Minimum permission to see details of the connected TailNet

Dear all,

I carefully read the documentation about User Roles (User roles · Tailscale). Even so, I couldn’t identify which one would be the most suitable for installing the Tailscale client with as little permission as possible, so that you can see the minimum of information from the TailNet that the computer was connected to.

The typical scenario, I imagine, would be like this:

  • IT professional going to the user’s machine.

  • Downloading the TS client.

  • Installing the TS client.

  • Logging in to TS client with a particular user. This user must have restricted rights. The goal is that he can only do a JOIN to the company’s TailNet. It may even be an “attempt” to JOIN, but the Admin web panel can later approve it.

  • Ends the participation of the IT professional.

  • After this task, the end user of the computer, even having access to the TS icon in the systray, will not be able to see which other machines are connected to the same TailNet, even if it has dozens of other devices in the same TailNet.

  • I.e., he can see, at most, the online/offline status, TailNet, and local IP address of its node.

Which User Role fits the above needs?
Is User Role alone sufficient to meet the above requirements, or will it be necessary to use ACLs?

I appreciate any help you can provide.

Best regards,