Groups
Define reusable lists of users.
"groups": {
  "group:devs": ["dave@tailscale.com", "eve@tailscale.com"],
  "group:it": ["frank@tailscale.com"]
}
ACLs (Standard)
Basic allow rules. Destination includes the port.
{
  "action": "accept",
  "src": ["group:devs"],
  "dst": [
    "tag:server:80",
    "*:443"
  ]
}
Grants (Modern)
Separates the target (dst) from the protocol and port (ip). Supports device posture conditions via srcPosture.
{
  "src": ["group:devs"],
  "dst": ["tag:prod"],
  "ip": ["tcp:443"],
  "srcPosture": ["posture:secure"]
}
Tag Owners
Who can assign this tag to a device?
"tagOwners": {
  "tag:web": ["group:devs"],
  "tag:prod": ["group:admins"]
}
Device Posture
Conditions a device must satisfy; referenced from grants via srcPosture.
"postures": {
  "posture:name": [
    "node:os == 'macos'",
    "node:osVersion >= '13.0'"
  ]
}
Tailscale SSH
Control SSH access and users.
"ssh": [
  {
    "action": "check",
    "src": ["group:devs"],
    "dst": ["tag:server"],
    "users": ["root", "ubuntu"]
  }
]
Tests
Verify specific access is allowed or denied.
"tests": [
  {
    "src": "alice@tailscale.com",
    "accept": ["tag:web:80"],
    "deny": ["tag:db:22"]
  }
]
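The snippets above for groups, ACLs, grants, tag owners and tests are shown in isolation. The following is an added example, not Tailscale's own policy engine and not code from this page: a simplified local evaluator that assembles those building blocks into one constructed policy, expands groups, matches acls (host:port) and grants (dst plus ip), runs the tests block with default-deny semantics, and lints for groups or tags that are referenced but never defined. The combined policy, the group:it grant, and the tag:db test targets are constructed for illustration; posture conditions (srcPosture) are not evaluated here.

```python
"""Simplified local evaluator for Tailscale-style policy snippets.

Constructed example: NOT Tailscale's policy engine. Semantics are an
approximation (group expansion, host:port acls, dst+ip grants, default deny).
Posture conditions are ignored.
"""
from __future__ import annotations

# Constructed policy assembled from the page's snippets (HuJSON comments removed).
POLICY: dict = {
    "groups": {
        "group:devs": ["dave@tailscale.com", "eve@tailscale.com"],
        "group:it": ["frank@tailscale.com"],
    },
    "tagOwners": {
        "tag:web": ["group:devs"],
        "tag:prod": ["group:admins"],  # group:admins is never defined -> lint finding
    },
    "acls": [
        {"action": "accept", "src": ["group:devs"], "dst": ["tag:server:80", "*:443"]},
    ],
    "grants": [
        {"src": ["group:it"], "dst": ["tag:prod"], "ip": ["tcp:22"]},  # constructed
    ],
    "tests": [  # constructed tests exercising both an acl and a grant
        {"src": "dave@tailscale.com", "accept": ["tag:server:80", "tag:db:443"], "deny": ["tag:db:22"]},
        {"src": "frank@tailscale.com", "accept": ["tag:prod:22"], "deny": ["tag:server:80"]},
    ],
}


def expand_src(policy: dict, entry: str) -> set[str]:
    """Turn a src entry into the user logins it covers ('*' means anyone)."""
    if entry == "*":
        return {"*"}
    if entry.startswith("group:"):
        return set(policy.get("groups", {}).get(entry, []))
    return {entry}


def _src_matches(policy: dict, srcs: list[str], user: str) -> bool:
    users = set().union(*(expand_src(policy, s) for s in srcs))
    return "*" in users or user in users


def _port_matches(spec: str, port: int) -> bool:
    """spec is '*', a single port, or a 'lo-hi' range."""
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = (int(x) for x in spec.split("-", 1))
        return lo <= port <= hi
    return int(spec) == port


def _split_host_port(dst: str) -> tuple[str, str]:
    """'tag:server:80' -> ('tag:server', '80'); the port is always the last field."""
    host, _, port = dst.rpartition(":")
    return host, port


def _acl_matches(policy: dict, rule: dict, user: str, host: str, port: int) -> bool:
    if rule.get("action") != "accept" or not _src_matches(policy, rule["src"], user):
        return False
    return any(h in ("*", host) and _port_matches(p, port)
               for h, p in (_split_host_port(d) for d in rule["dst"]))


def _grant_matches(policy: dict, grant: dict, user: str, host: str, port: int, proto: str) -> bool:
    if not _src_matches(policy, grant["src"], user):
        return False
    if not any(d in ("*", host) for d in grant["dst"]):
        return False
    for ip in grant.get("ip", ["*"]):
        if ip == "*":
            return True
        ip_proto, _, ports = ip.rpartition(":")  # 'tcp:443' -> ('tcp', ':', '443'); bare '443' -> ('', '', '443')
        if ip_proto in ("", proto) and _port_matches(ports, port):
            return True
    return False


def is_allowed(policy: dict, user: str, host: str, port: int, proto: str = "tcp") -> bool:
    """Default deny: access needs at least one matching accept rule or grant."""
    if any(_acl_matches(policy, r, user, host, port) for r in policy.get("acls", [])):
        return True
    return any(_grant_matches(policy, g, user, host, port, proto) for g in policy.get("grants", []))


def run_tests(policy: dict) -> list[str]:
    """Return failure descriptions; an empty list means every test passed."""
    failures = []
    for t in policy.get("tests", []):
        for dst in t.get("accept", []):
            h, p = _split_host_port(dst)
            if not is_allowed(policy, t["src"], h, int(p)):
                failures.append(f"{t['src']} should reach {dst} but is denied")
        for dst in t.get("deny", []):
            h, p = _split_host_port(dst)
            if is_allowed(policy, t["src"], h, int(p)):
                failures.append(f"{t['src']} should NOT reach {dst} but is allowed")
    return failures


def _name(entry: str) -> str:
    """Strip a trailing ':port' from an acl dst so 'tag:server:80' -> 'tag:server'."""
    return entry.rpartition(":")[0] if entry.count(":") >= 2 else entry


def undefined_references(policy: dict) -> list[str]:
    """Groups used without a 'groups' entry and tags used without a 'tagOwners' entry."""
    groups, tags = set(policy.get("groups", {})), set(policy.get("tagOwners", {}))
    seen: set[str] = set()
    for section in ("acls", "grants", "ssh"):
        for rule in policy.get(section, []):
            seen.update(_name(e) for e in rule.get("src", []) + rule.get("dst", []))
    for owners in policy.get("tagOwners", {}).values():
        seen.update(owners)
    missing = {n for n in seen if n.startswith("group:") and n not in groups}
    missing |= {n for n in seen if n.startswith("tag:") and n not in tags}
    return sorted(missing)


if __name__ == "__main__":
    print("test failures:", run_tests(POLICY))
    print("undefined references:", undefined_references(POLICY))
```

Because grants match on protocol as well as port, the same user that reaches tag:prod:22 over TCP is denied over UDP, which is the kind of narrowing the ip field buys over a plain host:port acl; the lint surfaces group:admins and tag:server as referenced but never defined, the two gaps a reviewer would expect to catch before pushing the policy.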
Auto Approvers
Automatically approve advertised routes.
"autoApprovers": {
  "routes": {
    "10.0.0.0/24": ["tag:router"]
  }
}
App Capabilities
Grant application-specific powers (like K8s access).
{
  "src": ["group:sre"],
  "dst": ["tag:cluster"],
  "app": {
    "tailscale.com/cap/kubernetes": [{
      "impersonate": { "groups": ["system:masters"] }
    }]
  }
}