https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Fnode-attributes-edit.72cbd386.png&w=3840&q=75)\r\n\r\nTo edit a node attribute using the [visual editor](https://tailscale.com/docs/features/visual-editor):\r\n\r\n1. Go to the [Access controls](https://login.tailscale.com/admin/acls) page of the admin console.\r\n2. Select the **Node attributes** tab.\r\n3. Select the ![ellipsis icon](https://tailscale.com/files/images/icons/fa-ellipsis-h.svg) menu of the node attribute to edit, then select **Edit**.\r\n4. Update the targets, attributes, IP pools, or app capabilities.\r\n5. Select **Save node attribute** to apply the updated configuration.\r\n\r\n### [Delete a node attribute](https://tailscale.com/docs/reference/visual-editor\\#delete-a-node-attribute)\r\n\r\nTo delete a node attribute using the [visual editor](https://tailscale.com/docs/features/visual-editor):\r\n\r\n1. Go to the [Access controls](https://login.tailscale.com/admin/acls) page of the admin console.\r\n2. Select the **Node attributes** tab.\r\n3. Select the ![ellipsis icon](https://tailscale.com/files/images/icons/fa-ellipsis-h.svg) menu of the node attribute to delete.\r\n4. Select **Delete**.\r\n\r\n## [Device posture](https://tailscale.com/docs/reference/visual-editor\\#device-posture)\r\n\r\n![Device posture tab displaying posture:recent_windows rule requiring node:os == windows and node:osVersion >= 11.](https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Fdevice-posture.efd56960.png&w=3840&q=75)\r\n\r\n[Device posture](https://tailscale.com/docs/features/device-posture) rules define the requirements a device must meet for access control policies to prevent non-compliant devices from accessing sensitive resources. Posture rules can check for conditions like OS version, disk encryption status, and the presence of specific security software. You can create custom posture checks to enforce your organization's security policies.\r\n\r\nPosture checks run continuously, revoking access if devices fall out of compliance.\r\n\r\nYou can reference posture rules in the `srcPosture` field of access rules to enforce device compliance. Devices must meet all specified posture requirements to establish connections. Update posture definitions as security requirements evolve.\r\n\r\nPosture enforcement happens at connection time and periodically during active connections. If a device falls out of compliance, existing connections end and new connections fail until the device meets requirements again.\r\n\r\n### [Add a posture rule](https://tailscale.com/docs/reference/visual-editor\\#add-a-posture-rule)\r\n\r\n![Add device posture rule form with fields for rule name and device attribute conditions.](https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Fdevice-posture-add.744732a5.png&w=1080&q=75)\r\n\r\nTo add a device posture rule using the [visual editor](https://tailscale.com/docs/features/visual-editor):\r\n\r\n1. Go to the [Access controls](https://login.tailscale.com/admin/acls) page of the admin console.\r\n2. Select **Add device posture** from the **Device posture** tab.\r\n3. Configure the posture rule:\r\n4. **Name**: Enter a name for the device posture rule.\r\n5. (Optional) Use the **Note** field to document the requirements.\r\n6. Configure posture assertions:\r\n1. Select **Posture assertion** to expand options.\r\n2. Choose from **HOST INFO** attributes (`node:os`, `node:osVersion`, `node:tsAutoUpdate`, `node:tsReleaseTrack`, `node:tsStateEncrypted`, `node:tsVersion`).\r\n3. Configure comparison operators and values.\r\n7. Select **Save device posture** to create the rule.\r\n\r\nFor integration with enterprise device management systems, refer to the documentation for [Intune](https://tailscale.com/docs/integrations/mdm/intune), [Jamf Pro](https://tailscale.com/docs/integrations/jamf-pro), [Iru](https://tailscale.com/docs/integrations/iru) (formerly Kandji), [1Password XAM (Kolide)](https://tailscale.com/docs/integrations/kolide), and [SentinelOne](https://tailscale.com/docs/integrations/sentinelone).\r\n\r\n### [Edit a device posture rule](https://tailscale.com/docs/reference/visual-editor\\#edit-a-device-posture-rule)\r\n\r\n![Edit device posture rule form showing fields for modifying posture requirements and conditions.](https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Fdevice-posture-edit.2744b47b.png&w=3840&q=75)\r\n\r\nTo edit a device posture rule using the [visual editor](https://tailscale.com/docs/features/visual-editor):\r\n\r\n1. Go to the [Access controls](https://login.tailscale.com/admin/acls) page of the admin console.\r\n2. Select the **Device posture** tab.\r\n3. Select the ![ellipsis icon](https://tailscale.com/files/images/icons/fa-ellipsis-h.svg) menu of the device posture rule to edit, then select **Edit**.\r\n4. Update the name, posture assertions, or note.\r\n5. Select **Save device posture** to apply the updated rule.\r\n\r\n### [Delete device posture rules](https://tailscale.com/docs/reference/visual-editor\\#delete-device-posture-rules)\r\n\r\nTo delete a device posture rule using the [visual editor](https://tailscale.com/docs/features/visual-editor):\r\n\r\n1. Go to the [Access controls](https://login.tailscale.com/admin/acls) page of the admin console.\r\n2. Select the **Device posture** tab.\r\n3. Select the ![ellipsis icon](https://tailscale.com/files/images/icons/fa-ellipsis-h.svg) menu of the device posture rule to delete.\r\n4. Select **Delete**.\r\n\r\n## [Auto approvers](https://tailscale.com/docs/reference/visual-editor\\#auto-approvers)\r\n\r\n![Auto approvers tab with Routes section showing 100.100.106.0/24 auto-approved for tag:mytag, and Exit nodes section showing tag:example as an auto-approved exit node.](https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Fauto-approvers.f63dedcb.png&w=3840&q=75)\r\n\r\n[Auto approvers](https://tailscale.com/docs/reference/syntax/policy-file#autoapprovers) are policies that let you automatically approve specific operations, such as advertising subnet routes or exit nodes, without manual intervention.\r\n\r\n### [Routes](https://tailscale.com/docs/reference/visual-editor\\#routes)\r\n\r\nAutomatically approve [subnet route](https://tailscale.com/docs/features/subnet-routers) advertisements from users, groups, and tags. This removes manual approval for subnet routers. Route auto approval lets you scale without administrative bottlenecks.\r\n\r\n### [Add a route auto approver](https://tailscale.com/docs/reference/visual-editor\\#add-a-route-auto-approver)\r\n\r\n![Add route auto approver form with fields for route CIDR and approvers selection.](https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Fauto-approvers-route-add.39c95d25.png&w=1080&q=75)\r\n\r\nTo add a route auto approver using the [visual editor](https://tailscale.com/docs/features/visual-editor):\r\n\r\n1. Go to the [Access controls](https://login.tailscale.com/admin/acls) page of the admin console.\r\n2. Select **Add route** from the **Routes** section of the **Auto approvers** tab.\r\n3. Configure the auto approver:\r\n1. **Route**: Enter the route to auto approve (for example, `192.0.2.0/24`).\r\n2. **Route is auto approved for**: Select users, groups, or tags.\r\n3. (Optional) Use the **Note** field to document the approval rationale.\r\n4. Select **Save route auto approver** to create the rule.\r\n\r\n### [Edit a route auto approver](https://tailscale.com/docs/reference/visual-editor\\#edit-a-route-auto-approver)\r\n\r\nTo edit a subnet route auto approver using the [visual editor](https://tailscale.com/docs/features/visual-editor):\r\n\r\n1. Go to the [Access controls](https://login.tailscale.com/admin/acls) page of the admin console.\r\n2. Select the **Auto approvers** tab.\r\n3. In the **Routes** section, select the ![ellipsis icon](https://tailscale.com/files/images/icons/fa-ellipsis-h.svg) menu of the subnet route approval to edit, then select **Edit**.\r\n4. Update the route fields.\r\n5. Select **Save route auto approver** to apply the updated configuration.\r\n\r\n### [Delete a route auto approver](https://tailscale.com/docs/reference/visual-editor\\#delete-a-route-auto-approver)\r\n\r\nTo delete a subnet route auto approver using the [visual editor](https://tailscale.com/docs/features/visual-editor):\r\n\r\n1. Go to the [Access controls](https://login.tailscale.com/admin/acls) page of the admin console.\r\n2. Select the **Auto approvers** tab.\r\n3. In the **Routes** section, select the ![ellipsis icon](https://tailscale.com/files/images/icons/fa-ellipsis-h.svg) menu of the subnet route approval to delete.\r\n4. Select **Delete**.\r\n\r\n### [Exit nodes](https://tailscale.com/docs/reference/visual-editor\\#exit-nodes)\r\n\r\nAutomatically approve users, groups, and tags as [exit nodes](https://tailscale.com/docs/features/exit-nodes). This lets designated devices route internet traffic without manual approval. Exit node auto approval supports use cases like regional exit nodes or dedicated privacy infrastructure.\r\n\r\n### [Add an exit node auto approver](https://tailscale.com/docs/reference/visual-editor\\#add-an-exit-node-auto-approver)\r\n\r\n![Add exit node auto approver form with field for selecting users, groups, or tags as exit node approvers.](https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Fauto-approvers-exit-nodes-add.a4a0ebf8.png&w=1080&q=75)\r\n\r\nTo add an exit node auto approver using the [visual editor](https://tailscale.com/docs/features/visual-editor):\r\n\r\n1. Go to the [Access controls](https://login.tailscale.com/admin/acls) page of the admin console.\r\n2. Select **Add exit node** from the **Exit nodes** section of the **Auto approvers** tab.\r\n3. Configure the auto approver by selecting users, groups, or tags to be automatically approved as exit nodes.\r\n4. Select **Save exit node** to create the auto approval rule.\r\n\r\n### [Edit an exit node auto approver](https://tailscale.com/docs/reference/visual-editor\\#edit-an-exit-node-auto-approver)\r\n\r\nTo edit an exit node auto approver using the [visual editor](https://tailscale.com/docs/features/visual-editor):\r\n\r\n1. Go to the [Access controls](https://login.tailscale.com/admin/acls) page of the admin console.\r\n2. Select the **Auto approvers** tab.\r\n3. In the **Exit nodes** section, select the ![ellipsis icon](https://tailscale.com/files/images/icons/fa-ellipsis-h.svg) menu of the exit node to edit, then select **Edit**.\r\n4. Update the users, groups, or tags that are automatically approved as exit nodes.\r\n5. Select **Save exit node** to apply the updated configuration.\r\n\r\n### [Delete an exit node auto approver](https://tailscale.com/docs/reference/visual-editor\\#delete-an-exit-node-auto-approver)\r\n\r\nTo delete an exit node auto approver using the [visual editor](https://tailscale.com/docs/features/visual-editor):\r\n\r\n1. Go to the [Access controls](https://login.tailscale.com/admin/acls) page of the admin console.\r\n2. Select the **Auto approvers** tab.\r\n3. In the **Exit nodes** section, select the ![ellipsis icon](https://tailscale.com/files/images/icons/fa-ellipsis-h.svg) menu of the exit node to delete.\r\n4. Select **Delete**.\r\n\r\n## [Tests](https://tailscale.com/docs/reference/visual-editor\\#tests)\r\n\r\n![Tests tab with General tests section showing one test for alice@example.com with node:os macos accessing tag:example:80 with tcp or udp protocol, and SSH tests section showing crocus.cat@example.com can access 100.121.20.49 as root user.](https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Ftests.dbc3484d.png&w=3840&q=75)\r\n\r\nFor an overview of tests and how they work in the visual policy editor, refer to the [tests section](https://tailscale.com/docs/features/visual-editor#tests) in the visual policy editor documentation. This reference documents the UI controls and procedures for managing tests.\r\n\r\nThe **Tests** tab contains sections for general access tests and SSH-specific tests. Tests act as regression protection, ensuring that policy modifications don't accidentally break existing access patterns.\r\n\r\n### [General tests](https://tailscale.com/docs/reference/visual-editor\\#general-tests)\r\n\r\nCreate validation tests that access control changes must pass before saving. These tests ensure policy modifications don't accidentally revoke important permissions or expose critical systems. Well-designed tests catch configuration errors before they affect production access.\r\n\r\n### [Add a general test](https://tailscale.com/docs/reference/visual-editor\\#add-a-general-test)\r\n\r\n![Add general test form with fields for source, posture attribute, accepted destinations, denied destinations, and protocol selection.](https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Ftests-general-add.ab075441.png&w=3840&q=75)\r\n\r\nTo add a general test using the [visual editor](https://tailscale.com/docs/features/visual-editor):\r\n\r\n1. Go to the [Access controls](https://login.tailscale.com/admin/acls) page of the admin console.\r\n2. Select **Add test** in the **General tests** section.\r\n3. Configure test parameters:\r\n   - **Source**: Specify the test source identity.\r\n   - **Source device posture attributes**: Add device conditions if posture rules apply.\r\n   - **Accept**: List destinations that should be accessible.\r\n   - **Deny**: List destinations that should be blocked.\r\n   - **Protocol**: Select the protocol to test.\r\n   - (Optional) Use the **Note** field to document the test's purpose.\r\n4. Review the JSON preview and select **Save test**.\r\n\r\n### [Edit a general test](https://tailscale.com/docs/reference/visual-editor\\#edit-a-general-test)\r\n\r\n![Edit general test form showing fields for modifying test conditions and assertions.](https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Ftests-general-edit.0bccc674.png&w=3840&q=75)\r\n\r\nTo edit a general test using the [visual editor](https://tailscale.com/docs/features/visual-editor):\r\n\r\n1. Go to the [Access controls](https://login.tailscale.com/admin/acls) page of the admin console.\r\n2. Select the **Tests** tab.\r\n3. In the **General tests** section, select the ![ellipsis icon](https://tailscale.com/files/images/icons/fa-ellipsis-h.svg) menu of the test to edit, then select **Edit**.\r\n4. Update the test parameters.\r\n5. Select **Save test** to apply the updated test.\r\n\r\n### [Delete a general test](https://tailscale.com/docs/reference/visual-editor\\#delete-a-general-test)\r\n\r\nTo delete a general test using the [visual editor](https://tailscale.com/docs/features/visual-editor):\r\n\r\n1. Go to the [Access controls](https://login.tailscale.com/admin/acls) page of the admin console.\r\n2. Select the **Tests** tab.\r\n3. In the **General tests** section, select the ![ellipsis icon](https://tailscale.com/files/images/icons/fa-ellipsis-h.svg) menu of the test.\r\n4. Select **Delete**.\r\n\r\n### [SSH tests](https://tailscale.com/docs/reference/visual-editor\\#ssh-tests)\r\n\r\n[SSH tests](https://tailscale.com/docs/reference/syntax/policy-file#sshtests) let you write validation tests that Tailscale SSH policy changes must pass before you can save them. These tests verify SSH access rules work as intended. SSH tests validate both access permissions and authentication requirements. Tests run automatically when you save policy changes. Failed tests prevent the policy from saving and display error messages indicating which assertions failed.\r\n\r\n#### [Add a SSH test](https://tailscale.com/docs/reference/visual-editor\\#add-a-ssh-test)\r\n\r\n![Add SSH test form with fields for source, destination, accepted users, checked users, and denied destinations.](https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Ftests-ssh-add.294645ec.png&w=3840&q=75)\r\n\r\nTo add an SSH test using the [visual editor](https://tailscale.com/docs/features/visual-editor):\r\n\r\n1. Go to the [Access controls](https://login.tailscale.com/admin/acls) page of the admin console.\r\n2. Select **Add SSH test** from the **SSH tests** section of the **Tests** tab.\r\n3. Configure the SSH test parameters:\r\n1. **Source**: Specify the SSH connection source.\r\n2. **Destination**: Define the SSH target.\r\n3. **Accept**: Select users that should be allowed (options: autogroup:nonroot, root, Match local user with email).\r\n4. **Check**: Select users requiring check mode.\r\n5. **Deny**: Select users that should be denied.\r\n6. (Optional) Use the **Note** field to document the test scenario.\r\n4. Select **Save SSH test** to create the test.\r\n\r\n### [Edit a SSH test](https://tailscale.com/docs/reference/visual-editor\\#edit-a-ssh-test)\r\n\r\nTo edit an SSH test using the [visual editor](https://tailscale.com/docs/features/visual-editor):\r\n\r\n1. Go to the [Access controls](https://login.tailscale.com/admin/acls) page of the admin console.\r\n2. Select the **Tests** tab.\r\n3. In the **SSH tests** section, select the ![ellipsis icon](https://tailscale.com/files/images/icons/fa-ellipsis-h.svg) menu of the test to edit, then select **Edit**.\r\n4. Update the test parameters (Source, Destination, Accept, Check, Deny, and Note fields).\r\n5. Select **Save SSH test** to apply the updated test.\r\n\r\n### [Delete a SSH test](https://tailscale.com/docs/reference/visual-editor\\#delete-a-ssh-test)\r\n\r\nTo delete an SSH test using the [visual editor](https://tailscale.com/docs/features/visual-editor):\r\n\r\n1. Go to the [Access controls](https://login.tailscale.com/admin/acls) page of the admin console.\r\n2. Select the **Tests** tab.\r\n3. In the **SSH tests** section, select the ![ellipsis icon](https://tailscale.com/files/images/icons/fa-ellipsis-h.svg) menu of the test to delete.\r\n4. Select **Delete**.\r\n\r\n![Project Logo](https://cdn.brandfetch.io/tailscale.com/fallback/lettermark/theme/dark/h/256/w/256/icon?c=1bfwsmEH20zzEfSNTed)\r\n\r\nAsk AI\r\n\r\nreCAPTCHA\r\n\r\nRecaptcha requires verification.\r\n\r\nprotected by **reCAPTCHA**\r\n","html":"<h1>Visual policy editor reference</h1>\n<p>Last validated: Dec 2, 2025</p>\n<p>The <a href=\"https://tailscale.com/docs/features/visual-editor\">Tailscale visual policy editor</a> gives you an interactive graphical interface for managing access control policies in a Tailscale network (known as a tailnet). This reference documents all interface elements, forms, controls, and their associated help information to help you effectively use the visual editor. For a comprehensive understanding of the underlying policy syntax, refer to <a href=\"https://tailscale.com/docs/reference/syntax/policy-file\">Tailscale's policy syntax documentation</a>.</p>\n<p>Refer to the <a href=\"https://tailscale.com/docs/reference/targets-and-selectors\">targets documentation</a> for detailed information about available targets for sources, destinations, and other fields.</p>\n<h2><a href=\"https://tailscale.com/docs/reference/visual-editor#general-access-rules\">General access rules</a></h2>\n<p><img src=\"https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Fgeneral-rules.d8086c09.png&#x26;w=3840&#x26;q=75\" alt=\"General access rules tab with two rules: first allows all users and devices to access all destinations on all ports, second restricts tag:unraid access on all ports.\"></p>\n<p>General access rules control network-level and application-level access between devices in your tailnet using <a href=\"https://tailscale.com/docs/features/access-control/grants\">grants syntax</a>. These rules determine which sources can connect to which destinations on specified ports and protocols. The visual editor translates these rules into the underlying grant structure in your tailnet policy file.</p>\n<p>The visual editor uses grants syntax on the backend. This means that if you create an access control policy using the ACL syntax in the JSON editor, it automatically converts to grants syntax when you edit the policy using the visual editor. Grants syntax supports all the same capabilities as ACL syntax with additional features like <a href=\"https://tailscale.com/docs/features/access-control/grants/grants-via\">route filtering</a> and <a href=\"https://tailscale.com/docs/features/access-control/grants/grants-app-capabilities\">app capabilities</a>. Refer to <a href=\"https://tailscale.com/docs/reference/grants-vs-acls\">grants versus ACLs</a> for more information.</p>\n<p>Each general access rule uses grants syntax, which consists of three main components: sources, destinations, and network restrictions. Grants also support additional components like the <code>via</code> field and app capabilities for more advanced access control scenarios. For a complete overview of grants syntax, refer to the <a href=\"https://tailscale.com/docs/reference/syntax/grants\">grants syntax reference</a>.</p>\n<p>The rules table displays all configured access rules with their sources, destinations, and network restrictions. The <img src=\"https://tailscale.com/files/images/icons/fa-ellipsis-h.svg\" alt=\"ellipsis icon\"> menu for each rule lets you edit and delete operations. For examples of common access patterns, refer to the <a href=\"https://tailscale.com/docs/reference/examples/grants\">grant examples</a>.</p>\n<h3><a href=\"https://tailscale.com/docs/reference/visual-editor#add-a-general-access-rule\">Add a general access rule</a></h3>\n<p><img src=\"https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Fgeneral-rules-add.92ec3351.png&#x26;w=3840&#x26;q=75\" alt=\"Add general access rule form with fields for source, destination, and network restrictions (ports and protocols).\"></p>\n<p>To add a general access rule using the <a href=\"https://tailscale.com/docs/features/visual-editor\">visual editor</a>:</p>\n<ol>\n<li>Go to the <a href=\"https://login.tailscale.com/admin/acls\">Access controls</a> page of the admin console.</li>\n<li>Select <strong>Add rule</strong> from the <strong>General access rules</strong> tab.</li>\n<li>Configure the basic fields:</li>\n<li><strong>Source</strong>: Define who can connect. Select users, groups, devices, or tags that start connections.</li>\n<li><strong>Destination</strong>: Define what the source can connect to. Select the devices, services, or resources that receive connections.</li>\n<li><strong>Port and protocol</strong>: Choose specific ports and protocols or select <strong>All ports and protocols</strong>.</li>\n<li>(Optional) Use the <strong>Note</strong> field to document your rationale for the rule.</li>\n<li>(Optional) Expand <strong>Advanced options</strong> to configure additional settings:</li>\n<li><strong>Device posture</strong>: Specify device posture rules that must be true to let these connections through.</li>\n<li><strong>Via</strong>: Specify exit nodes, subnet routers, or app connectors that should route the source to the destination.</li>\n<li><strong>App capabilities</strong>: Define permissions that applications can act on when accessed over the tailnet.</li>\n<li>Review the JSON preview panel to understand the underlying grant syntax.</li>\n<li>Select <strong>Save grant</strong> to apply the rule.</li>\n</ol>\n<h3><a href=\"https://tailscale.com/docs/reference/visual-editor#edit-a-general-access-rule\">Edit a general access rule</a></h3>\n<p>To edit a general access rule using the <a href=\"https://tailscale.com/docs/features/visual-editor\">visual editor</a>:</p>\n<ol>\n<li>Go to the <a href=\"https://login.tailscale.com/admin/acls\">Access controls</a> page of the admin console.</li>\n<li>Select the <img src=\"https://tailscale.com/files/images/icons/fa-ellipsis-h.svg\" alt=\"ellipsis icon\"> menu of the rule to edit, then select <strong>Edit</strong>.</li>\n<li>Update the rule fields and settings.</li>\n<li>Select <strong>Save grant</strong> to apply the updated rule.</li>\n</ol>\n<h3><a href=\"https://tailscale.com/docs/reference/visual-editor#delete-a-general-access-rule\">Delete a general access rule</a></h3>\n<p>To delete a general access rule using the <a href=\"https://tailscale.com/docs/features/visual-editor\">visual editor</a>:</p>\n<ol>\n<li>Go to the <a href=\"https://login.tailscale.com/admin/acls\">Access controls</a> page of the admin console.</li>\n<li>Select the <img src=\"https://tailscale.com/files/images/icons/fa-ellipsis-h.svg\" alt=\"ellipsis icon\"> menu of the rule to edit.</li>\n<li>Select <strong>Delete</strong>.</li>\n</ol>\n<p>There is no confirmation required, but you have a brief moment to undo the deletion.</p>\n<h2><a href=\"https://tailscale.com/docs/reference/visual-editor#tailscale-ssh\">Tailscale SSH</a></h2>\n<p><img src=\"https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Ftailscale-ssh.545e799c.png&#x26;w=3840&#x26;q=75\" alt=\"Tailscale SSH tab showing two SSH rules: first allows autogroup:member to access autogroup:self as autogroup:nonroot and root, second allows autogroup:member to access autogroup:self as sally, autogroup:nonroot, and root with 1m0s check mode.\"></p>\n<p><a href=\"https://tailscale.com/docs/features/tailscale-ssh\">Tailscale SSH rules</a> control SSH access to devices in your tailnet. These rules work alongside general access rules to provide secure SSH connectivity without managing SSH keys. The SSH implementation leverages your existing identity provider for authentication, eliminating the traditional complexity of SSH key distribution and rotation.</p>\n<p>SSH rules extend basic network access with SSH-specific controls that enhance security and ease of management. Understanding these components helps you create SSH policies that balance security with usability.</p>\n<p>The <strong>Source</strong> field identifies who can start SSH connections. These typically include users or groups from your identity provider. The <strong>Destination</strong> field specifies which devices accept SSH connections, often identified by tags like <code>tag:server</code> or <code>tag:bastion</code>.</p>\n<p>Destination <a href=\"https://tailscale.com/docs/reference/syntax/policy-file#users\">users</a> define which user accounts are accessible on the destination. You might specify <code>autogroup:nonroot</code> to prevent root access or use email-based matching to map identity provider users to local accounts. <strong>Check mode</strong> determines whether to require periodic re-authentication, adding an extra security layer for sensitive connections.</p>\n<h3><a href=\"https://tailscale.com/docs/reference/visual-editor#add-an-ssh-rule\">Add an SSH rule</a></h3>\n<p>To add a Tailscale SSH rule using the <a href=\"https://tailscale.com/docs/features/visual-editor\">visual editor</a>:</p>\n<ol>\n<li>Go to the <a href=\"https://login.tailscale.com/admin/acls\">Access controls</a> page of the admin console.</li>\n<li>Select <strong>Add rule</strong> from the <strong>Tailscale SSH</strong> tab.</li>\n<li>Configure the SSH connection:</li>\n<li><strong>Source</strong>: Select users or groups who can start SSH connections.</li>\n<li><strong>Destination</strong>: Choose destination devices or tags.</li>\n<li><strong>As destination user</strong>: Specify usernames on the host. Options include <code>autogroup:nonroot</code>, <code>root</code>, or matching local users with email.</li>\n<li><strong>Check mode</strong>: Enable to require authentication checks before letting connections through. Recommended for user-initiated SSH connections.</li>\n<li><strong>Check period</strong>: When check mode is enabled, specify the duration (for example, <code>12h</code>).</li>\n<li>(Optional) Use the <strong>Note</strong> field to document the purpose of the SSH rule.</li>\n<li>(Optional) Configure advanced options if needed:</li>\n<li><strong>Recorder</strong>: Specify the recorder node tag to receive SSH session recordings. Leave empty to disable recordings.</li>\n<li><strong>Enforce recorder</strong>: Require session recording for connections.</li>\n<li><strong>Device posture</strong>: Apply device requirements for SSH access.</li>\n<li>Review the JSON preview and select <strong>Save SSH rule</strong>.</li>\n</ol>\n<h4><a href=\"https://tailscale.com/docs/reference/visual-editor#check-mode-best-practices\">Check mode best practices</a></h4>\n<p>Enable <strong>Check mode</strong> for rules that let humans start SSH connections. This adds an authentication layer that verifies user identity before granting access. The <strong>Check period</strong> determines how long connections remain authorized before requiring re-authentication. Setting appropriate <strong>Check period</strong> values balances security with user convenience.</p>\n<p>For automated processes or service accounts, you might disable <strong>Check mode</strong> to prevent interruptions. However, these connections should have tightly scoped permissions and use <a href=\"https://tailscale.com/docs/features/tags\">tag-based identities</a> rather than personal credentials.</p>\n<h3><a href=\"https://tailscale.com/docs/reference/visual-editor#edit-an-ssh-rule\">Edit an SSH rule</a></h3>\n<p><img src=\"https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Ftailscale-ssh-edit.99acf768.png&#x26;w=3840&#x26;q=75\" alt=\"Edit SSH rule form showing fields for source, destination, destination users, and check mode settings.\"></p>\n<p>To edit a Tailscale SSH rule using the <a href=\"https://tailscale.com/docs/features/visual-editor\">visual editor</a>:</p>\n<ol>\n<li>Go to the <a href=\"https://login.tailscale.com/admin/acls\">Access controls</a> page of the admin console.</li>\n<li>Select the <strong>Tailscale SSH</strong> tab.</li>\n<li>Select the <img src=\"https://tailscale.com/files/images/icons/fa-ellipsis-h.svg\" alt=\"ellipsis icon\"> menu of the SSH rule to edit, then select <strong>Edit</strong>.</li>\n<li>Update the rule fields.</li>\n<li>(Optional) Expand <strong>Advanced options</strong> to update <strong>Recorder</strong>, <strong>Enforce recorder</strong>, or <strong>Device posture</strong> settings.</li>\n<li>Select <strong>Save SSH rule</strong> to apply the updated rule.</li>\n</ol>\n<h3><a href=\"https://tailscale.com/docs/reference/visual-editor#delete-an-ssh-rule\">Delete an SSH rule</a></h3>\n<p>To delete a Tailscale SSH rule using the <a href=\"https://tailscale.com/docs/features/visual-editor\">visual editor</a>:</p>\n<ol>\n<li>Go to the <a href=\"https://login.tailscale.com/admin/acls\">Access controls</a> page of the admin console.</li>\n<li>Select the <strong>Tailscale SSH</strong> tab.</li>\n<li>Select the <img src=\"https://tailscale.com/files/images/icons/fa-ellipsis-h.svg\" alt=\"ellipsis icon\"> menu of the SSH rule to delete.</li>\n<li>Select <strong>Delete</strong>.</li>\n</ol>\n<h2><a href=\"https://tailscale.com/docs/reference/visual-editor#groups\">Groups</a></h2>\n<p><img src=\"https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Fgroups.e54632d5.png&#x26;w=3840&#x26;q=75\" alt=\"Groups tab displaying User-defined groups section (empty) and Autogroups section showing built-in groups like autogroup:member (2 users), autogroup:owner (1 user), autogroup:admin (2 users), and various role-based autogroups with 0 members.\"></p>\n<p><a href=\"https://tailscale.com/docs/reference/targets-and-selectors\">Groups</a> organize users for simplified access control management. The <strong>Groups</strong> tab contains sections for user-defined groups, synced groups from identity providers, and built-in autogroups. Groups reduce policy complexity by letting you manage collections of users rather than individuals, making your policies more maintainable as your organization grows. For detailed information about group types and usage, refer to the <a href=\"https://tailscale.com/docs/reference/targets-and-selectors\">targets documentation</a>.</p>\n<h3><a href=\"https://tailscale.com/docs/reference/visual-editor#user-defined-groups\">User-defined groups</a></h3>\n<p>Create and manage <a href=\"https://tailscale.com/docs/reference/targets-and-selectors\">custom user groups</a> to use in access control policies. Groups improve policy management by letting you reference collections of users rather than individuals. This abstraction makes policies more readable and reduces the maintenance burden when team membership changes.</p>\n<p>Changes to group membership immediately affect all policies referencing that group.</p>\n<h3><a href=\"https://tailscale.com/docs/reference/visual-editor#add-a-user-defined-group\">Add a user-defined group</a></h3>\n<p><img src=\"https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Fgroups-add.96e3ae82.png&#x26;w=3840&#x26;q=75\" alt=\"Create group form with fields for group name and members selection.\"></p>\n<p>To add a user-defined group using the <a href=\"https://tailscale.com/docs/features/visual-editor\">visual editor</a>:</p>\n<ol>\n<li>Go to the <a href=\"https://login.tailscale.com/admin/acls\">Access controls</a> page of the admin console.</li>\n<li>Select <strong>Create group</strong> from the <strong>Groups</strong> tab.</li>\n<li>Configure the group settings:</li>\n<li><strong>Group name</strong>: Enter a descriptive name (such as \"dev\" or \"design\").</li>\n<li><strong>Members</strong>: Search and select users by name or email address.</li>\n<li>(Optional) Use the <strong>Note</strong> field to document the group's purpose.</li>\n<li>View the members table to confirm selections.</li>\n<li>Select <strong>Save group</strong> to create the group.</li>\n</ol>\n<h3><a href=\"https://tailscale.com/docs/reference/visual-editor#edit-a-user-defined-group\">Edit a user-defined group</a></h3>\n<p>To edit a user-defined group using the <a href=\"https://tailscale.com/docs/features/visual-editor\">visual editor</a>:</p>\n<ol>\n<li>Go to the <a href=\"https://login.tailscale.com/admin/acls\">Access controls</a> page of the admin console.</li>\n<li>Select the <strong>Groups</strong> tab.</li>\n<li>In the <strong>User-defined groups</strong> section, select the <img src=\"https://tailscale.com/files/images/icons/fa-ellipsis-h.svg\" alt=\"ellipsis icon\"> menu of the group to edit, then select <strong>Edit</strong>.</li>\n<li>Update the group name, members, or note.</li>\n<li>Select <strong>Save group</strong> to apply the updated group configuration.</li>\n</ol>\n<h3><a href=\"https://tailscale.com/docs/reference/visual-editor#delete-a-user-defined-group\">Delete a user-defined group</a></h3>\n<p>To delete a user-defined group using the <a href=\"https://tailscale.com/docs/features/visual-editor\">visual editor</a>:</p>\n<ol>\n<li>Go to the <a href=\"https://login.tailscale.com/admin/acls\">Access controls</a> page of the admin console.</li>\n<li>Select the <strong>Groups</strong> tab.</li>\n<li>In the <strong>User-defined</strong> groups section, select the <img src=\"https://tailscale.com/files/images/icons/fa-ellipsis-h.svg\" alt=\"ellipsis icon\"> menu of the group to delete.</li>\n<li>Select <strong>Delete</strong>.</li>\n</ol>\n<h3><a href=\"https://tailscale.com/docs/reference/visual-editor#synced-groups\">Synced groups</a></h3>\n<p><a href=\"https://tailscale.com/docs/reference/syntax/policy-file#synced-groups\">Synced groups</a> automatically populate from your identity provider through SCIM integration. These groups are read-only in the visual editor. Membership changes must occur in your identity provider and syncs to Tailscale automatically. This integration ensures that your tailnet access control aligns with your organization's identity management processes. You can configure synced groups with your identity provider, including <a href=\"https://tailscale.com/docs/integrations/google-sync\">Google SSO integration</a>.</p>\n<p>The synchronization typically occurs within minutes of changes in your identity provider. You can reference synced groups in policies using the <code>group:</code> prefix followed by the group name from your identity provider.</p>\n<h3><a href=\"https://tailscale.com/docs/reference/visual-editor#autogroups\">Autogroups</a></h3>\n<p>Tailscale offers built-in, dynamically generated groups called <a href=\"https://tailscale.com/docs/reference/targets-and-selectors#autogroups\">autogroups</a>. These groups automatically include users with specific roles or properties. Autogroups remove the need to manually maintain groups for role-based access control.</p>\n<h2><a href=\"https://tailscale.com/docs/reference/visual-editor#tags\">Tags</a></h2>\n<p><img src=\"https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Ftags.f874acf3.png&#x26;w=3840&#x26;q=75\" alt=\"Tags tab showing two defined tags: tag:example owned by autogroup:admin, and tag:mytag owned by autogroup:admin and ostrich.zebra@example.com.\"></p>\n<p><a href=\"https://tailscale.com/docs/features/tags\">Tags</a> organize non-user devices like servers into functional groups for use in access control policies. Tags let you group devices by function, environment, or any other logical categorization. Unlike user-based groups, tags apply to devices and persist across authentication sessions.</p>\n<p>The tags table displays all defined tags with their owners. You can use the search field above the table to filter the results by tag name or owner.</p>\n<p>By default <a href=\"https://tailscale.com/docs/reference/user-roles\">Owners, Admins, and Network admins</a> are tag owners for all tags.properties.</p>\n<h3><a href=\"https://tailscale.com/docs/reference/visual-editor#add-a-tag\">Add a tag</a></h3>\n<p><img src=\"https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Ftags-add.046faa4b.png&#x26;w=1080&#x26;q=75\" alt=\"Create tag form with fields for tag name and tag owners selection.\"></p>\n<p>To add a tag using the <a href=\"https://tailscale.com/docs/features/visual-editor\">visual editor</a>:</p>\n<ol>\n<li>Go to the <a href=\"https://login.tailscale.com/admin/acls\">Access controls</a> page of the admin console.</li>\n<li>Select <strong>Create tag</strong> from the <strong>Tags</strong> tab.</li>\n<li>Configure the tag settings:</li>\n<li><strong>Tag name</strong>: Enter a name without the \"tag:\" prefix (for example, \"prod\", \"server\").</li>\n<li><strong>Tag owner</strong>: Select users or groups who can apply this tag (if none specified, implicitly owned by owners, admins, and network admins).</li>\n<li>(Optional) Use the <strong>Note</strong> field to document the tag's purpose.</li>\n<li>Select <strong>Save tag</strong> to create the tag.</li>\n</ol>\n<h3><a href=\"https://tailscale.com/docs/reference/visual-editor#edit-a-tag\">Edit a tag</a></h3>\n<p><img src=\"https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Ftags-edit.ea2a8518.png&#x26;w=1080&#x26;q=75\" alt=\"Edit tag form showing fields for modifying tag name and owners.\"></p>\n<p>To edit a tag using the <a href=\"https://tailscale.com/docs/features/visual-editor\">visual editor</a>:</p>\n<ol>\n<li>Go to the <a href=\"https://login.tailscale.com/admin/acls\">Access controls</a> page of the admin console.</li>\n<li>Select the <strong>Tags</strong> tab.</li>\n<li>Select the <img src=\"https://tailscale.com/files/images/icons/fa-ellipsis-h.svg\" alt=\"ellipsis icon\"> menu of the tag to edit, then select <strong>Edit</strong>.</li>\n<li>Update the tag settings.</li>\n<li>Select <strong>Save tag</strong> to apply the updated tag configuration.</li>\n</ol>\n<h3><a href=\"https://tailscale.com/docs/reference/visual-editor#delete-a-tag\">Delete a tag</a></h3>\n<p>To delete a tag using the <a href=\"https://tailscale.com/docs/features/visual-editor\">visual editor</a>:</p>\n<ol>\n<li>Go to the <a href=\"https://login.tailscale.com/admin/acls\">Access controls</a> page of the admin console.</li>\n<li>Select the <strong>Tags</strong> tab.</li>\n<li>Select the <img src=\"https://tailscale.com/files/images/icons/fa-ellipsis-h.svg\" alt=\"ellipsis icon\"> menu of the tag to delete.</li>\n<li>Select <strong>Delete</strong>.</li>\n</ol>\n<p>Deleting a tag removes it from all devices, potentially affecting access control rules that reference it.</p>\n<h2><a href=\"https://tailscale.com/docs/reference/visual-editor#ip-sets\">IP sets</a></h2>\n<p><img src=\"https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Fip-sets.1f7cbbd7.png&#x26;w=3840&#x26;q=75\" alt=\"IP sets tab displaying ipset:databases with three IP addresses added: 100.100.106.101, 100.100.106.103, and 100.100.106.104.\"></p>\n<p><a href=\"https://tailscale.com/docs/features/tailnet-policy-file/ip-sets\">IP sets</a> are collections of IP addresses, hosts, and subnets to use in access control policies. They improve policy management by letting you reference groups of network addresses with a single identifier. IP sets support composition, letting you build complex network definitions from simpler components.</p>\n<p>IP sets support composition through <strong>Add</strong> and <strong>Remove</strong> operations. Start with broad inclusions using <strong>Add</strong>, then refine the set using <strong>Remove</strong> to exclude specific ranges. This approach lets you create flexible network segmentation without duplicating IP definitions.</p>\n<p>For example, you might add <code>10.0.0.0/8</code> to include your entire private network, then remove <code>10.0.1.0/24</code> to exclude a specific subnet. This composition model helps maintain complex policies as your infrastructure evolves.</p>\n<h3><a href=\"https://tailscale.com/docs/reference/visual-editor#add-an-ip-set\">Add an IP set</a></h3>\n<p><img src=\"https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Fip-sets-add.d86670f8.png&#x26;w=1080&#x26;q=75\" alt=\"Create IP set form with fields for name and targets to add or remove from the set.\"></p>\n<p>To add an IP set using the <a href=\"https://tailscale.com/docs/features/visual-editor\">visual editor</a>:</p>\n<ol>\n<li>Go to the <a href=\"https://login.tailscale.com/admin/acls\">Access controls</a> page of the admin console.</li>\n<li>Select <strong>Create IP set</strong> from the <strong>IP sets</strong> tab.</li>\n<li>Configure the IP set:</li>\n<li><strong>Name</strong>: Enter a descriptive name for the IP set.</li>\n<li>(Optional) Use the <strong>Note</strong> field to document the set's purpose.</li>\n<li>(Optional) Configure targets in the <strong>TARGETS</strong> section:</li>\n<li>Select <strong>Add</strong> or <strong>Remove</strong> from the dropdown list.</li>\n<li>Enter CIDRs, IP addresses, hosts, or other IP sets.</li>\n<li>Select <strong>X</strong> to remove target rows.</li>\n<li>Select the plus icon to add more rows.</li>\n<li>Select <strong>Save IP set</strong> to create the IP set.</li>\n</ol>\n<h3><a href=\"https://tailscale.com/docs/reference/visual-editor#edit-an-ip-set\">Edit an IP set</a></h3>\n<p>To edit an IP set using the <a href=\"https://tailscale.com/docs/features/visual-editor\">visual editor</a>:</p>\n<ol>\n<li>Go to the <a href=\"https://login.tailscale.com/admin/acls\">Access controls</a> page of the admin console.</li>\n<li>Select the <strong>IP sets</strong> tab.</li>\n<li>Select the <img src=\"https://tailscale.com/files/images/icons/fa-ellipsis-h.svg\" alt=\"ellipsis icon\"> menu of the IP set to edit, then select <strong>Edit</strong>.</li>\n<li>Update the IP set configuration.</li>\n<li>Select <strong>Save IP set</strong> to apply the updated IP set configuration.</li>\n</ol>\n<h3><a href=\"https://tailscale.com/docs/reference/visual-editor#delete-an-ip-set\">Delete an IP set</a></h3>\n<p>To delete an IP set using the <a href=\"https://tailscale.com/docs/features/visual-editor\">visual editor</a>:</p>\n<ol>\n<li>Go to the <a href=\"https://login.tailscale.com/admin/acls\">Access controls</a> page of the admin console.</li>\n<li>Select the <strong>IP sets</strong> tab.</li>\n<li>Select the <img src=\"https://tailscale.com/files/images/icons/fa-ellipsis-h.svg\" alt=\"ellipsis icon\"> menu of the IP set to delete.</li>\n<li>Select <strong>Delete</strong>.</li>\n</ol>\n<h2><a href=\"https://tailscale.com/docs/reference/visual-editor#hosts\">Hosts</a></h2>\n<p><img src=\"https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Fhosts.e8dd63cb.png&#x26;w=3840&#x26;q=75\" alt=\"Hosts tab showing one host definition: &#x27;ahost&#x27; mapped to IP address 100.100.100.105.\"></p>\n<p><a href=\"https://tailscale.com/docs/reference/syntax/policy-file#hosts\">Hosts</a> create friendly names for IP addresses and CIDR ranges. This improves policy readability by replacing numeric addresses with meaningful identifiers. Instead of remembering that <code>192.168.1.100</code> is your database server, you can reference it as <code>database-primary</code> throughout your policies.</p>\n<p>You can use host definitions in access rules, IP sets, and other policy components that accept IP addresses. The hosts table displays all defined hosts with their associated IP addresses for quick reference. Host names make your policies self-documenting and reduce errors from mistyped IP addresses.</p>\n<h3><a href=\"https://tailscale.com/docs/reference/visual-editor#add-a-host\">Add a host</a></h3>\n<p><img src=\"https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Fhosts-add.ff04f4cf.png&#x26;w=1080&#x26;q=75\" alt=\"Create host form with fields for host name and IP address or CIDR range.\"></p>\n<p>To add a host using the <a href=\"https://tailscale.com/docs/features/visual-editor\">visual editor</a>:</p>\n<ol>\n<li>Go to the <a href=\"https://login.tailscale.com/admin/acls\">Access controls</a> page of the admin console.</li>\n<li>Select <strong>Create host</strong> from the <strong>Hosts</strong> tab.</li>\n<li>Configure the host settings:</li>\n<li><strong>Host name</strong>: Enter a descriptive name for the host.</li>\n<li><strong>IP address</strong>: Enter an IP address or CIDR range.</li>\n<li>(Optional) Use the <strong>Note</strong> field to document the host's purpose.</li>\n<li>Select <strong>Save host</strong> to create the host entry.</li>\n</ol>\n<h3><a href=\"https://tailscale.com/docs/reference/visual-editor#edit-a-host\">Edit a host</a></h3>\n<p><img src=\"https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Fhosts-edit.df464310.png&#x26;w=1080&#x26;q=75\" alt=\"Edit host form showing fields for modifying host name and IP address.\"></p>\n<p>To edit a host using the <a href=\"https://tailscale.com/docs/features/visual-editor\">visual editor</a>:</p>\n<ol>\n<li>Go to the <a href=\"https://login.tailscale.com/admin/acls\">Access controls</a> page of the admin console.</li>\n<li>Select the <strong>Hosts</strong> tab.</li>\n<li>Select the <img src=\"https://tailscale.com/files/images/icons/fa-ellipsis-h.svg\" alt=\"ellipsis icon\"> menu of the host to edit, then select <strong>Edit</strong>.</li>\n<li>Update the host name, IP address, or note.</li>\n<li>Select <strong>Save host</strong> to apply the updated host configuration.</li>\n</ol>\n<h3><a href=\"https://tailscale.com/docs/reference/visual-editor#delete-a-host\">Delete a host</a></h3>\n<p>To delete a host using the <a href=\"https://tailscale.com/docs/features/visual-editor\">visual editor</a>:</p>\n<ol>\n<li>Go to the <a href=\"https://login.tailscale.com/admin/acls\">Access controls</a> page of the admin console.</li>\n<li>Select the <strong>Hosts</strong> tab.</li>\n<li>Select the <img src=\"https://tailscale.com/files/images/icons/fa-ellipsis-h.svg\" alt=\"ellipsis icon\"> menu of the host to delete.</li>\n<li>Select <strong>Delete</strong>.</li>\n</ol>\n<h2><a href=\"https://tailscale.com/docs/reference/visual-editor#node-attributes\">Node attributes</a></h2>\n<p><img src=\"https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Fnode-attributes.5cbdad3b.png&#x26;w=3840&#x26;q=75\" alt=\"Node attributes tab showing one attribute rule applying drive:share capability to all users and devices.\"></p>\n<p><a href=\"https://tailscale.com/docs/reference/syntax/policy-file#nodeattrs\">Node attributes</a> are device attributes and settings that you can use do things like control feature availability and device behavior across your tailnet. For example, you can use an attribute to enable <a href=\"https://tailscale.com/docs/features/tailscale-funnel\">Tailscale Funnel</a> or configure specialized behaviors without modifying individual device configurations.</p>\n<p>Node attributes commonly enable features that extend device capabilities. Understanding these common patterns helps you implement similar configurations for your specific needs.</p>\n<p>The <code>funnel</code> attribute lets devices use <a href=\"https://tailscale.com/docs/features/tailscale-funnel\">Tailscale Funnel</a> for public access. The <code>mullvad</code> attribute grants access to <a href=\"https://tailscale.com/docs/features/exit-nodes/mullvad-exit-nodes\">Mullvad exit nodes</a> for enhanced privacy. The <code>drive:share</code> and <code>drive:access</code> attributes enable <a href=\"https://tailscale.com/docs/features/taildrive\">Taildrive</a> file sharing capabilities. The <code>disable-ipv4</code> attribute disables IPv4 addressing for IPv6-only deployments.</p>\n<p>Each attribute applies immediately to matching devices without requiring device reconfiguration or restart.</p>\n<h3><a href=\"https://tailscale.com/docs/reference/visual-editor#add-a-node-attribute\">Add a node attribute</a></h3>\n<p><img src=\"https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Fnode-attribute-add.87801540.png&#x26;w=3840&#x26;q=75\" alt=\"Add node attribute form with fields for selecting targets and defining attributes or capabilities.\"></p>\n<p>To add a node attribute using the <a href=\"https://tailscale.com/docs/features/visual-editor\">visual editor</a>:</p>\n<ol>\n<li>Go to the <a href=\"https://login.tailscale.com/admin/acls\">Access controls</a> page of the admin console.</li>\n<li>Select <strong>Add node attribute</strong> from the <strong>Node attributes</strong> tab.</li>\n<li>Configure the basic settings:\n<ul>\n<li><strong>Targets</strong>: Select devices, tags, users, or groups.</li>\n<li>(Optional) Use the <strong>Note</strong> field to document the attribute's purpose.</li>\n<li><strong>Attributes</strong>: Select attributes to apply (for example, \"funnel\").</li>\n<li>(Optional) <strong>IP Pools</strong>: Enter CIDRs if the attribute requires IP assignments.</li>\n</ul>\n</li>\n<li>(Optional) Configure application capabilities:</li>\n<li><strong>App</strong>: Enter the domain identifier.</li>\n<li><strong>Capability</strong>: Enter capability configuration in JSON format.</li>\n<li>Select <strong>Add additional capability</strong> for multiple capabilities per app.</li>\n<li>Select <strong>Add another app</strong> for multiple applications.</li>\n<li>Review the JSON preview panel.</li>\n<li>Select <strong>Save node attribute</strong> to apply the configuration.</li>\n</ol>\n<h3><a href=\"https://tailscale.com/docs/reference/visual-editor#edit-a-node-attribute\">Edit a node attribute</a></h3>\n<p><img src=\"https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Fnode-attributes-edit.72cbd386.png&#x26;w=3840&#x26;q=75\" alt=\"Edit node attribute form showing fields for modifying targets and attributes.\"></p>\n<p>To edit a node attribute using the <a href=\"https://tailscale.com/docs/features/visual-editor\">visual editor</a>:</p>\n<ol>\n<li>Go to the <a href=\"https://login.tailscale.com/admin/acls\">Access controls</a> page of the admin console.</li>\n<li>Select the <strong>Node attributes</strong> tab.</li>\n<li>Select the <img src=\"https://tailscale.com/files/images/icons/fa-ellipsis-h.svg\" alt=\"ellipsis icon\"> menu of the node attribute to edit, then select <strong>Edit</strong>.</li>\n<li>Update the targets, attributes, IP pools, or app capabilities.</li>\n<li>Select <strong>Save node attribute</strong> to apply the updated configuration.</li>\n</ol>\n<h3><a href=\"https://tailscale.com/docs/reference/visual-editor#delete-a-node-attribute\">Delete a node attribute</a></h3>\n<p>To delete a node attribute using the <a href=\"https://tailscale.com/docs/features/visual-editor\">visual editor</a>:</p>\n<ol>\n<li>Go to the <a href=\"https://login.tailscale.com/admin/acls\">Access controls</a> page of the admin console.</li>\n<li>Select the <strong>Node attributes</strong> tab.</li>\n<li>Select the <img src=\"https://tailscale.com/files/images/icons/fa-ellipsis-h.svg\" alt=\"ellipsis icon\"> menu of the node attribute to delete.</li>\n<li>Select <strong>Delete</strong>.</li>\n</ol>\n<h2><a href=\"https://tailscale.com/docs/reference/visual-editor#device-posture\">Device posture</a></h2>\n<p><img src=\"https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Fdevice-posture.efd56960.png&#x26;w=3840&#x26;q=75\" alt=\"Device posture tab displaying posture:recent_windows rule requiring node:os == windows and node:osVersion >= 11.\"></p>\n<p><a href=\"https://tailscale.com/docs/features/device-posture\">Device posture</a> rules define the requirements a device must meet for access control policies to prevent non-compliant devices from accessing sensitive resources. Posture rules can check for conditions like OS version, disk encryption status, and the presence of specific security software. You can create custom posture checks to enforce your organization's security policies.</p>\n<p>Posture checks run continuously, revoking access if devices fall out of compliance.</p>\n<p>You can reference posture rules in the <code>srcPosture</code> field of access rules to enforce device compliance. Devices must meet all specified posture requirements to establish connections. Update posture definitions as security requirements evolve.</p>\n<p>Posture enforcement happens at connection time and periodically during active connections. If a device falls out of compliance, existing connections end and new connections fail until the device meets requirements again.</p>\n<h3><a href=\"https://tailscale.com/docs/reference/visual-editor#add-a-posture-rule\">Add a posture rule</a></h3>\n<p><img src=\"https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Fdevice-posture-add.744732a5.png&#x26;w=1080&#x26;q=75\" alt=\"Add device posture rule form with fields for rule name and device attribute conditions.\"></p>\n<p>To add a device posture rule using the <a href=\"https://tailscale.com/docs/features/visual-editor\">visual editor</a>:</p>\n<ol>\n<li>Go to the <a href=\"https://login.tailscale.com/admin/acls\">Access controls</a> page of the admin console.</li>\n<li>Select <strong>Add device posture</strong> from the <strong>Device posture</strong> tab.</li>\n<li>Configure the posture rule:</li>\n<li><strong>Name</strong>: Enter a name for the device posture rule.</li>\n<li>(Optional) Use the <strong>Note</strong> field to document the requirements.</li>\n<li>Configure posture assertions:</li>\n<li>Select <strong>Posture assertion</strong> to expand options.</li>\n<li>Choose from <strong>HOST INFO</strong> attributes (<code>node:os</code>, <code>node:osVersion</code>, <code>node:tsAutoUpdate</code>, <code>node:tsReleaseTrack</code>, <code>node:tsStateEncrypted</code>, <code>node:tsVersion</code>).</li>\n<li>Configure comparison operators and values.</li>\n<li>Select <strong>Save device posture</strong> to create the rule.</li>\n</ol>\n<p>For integration with enterprise device management systems, refer to the documentation for <a href=\"https://tailscale.com/docs/integrations/mdm/intune\">Intune</a>, <a href=\"https://tailscale.com/docs/integrations/jamf-pro\">Jamf Pro</a>, <a href=\"https://tailscale.com/docs/integrations/iru\">Iru</a> (formerly Kandji), <a href=\"https://tailscale.com/docs/integrations/kolide\">1Password XAM (Kolide)</a>, and <a href=\"https://tailscale.com/docs/integrations/sentinelone\">SentinelOne</a>.</p>\n<h3><a href=\"https://tailscale.com/docs/reference/visual-editor#edit-a-device-posture-rule\">Edit a device posture rule</a></h3>\n<p><img src=\"https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Fdevice-posture-edit.2744b47b.png&#x26;w=3840&#x26;q=75\" alt=\"Edit device posture rule form showing fields for modifying posture requirements and conditions.\"></p>\n<p>To edit a device posture rule using the <a href=\"https://tailscale.com/docs/features/visual-editor\">visual editor</a>:</p>\n<ol>\n<li>Go to the <a href=\"https://login.tailscale.com/admin/acls\">Access controls</a> page of the admin console.</li>\n<li>Select the <strong>Device posture</strong> tab.</li>\n<li>Select the <img src=\"https://tailscale.com/files/images/icons/fa-ellipsis-h.svg\" alt=\"ellipsis icon\"> menu of the device posture rule to edit, then select <strong>Edit</strong>.</li>\n<li>Update the name, posture assertions, or note.</li>\n<li>Select <strong>Save device posture</strong> to apply the updated rule.</li>\n</ol>\n<h3><a href=\"https://tailscale.com/docs/reference/visual-editor#delete-device-posture-rules\">Delete device posture rules</a></h3>\n<p>To delete a device posture rule using the <a href=\"https://tailscale.com/docs/features/visual-editor\">visual editor</a>:</p>\n<ol>\n<li>Go to the <a href=\"https://login.tailscale.com/admin/acls\">Access controls</a> page of the admin console.</li>\n<li>Select the <strong>Device posture</strong> tab.</li>\n<li>Select the <img src=\"https://tailscale.com/files/images/icons/fa-ellipsis-h.svg\" alt=\"ellipsis icon\"> menu of the device posture rule to delete.</li>\n<li>Select <strong>Delete</strong>.</li>\n</ol>\n<h2><a href=\"https://tailscale.com/docs/reference/visual-editor#auto-approvers\">Auto approvers</a></h2>\n<p><img src=\"https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Fauto-approvers.f63dedcb.png&#x26;w=3840&#x26;q=75\" alt=\"Auto approvers tab with Routes section showing 100.100.106.0/24 auto-approved for tag:mytag, and Exit nodes section showing tag:example as an auto-approved exit node.\"></p>\n<p><a href=\"https://tailscale.com/docs/reference/syntax/policy-file#autoapprovers\">Auto approvers</a> are policies that let you automatically approve specific operations, such as advertising subnet routes or exit nodes, without manual intervention.</p>\n<h3><a href=\"https://tailscale.com/docs/reference/visual-editor#routes\">Routes</a></h3>\n<p>Automatically approve <a href=\"https://tailscale.com/docs/features/subnet-routers\">subnet route</a> advertisements from users, groups, and tags. This removes manual approval for subnet routers. Route auto approval lets you scale without administrative bottlenecks.</p>\n<h3><a href=\"https://tailscale.com/docs/reference/visual-editor#add-a-route-auto-approver\">Add a route auto approver</a></h3>\n<p><img src=\"https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Fauto-approvers-route-add.39c95d25.png&#x26;w=1080&#x26;q=75\" alt=\"Add route auto approver form with fields for route CIDR and approvers selection.\"></p>\n<p>To add a route auto approver using the <a href=\"https://tailscale.com/docs/features/visual-editor\">visual editor</a>:</p>\n<ol>\n<li>Go to the <a href=\"https://login.tailscale.com/admin/acls\">Access controls</a> page of the admin console.</li>\n<li>Select <strong>Add route</strong> from the <strong>Routes</strong> section of the <strong>Auto approvers</strong> tab.</li>\n<li>Configure the auto approver:</li>\n<li><strong>Route</strong>: Enter the route to auto approve (for example, <code>192.0.2.0/24</code>).</li>\n<li><strong>Route is auto approved for</strong>: Select users, groups, or tags.</li>\n<li>(Optional) Use the <strong>Note</strong> field to document the approval rationale.</li>\n<li>Select <strong>Save route auto approver</strong> to create the rule.</li>\n</ol>\n<h3><a href=\"https://tailscale.com/docs/reference/visual-editor#edit-a-route-auto-approver\">Edit a route auto approver</a></h3>\n<p>To edit a subnet route auto approver using the <a href=\"https://tailscale.com/docs/features/visual-editor\">visual editor</a>:</p>\n<ol>\n<li>Go to the <a href=\"https://login.tailscale.com/admin/acls\">Access controls</a> page of the admin console.</li>\n<li>Select the <strong>Auto approvers</strong> tab.</li>\n<li>In the <strong>Routes</strong> section, select the <img src=\"https://tailscale.com/files/images/icons/fa-ellipsis-h.svg\" alt=\"ellipsis icon\"> menu of the subnet route approval to edit, then select <strong>Edit</strong>.</li>\n<li>Update the route fields.</li>\n<li>Select <strong>Save route auto approver</strong> to apply the updated configuration.</li>\n</ol>\n<h3><a href=\"https://tailscale.com/docs/reference/visual-editor#delete-a-route-auto-approver\">Delete a route auto approver</a></h3>\n<p>To delete a subnet route auto approver using the <a href=\"https://tailscale.com/docs/features/visual-editor\">visual editor</a>:</p>\n<ol>\n<li>Go to the <a href=\"https://login.tailscale.com/admin/acls\">Access controls</a> page of the admin console.</li>\n<li>Select the <strong>Auto approvers</strong> tab.</li>\n<li>In the <strong>Routes</strong> section, select the <img src=\"https://tailscale.com/files/images/icons/fa-ellipsis-h.svg\" alt=\"ellipsis icon\"> menu of the subnet route approval to delete.</li>\n<li>Select <strong>Delete</strong>.</li>\n</ol>\n<h3><a href=\"https://tailscale.com/docs/reference/visual-editor#exit-nodes\">Exit nodes</a></h3>\n<p>Automatically approve users, groups, and tags as <a href=\"https://tailscale.com/docs/features/exit-nodes\">exit nodes</a>. This lets designated devices route internet traffic without manual approval. Exit node auto approval supports use cases like regional exit nodes or dedicated privacy infrastructure.</p>\n<h3><a href=\"https://tailscale.com/docs/reference/visual-editor#add-an-exit-node-auto-approver\">Add an exit node auto approver</a></h3>\n<p><img src=\"https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Fauto-approvers-exit-nodes-add.a4a0ebf8.png&#x26;w=1080&#x26;q=75\" alt=\"Add exit node auto approver form with field for selecting users, groups, or tags as exit node approvers.\"></p>\n<p>To add an exit node auto approver using the <a href=\"https://tailscale.com/docs/features/visual-editor\">visual editor</a>:</p>\n<ol>\n<li>Go to the <a href=\"https://login.tailscale.com/admin/acls\">Access controls</a> page of the admin console.</li>\n<li>Select <strong>Add exit node</strong> from the <strong>Exit nodes</strong> section of the <strong>Auto approvers</strong> tab.</li>\n<li>Configure the auto approver by selecting users, groups, or tags to be automatically approved as exit nodes.</li>\n<li>Select <strong>Save exit node</strong> to create the auto approval rule.</li>\n</ol>\n<h3><a href=\"https://tailscale.com/docs/reference/visual-editor#edit-an-exit-node-auto-approver\">Edit an exit node auto approver</a></h3>\n<p>To edit an exit node auto approver using the <a href=\"https://tailscale.com/docs/features/visual-editor\">visual editor</a>:</p>\n<ol>\n<li>Go to the <a href=\"https://login.tailscale.com/admin/acls\">Access controls</a> page of the admin console.</li>\n<li>Select the <strong>Auto approvers</strong> tab.</li>\n<li>In the <strong>Exit nodes</strong> section, select the <img src=\"https://tailscale.com/files/images/icons/fa-ellipsis-h.svg\" alt=\"ellipsis icon\"> menu of the exit node to edit, then select <strong>Edit</strong>.</li>\n<li>Update the users, groups, or tags that are automatically approved as exit nodes.</li>\n<li>Select <strong>Save exit node</strong> to apply the updated configuration.</li>\n</ol>\n<h3><a href=\"https://tailscale.com/docs/reference/visual-editor#delete-an-exit-node-auto-approver\">Delete an exit node auto approver</a></h3>\n<p>To delete an exit node auto approver using the <a href=\"https://tailscale.com/docs/features/visual-editor\">visual editor</a>:</p>\n<ol>\n<li>Go to the <a href=\"https://login.tailscale.com/admin/acls\">Access controls</a> page of the admin console.</li>\n<li>Select the <strong>Auto approvers</strong> tab.</li>\n<li>In the <strong>Exit nodes</strong> section, select the <img src=\"https://tailscale.com/files/images/icons/fa-ellipsis-h.svg\" alt=\"ellipsis icon\"> menu of the exit node to delete.</li>\n<li>Select <strong>Delete</strong>.</li>\n</ol>\n<h2><a href=\"https://tailscale.com/docs/reference/visual-editor#tests\">Tests</a></h2>\n<p><img src=\"https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Ftests.dbc3484d.png&#x26;w=3840&#x26;q=75\" alt=\"Tests tab with General tests section showing one test for alice@example.com with node:os macos accessing tag:example:80 with tcp or udp protocol, and SSH tests section showing crocus.cat@example.com can access 100.121.20.49 as root user.\"></p>\n<p>For an overview of tests and how they work in the visual policy editor, refer to the <a href=\"https://tailscale.com/docs/features/visual-editor#tests\">tests section</a> in the visual policy editor documentation. This reference documents the UI controls and procedures for managing tests.</p>\n<p>The <strong>Tests</strong> tab contains sections for general access tests and SSH-specific tests. Tests act as regression protection, ensuring that policy modifications don't accidentally break existing access patterns.</p>\n<h3><a href=\"https://tailscale.com/docs/reference/visual-editor#general-tests\">General tests</a></h3>\n<p>Create validation tests that access control changes must pass before saving. These tests ensure policy modifications don't accidentally revoke important permissions or expose critical systems. Well-designed tests catch configuration errors before they affect production access.</p>\n<h3><a href=\"https://tailscale.com/docs/reference/visual-editor#add-a-general-test\">Add a general test</a></h3>\n<p><img src=\"https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Ftests-general-add.ab075441.png&#x26;w=3840&#x26;q=75\" alt=\"Add general test form with fields for source, posture attribute, accepted destinations, denied destinations, and protocol selection.\"></p>\n<p>To add a general test using the <a href=\"https://tailscale.com/docs/features/visual-editor\">visual editor</a>:</p>\n<ol>\n<li>Go to the <a href=\"https://login.tailscale.com/admin/acls\">Access controls</a> page of the admin console.</li>\n<li>Select <strong>Add test</strong> in the <strong>General tests</strong> section.</li>\n<li>Configure test parameters:\n<ul>\n<li><strong>Source</strong>: Specify the test source identity.</li>\n<li><strong>Source device posture attributes</strong>: Add device conditions if posture rules apply.</li>\n<li><strong>Accept</strong>: List destinations that should be accessible.</li>\n<li><strong>Deny</strong>: List destinations that should be blocked.</li>\n<li><strong>Protocol</strong>: Select the protocol to test.</li>\n<li>(Optional) Use the <strong>Note</strong> field to document the test's purpose.</li>\n</ul>\n</li>\n<li>Review the JSON preview and select <strong>Save test</strong>.</li>\n</ol>\n<h3><a href=\"https://tailscale.com/docs/reference/visual-editor#edit-a-general-test\">Edit a general test</a></h3>\n<p><img src=\"https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Ftests-general-edit.0bccc674.png&#x26;w=3840&#x26;q=75\" alt=\"Edit general test form showing fields for modifying test conditions and assertions.\"></p>\n<p>To edit a general test using the <a href=\"https://tailscale.com/docs/features/visual-editor\">visual editor</a>:</p>\n<ol>\n<li>Go to the <a href=\"https://login.tailscale.com/admin/acls\">Access controls</a> page of the admin console.</li>\n<li>Select the <strong>Tests</strong> tab.</li>\n<li>In the <strong>General tests</strong> section, select the <img src=\"https://tailscale.com/files/images/icons/fa-ellipsis-h.svg\" alt=\"ellipsis icon\"> menu of the test to edit, then select <strong>Edit</strong>.</li>\n<li>Update the test parameters.</li>\n<li>Select <strong>Save test</strong> to apply the updated test.</li>\n</ol>\n<h3><a href=\"https://tailscale.com/docs/reference/visual-editor#delete-a-general-test\">Delete a general test</a></h3>\n<p>To delete a general test using the <a href=\"https://tailscale.com/docs/features/visual-editor\">visual editor</a>:</p>\n<ol>\n<li>Go to the <a href=\"https://login.tailscale.com/admin/acls\">Access controls</a> page of the admin console.</li>\n<li>Select the <strong>Tests</strong> tab.</li>\n<li>In the <strong>General tests</strong> section, select the <img src=\"https://tailscale.com/files/images/icons/fa-ellipsis-h.svg\" alt=\"ellipsis icon\"> menu of the test.</li>\n<li>Select <strong>Delete</strong>.</li>\n</ol>\n<h3><a href=\"https://tailscale.com/docs/reference/visual-editor#ssh-tests\">SSH tests</a></h3>\n<p><a href=\"https://tailscale.com/docs/reference/syntax/policy-file#sshtests\">SSH tests</a> let you write validation tests that Tailscale SSH policy changes must pass before you can save them. These tests verify SSH access rules work as intended. SSH tests validate both access permissions and authentication requirements. Tests run automatically when you save policy changes. Failed tests prevent the policy from saving and display error messages indicating which assertions failed.</p>\n<h4><a href=\"https://tailscale.com/docs/reference/visual-editor#add-a-ssh-test\">Add a SSH test</a></h4>\n<p><img src=\"https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Ftests-ssh-add.294645ec.png&#x26;w=3840&#x26;q=75\" alt=\"Add SSH test form with fields for source, destination, accepted users, checked users, and denied destinations.\"></p>\n<p>To add an SSH test using the <a href=\"https://tailscale.com/docs/features/visual-editor\">visual editor</a>:</p>\n<ol>\n<li>Go to the <a href=\"https://login.tailscale.com/admin/acls\">Access controls</a> page of the admin console.</li>\n<li>Select <strong>Add SSH test</strong> from the <strong>SSH tests</strong> section of the <strong>Tests</strong> tab.</li>\n<li>Configure the SSH test parameters:</li>\n<li><strong>Source</strong>: Specify the SSH connection source.</li>\n<li><strong>Destination</strong>: Define the SSH target.</li>\n<li><strong>Accept</strong>: Select users that should be allowed (options: autogroup:nonroot, root, Match local user with email).</li>\n<li><strong>Check</strong>: Select users requiring check mode.</li>\n<li><strong>Deny</strong>: Select users that should be denied.</li>\n<li>(Optional) Use the <strong>Note</strong> field to document the test scenario.</li>\n<li>Select <strong>Save SSH test</strong> to create the test.</li>\n</ol>\n<h3><a href=\"https://tailscale.com/docs/reference/visual-editor#edit-a-ssh-test\">Edit a SSH test</a></h3>\n<p>To edit an SSH test using the <a href=\"https://tailscale.com/docs/features/visual-editor\">visual editor</a>:</p>\n<ol>\n<li>Go to the <a href=\"https://login.tailscale.com/admin/acls\">Access controls</a> page of the admin console.</li>\n<li>Select the <strong>Tests</strong> tab.</li>\n<li>In the <strong>SSH tests</strong> section, select the <img src=\"https://tailscale.com/files/images/icons/fa-ellipsis-h.svg\" alt=\"ellipsis icon\"> menu of the test to edit, then select <strong>Edit</strong>.</li>\n<li>Update the test parameters (Source, Destination, Accept, Check, Deny, and Note fields).</li>\n<li>Select <strong>Save SSH test</strong> to apply the updated test.</li>\n</ol>\n<h3><a href=\"https://tailscale.com/docs/reference/visual-editor#delete-a-ssh-test\">Delete a SSH test</a></h3>\n<p>To delete an SSH test using the <a href=\"https://tailscale.com/docs/features/visual-editor\">visual editor</a>:</p>\n<ol>\n<li>Go to the <a href=\"https://login.tailscale.com/admin/acls\">Access controls</a> page of the admin console.</li>\n<li>Select the <strong>Tests</strong> tab.</li>\n<li>In the <strong>SSH tests</strong> section, select the <img src=\"https://tailscale.com/files/images/icons/fa-ellipsis-h.svg\" alt=\"ellipsis icon\"> menu of the test to delete.</li>\n<li>Select <strong>Delete</strong>.</li>\n</ol>\n<p><img src=\"https://cdn.brandfetch.io/tailscale.com/fallback/lettermark/theme/dark/h/256/w/256/icon?c=1bfwsmEH20zzEfSNTed\" alt=\"Project Logo\"></p>\n<p>Ask AI</p>\n<p>reCAPTCHA</p>\n<p>Recaptcha requires verification.</p>\n<p>protected by <strong>reCAPTCHA</strong></p>\n"}