Questions about ACLs

Tailscale user:
Hi, I started a Tailscale trial yesterday, and so far it’s going really well, but I have a couple of questions about ACLs.

First, just to double-check, on the pricing page it says that the Connectivity plan has “Basic access controls”, is that just referring to the “Allow incoming connections” boolean flag? So any usage of ACLs requires the Security plan?

Second, I’m a little bit unclear on how exactly the machine–user relationship works and how it interacts with ACLs. I have some AWS servers that I’ve added to the network, which associated them with my user. If my user has blanket permissions, and another user has permission to SSH to one of those servers, do they then acquire additional permissions by having access to that server? Should I be setting up a generic machine user with no permissions? How does this interact, if at all, with subnet routes?

(The documentation is really very good, my lack of clarity probably reflects more on being outside my expertise than anything else.)

Thanks, -N

Tailscale support: Yes, “Basic access controls” refers to just that “Allow incoming connections” boolean.

For services, you’ll want to run them with an “ACL tag” so they take the identity of the tag rather than the identity of the person who launched it. See:

It’s still in beta because we haven’t fleshed it all out, but the basics documented there work and are stable.