In Tailscale’s original security policy ACLs, each node’s permissions were defined by the user who had logged into the node. This is useful for access control of end user devices, but creates a problem for servers. Since every node, including a server, needs to be authenticated as some account (usually an IT or devops administrator), the server would inherit that user’s permissions, which is usually not what you want.
ACL tagging is the solution to this problem.
Read more.