Control: Assign Admin roles
Description
Assign user roles for managing Tailscale as appropriate, based on job function and for separation of duties. Tailscale provides multiple user roles that restrict who can modify your tailnet's configurations.
Usage
Run the control in your terminal:
steampipe check tailscale_compliance.control.security_best_practices_acl_ssh_admin_roles_assigned
Snapshot and share results via Steampipe Cloud:
steampipe login
steampipe check --share tailscale_compliance.control.security_best_practices_acl_ssh_admin_roles_assigned
SQL
-- Flatten the users array of every SSH ACL rule into one row per role/user entry.
with tailnet_all_roles as (
  select
    tailnet_name,
    jsonb_array_elements(users) as all_roles
  from
    tailscale_acl_ssh
  group by
    tailnet_name,
    users
),
-- Re-aggregate the entries into a single jsonb array per tailnet so the
-- jsonb "?|" (any-of-these-strings-present) operator can be applied once per tailnet.
aggregate_roles as (
  select
    tailnet_name,
    jsonb_agg(all_roles) as role_agg
  from
    tailnet_all_roles
  group by
    tailnet_name
)
select
  t.tailnet_name as resource,
  -- "ok" only when all four administrative groups appear in the SSH ACL users.
  case
    when role_agg ?| array [ 'group:admin' ]
      and role_agg ?| array [ 'group:itadmin' ]
      and role_agg ?| array [ 'group:networkadmin' ]
      and role_agg ?| array [ 'group:auditor' ] then 'ok'
    else 'alarm'
  end as status,
  -- The reason lists exactly which of the four roles are missing.
  case
    when role_agg ?| array [ 'group:admin' ]
      and role_agg ?| array [ 'group:itadmin' ]
      and role_agg ?| array [ 'group:networkadmin' ]
      and role_agg ?| array [ 'group:auditor' ]
      then t.tailnet_name || ' has Admin, Network Admin, IT Admin, and Auditor roles assigned.'
    else t.tailnet_name || ' does not have ' || concat_ws(
      ', ',
      case when not (role_agg ?| array [ 'group:admin' ]) :: boolean then 'Admin' end,
      case when not (role_agg ?| array [ 'group:itadmin' ]) :: boolean then 'IT Admin' end,
      case when not (role_agg ?| array [ 'group:networkadmin' ]) :: boolean then 'Network Admin' end,
      case when not (role_agg ?| array [ 'group:auditor' ]) :: boolean then 'Auditor' end
    ) || ' role(s) assigned.'
  end as reason,
  t.tailnet_name
from
  tailscale_tailnet as t
  -- Left join so a tailnet with no SSH ACL users at all still appears (as "alarm").
  left join aggregate_roles as r on t.tailnet_name = r.tailnet_name;