Linux Server Security is the current field-guide cluster.Linux • Security • Self-hosting • Practical tools
Secure Remote Access

Tailscale ACLs vs Device Tags: A Least-Privilege Guide

Tailscale ACLs and grants define access; device tags help identify machines and services in that policy. A tag is not a security decision by itself: least privilege still depends on narrow destinations, ports, owners, and reviewable rules.

What do ACLs control?

Traditional ACL entries describe which sources can reach which destinations and ports. Tailscale documents ACLs as deny-by-default when an acls section exists; an absent section has different default behavior, so policy shape matters.

What are tags for?

Tags represent device roles such as tag:web or tag:backup. Tag ownership controls who may apply a tag. This lets policy target a service role instead of a person’s laptop, but a broadly assignable tag can become a privilege-escalation path.

Should a small team use grants?

Use grants when you need Tailscale’s newer unified policy model or application-layer permissions. Do not mix syntax casually: Tailscale notes that converting an ACL to a grant can change the permission outcome when selectors and ports are combined.

A sensible review asks: who can assign this tag, which sources can reach it, which ports are open, and what happens when the device is retired? Compare Tailscale services for small teams and Tailscale SSH vs keys.

Sources