Document necessary grants

It would be great if there could be more documentation how to configure Tailscale access controls for tsidp.

Let's say we have tsidp with tag `tag:idp` and a server with tag `tag:foobar`. What are the minimal access controls necessary for admins to be able to configure tsidp and for users of the server to use it to log into the server?

These grants are what I currently have.

```jsonc
// Admins can configure IDP
{
  "src": ["autogroup:admin"],
  "dst": ["tag:idp"],
  "ip":  ["443"],
  "app": {
    "tailscale.com/cap/tsidp": [
      {
        "allow_admin_ui": true,
      },
    ],
  },
},
// Admins and shared users can use IDP
{
  "src": ["autogroup:admin", "autogroup:shared"],
  "dst": ["tag:idp"],
  "ip":  ["443"],
  "app": {
    "tailscale.com/cap/tsidp": [
      {
        "allow_dcr": true,
        "users":     ["*"],
        "resources": ["*"],
      },
    ],
  },
},
// Server can access port 443 of IDP
{
	"src": ["tag:foobar"],
	"dst": ["tag:idp"],
	"ip":  ["443"],
},
```

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Document necessary grants #112

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Document necessary grants #112

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions