Can we combine tags in ACLs?

When defining ACLs, are all tags distinct, or can we combine them?

e.g. our services are defined as project, role, env. So we’d have a service that is project=topsecret|launched, role=app|db, env=prod|staging.

I want to give someone access to the launched project’s staging app server. Can I tag something with project:launched, role:app, env:staging and give someone access to the specific combo of those tags? Or would I have to create a launched-app-staging tag and give them access to just that one?

I’m fairly new with Tailscale, but you can create rules in your ACL file for each individual tag, i.e.:

tag:project can access x
tag:role can access y
tag:env can access z

Then if you have a device that is tagged as project AND as role, that device can access x AND y. If it has all 3 tags, then it can access x, y, and z.

As I said, I am fairly new, but I believe this is correct.

Hopefully I understood your question!

Yeah, I heard back from support, and they said that ACLs are based on discrete tags; it has no sort of combinatorial / boolean tagging. So to restrict access to a particular project/role/environment combo, I would need a tag like launched-app-staging.

That’s weird, because I have the following in my ACL that works fine:

    {
        "action": "accept",
        "src":    ["tag:test", "tag:swittwer"],
        "dst": [
            "experience-center:*",
            "HWAD01:53,88,135,389,445,49152-65535",
            "HWAD2:53,88,135,389,445,49152-65535",
            "HWSTORE01:445",
            "HWLICENSE01:80,443,3389",
            "HWWIKIINT:80,443",
            "office-printer:*",
            "unsecure-network:*",
        ],
    },

A source that is tagged as swittwer, or as test can reach all of the destinations listed. Maybe this isn’t what you are looking for though. You should be able to replace the destinations with multiple tags if you decide.

Also, I have some devices that have multiple tags, and they can reach the combination of all of the allowable devices for both tags.

Right, in your example I would want to restrict it to sources that are tagged as tag:test AND tag:swittwer. I want to require both - a source having just one of the tags should not have access. But that’s not how Tailscale ACL works.

Ah, that was what I was missing. Makes sense now.
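An added example, not part of the thread or of Tailscale's own code: since each tag is matched on its own, this sketch generates one composite tag per project/role/env combination from the question and emits a policy fragment granting access to exactly one of them. The `tag:<project>-<role>-<env>` naming, the `group:launched-devs` group, the user address and the `allowed()` helper (a simplified model of the any-of matching described above, ports ignored) are assumptions made for illustration.

```python
import itertools
import json

# Dimensions taken from the question; the naming scheme is an assumption.
DIMENSIONS = {
    "project": ["topsecret", "launched"],
    "role": ["app", "db"],
    "env": ["prod", "staging"],
}

def composite_tag(project, role, env):
    """One discrete tag stands in for the AND of three attributes."""
    return f"tag:{project}-{role}-{env}"

def all_composite_tags(dims=DIMENSIONS):
    combos = itertools.product(dims["project"], dims["role"], dims["env"])
    return [composite_tag(*c) for c in combos]

def build_policy(grants, groups, owner="autogroup:admin"):
    """grants: list of (src, (project, role, env), ports) tuples."""
    return {
        "groups": groups,
        "tagOwners": {tag: [owner] for tag in all_composite_tags()},
        "acls": [
            {"action": "accept", "src": [src],
             "dst": [f"{composite_tag(*combo)}:{ports}"]}
            for src, combo, ports in grants
        ],
    }

def allowed(policy, src_identities, dst_tags):
    """Simplified model: a rule applies when ANY src entry matches the
    source and ANY dst entry matches one of the destination's tags."""
    for rule in policy["acls"]:
        rule_dst = {d.rsplit(":", 1)[0] for d in rule["dst"]}  # drop ports
        if set(rule["src"]) & set(src_identities) and rule_dst & set(dst_tags):
            return True
    return False

# Constructed sample: hypothetical group and user.
GROUPS = {"group:launched-devs": ["dev@example.com"]}
GRANTS = [("group:launched-devs", ("launched", "app", "staging"), "22,443")]

if __name__ == "__main__":
    print(json.dumps(build_policy(GRANTS, GROUPS), indent=2))
```

The printed JSON is one rule per granted combination; a node carrying only the separate `tag:launched`, `tag:app` and `tag:staging` tags would not match it, which is why the servers themselves must carry the composite tag.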