Group based named SSH access

I’m looking into creating an automated flow for temporary access to our production environment. Because we are Okta integrated with Tailscale, I was hoping to create a workflow that is a Jira initiated Okta workflows to add users to Okta groups that have access to Tailscale SSH via ACLs.

From the documentation that I’m seeing, I don’t know if this is possible.

I’ve tested using “src”:[group:groupname] and “users”:[“listofusers”] but unfortunately it allows any user in this group to access any named account in the list of users. Something that I cannot have.