Access Control

Tag-based network access control in Baseguard

Baseguard uses a tag-based access control system to define what traffic is allowed between nodes in your network. Combined with tags, ACLs enable fine-grained zero-trust security.

Overview

Access control in Baseguard works by:

  1. Tags — Labels assigned to nodes (e.g., production, database)
  2. Network Rules — Rules defining allowed traffic between tagged groups

Key Concepts

Default Allow

New organizations start with a default "allow all" rule so that nodes can connect immediately. Traffic is denied unless a matching allow rule exists; rule order does not matter, because traffic is permitted as soon as any rule matches it. Once you have added your own rules, remove the default "allow all" rule to enforce a zero-trust model. See Network Rules for details.

Tag-Based Rules

Rules match traffic by tags, not IP addresses:

Source: [admin]
Destination: [database]
Protocol: TCP
Ports: 5432

→ Nodes tagged "admin" can reach nodes tagged "database" on port 5432

Getting Started

Quick Example

Scenario

You have:

  • Admin laptops
  • Web servers
  • Database servers

Tags

admin-laptop → [admin]
web-server-1 → [web]
web-server-2 → [web]
db-server → [database]

ACL Rules

# Admins can SSH to everything
[admin] → [] : TCP/22

# Web servers can reach databases
[web] → [database] : TCP/5432

# Web servers can reach each other
[web] → [web] : TCP/8080

Result

  • Admin laptops can SSH to any server
  • Web servers can query databases
  • Web servers can communicate with each other
  • Database servers cannot initiate connections to web servers
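The Quick Example above, evaluated with a small Python model of the rule semantics this page describes (an added example, not Baseguard's own code). It assumes that an empty tag set in a rule (the page's "[]") matches any node, and it models the starter "allow all" rule as a rule with every field empty, to show why that rule must be removed before the others enforce anything.

```python
from dataclasses import dataclass

# Added example modelling the page's rule semantics; not Baseguard's own code.
# Assumption: an empty tag, port or protocol field in a rule (the page's "[]") means "any".

@dataclass(frozen=True)
class Rule:
    src: frozenset          # source tags; empty = any node
    dst: frozenset          # destination tags; empty = any node
    proto: str              # "TCP"/"UDP"; empty = any protocol
    ports: frozenset        # destination ports; empty = any port
    description: str = ""   # best practice: document why the rule exists

def rule_matches(rule, src_tags, dst_tags, proto, port):
    """True when the rule's tag sets overlap the nodes' tags (or are 'any')
    and the protocol and destination port agree."""
    src_ok = not rule.src or bool(rule.src & src_tags)
    dst_ok = not rule.dst or bool(rule.dst & dst_tags)
    proto_ok = not rule.proto or rule.proto.upper() == proto.upper()
    port_ok = not rule.ports or port in rule.ports
    return src_ok and dst_ok and proto_ok and port_ok

def is_allowed(rules, node_tags, src, dst, proto, port):
    """Default deny: traffic passes only if at least one allow rule matches.
    Rule order is irrelevant, so any() is the whole evaluation."""
    return any(rule_matches(r, node_tags[src], node_tags[dst], proto, port)
               for r in rules)

# Constructed inventory mirroring the Quick Example.
NODE_TAGS = {
    "admin-laptop": frozenset({"admin"}),
    "web-server-1": frozenset({"web"}),
    "web-server-2": frozenset({"web"}),
    "db-server":    frozenset({"database"}),
}

RULES = [
    Rule(frozenset({"admin"}), frozenset(), "TCP", frozenset({22}), "Admins can SSH to everything"),
    Rule(frozenset({"web"}), frozenset({"database"}), "TCP", frozenset({5432}), "Web servers can reach databases"),
    Rule(frozenset({"web"}), frozenset({"web"}), "TCP", frozenset({8080}), "Web servers can reach each other"),
]

# The starter rule new organizations get: it matches everything, so it must be removed.
DEFAULT_ALLOW_ALL = Rule(frozenset(), frozenset(), "", frozenset(), "default allow all")

if __name__ == "__main__":  # strict result vs. result with the starter rule still present
    for src, dst, port in [("admin-laptop", "db-server", 22), ("db-server", "web-server-1", 8080)]:
        print(src, "->", dst, port, is_allowed(RULES, NODE_TAGS, src, dst, "TCP", port),
              is_allowed(RULES + [DEFAULT_ALLOW_ALL], NODE_TAGS, src, dst, "TCP", port))
```

Running it shows the database server reaching a web server only while the starter rule is still in the list, which is the "Regular review" point from Best Practices made concrete.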

Best Practices

  1. Start restrictive: Begin with minimal access, add rules as needed
  2. Use meaningful tags: web-frontend over server-1
  3. Document rules: Add descriptions explaining the purpose
  4. Regular review: Audit rules periodically for unused or overly broad permissions
