AND and OR in ACLs

Hello all,

Does anyone know if there is a way to specify ANDs in the ACLs? Right now it seems only ORs are possible.

Use case:

I want to allow certain users from certain machines to access a subnet. When I add ACLs for both a tag for the machines and a group for the users (either in the same rule or as two separate rules) it seems to be OR’d.

Any help would be greatly appreciated!

For this particular case: Tagged nodes don’t have a User, they are owned by the Tag.
The user who happened to initially authorize the machine is not kept.

So there isn’t a way to write an ACL that requires both that the device have a Tag and also restricts it to a User: there isn’t a User.

Understood. In our case, users may connect, say, their mobile phone to the tailnet in order to access their workstation remotely, but we do not want users to be able to access our VPC subnet directly from phones, only authorized workstations.

You can specify routed IP blocks in ACLs. So remove the allow * and replace it with something like:
"allow": ["10.0.0.0/16:22"], to allow SSH access to everything in that block, routed through whatever subnet router is available to get there.

There’s also a special tag called autogroup:internet that allows access to public IPs routed through an exit node.
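To make the advice above concrete, here is an added example policy fragment (not from this thread or from Tailscale's documentation) written in the current Tailscale policy-file syntax as I understand it, with the `action`/`src`/`dst` keys rather than the `allow` shorthand quoted above. The tag name `tag:workstation`, the group `group:eng`, the user addresses and the `10.0.0.0/16` range are all assumed placeholders for the asker's own tailnet.

```hujson
{
  // Who may apply the workstation tag. Once a node is tagged it is owned by the
  // tag, not by the user who enrolled it, so user identity is not available on it.
  "tagOwners": {
    "tag:workstation": ["group:admins"],
  },

  "groups": {
    "group:admins": ["admin@example.com"],   // assumed placeholder
    "group:eng":    ["alice@example.com"],   // assumed placeholder
  },

  "acls": [
    // Rule 1: only tagged workstations may reach SSH on the routed VPC block.
    // Personal devices (phones) are user-owned, not tagged, so they do not match.
    {
      "action": "accept",
      "src":    ["tag:workstation"],
      "dst":    ["10.0.0.0/16:22"],
    },

    // Rule 2: users in group:eng may reach their own workstations from any
    // device they own, which is what the phone-to-workstation use case needs.
    {
      "action": "accept",
      "src":    ["group:eng"],
      "dst":    ["tag:workstation:*"],
    },

    // NOT what the asker wants: listing both in one src is still OR. Any
    // workstation OR any device owned by a group:eng user would match,
    // so a phone owned by an eng user would reach the subnet.
    // {
    //   "action": "accept",
    //   "src":    ["tag:workstation", "group:eng"],
    //   "dst":    ["10.0.0.0/16:22"],
    // },
  ],
}
```

The practical consequence is the one explained earlier in the thread: the "user AND tag" conjunction is not expressible because a tagged node carries no user, so the closest fit is to restrict the subnet destination to tags alone (Rule 1) and to control who may reach or tag those workstations via `tagOwners` and a separate user-scoped rule (Rule 2). After changing the policy, the Tailscale admin console's access-control preview for a specific source node and destination is a quick way to confirm that a phone no longer matches the subnet rule.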

Yes, this is something I have already done. But it appears I can only set this for a tag OR a user. I want to say “the request is coming from this tag AND ALSO this logged-in user”.