Skip to main content

Tags

Tags are a flexible mechanism for assigning rules and settings to hosts.

Tag Creation

Important: Tags must be created before they can be assigned. You cannot *reference a tag that doesn't already exist.

To create tags:

  1. Navigate to the All Tags section in /settings.
  2. Click "Create Tag"
  3. Provide a unique name - max 42 chars
  4. Click "Create" to save the tag

Once created the tag will appear in the Tagged Settings pane above and can now be assigned to rules, settings, and hosts.

An unlimited number of tags can be created, but only 25 can be assigned to a host at a time.

Tags can also be created using the CreateTag RPC.

Tag Assignment Methods

Tags can be applied to hosts via two methods:

1. Manual Assignment (Per-Host)

Tags can be manually assigned directly to individual hosts through the Workshop interface or UpdateHost RPC. This provides granular control over which tags are applied to specific machines.

warning

If a host has tags manually assigned, that host cannot participate in approval workflows.

2. Automatic Assignment (Via Groups)

Tags can be automatically applied to hosts through group membership. This provides scalable tag management across multiple hosts.

In order to use tags applied by groups, they must be added to the Tagged Settings section. This defines the order in which the tags will apply.

  1. Navigate to the Tagged Settings section in /settings.
  2. Click "Add Settings"
  3. Choose a tag
  4. Click Add

There is currently a 25 tag limit. If you find you need more tags, contact support with your use case.

Tags can also be ordered with the UpdateTagOrder RPC.

Group Attachment Methods

There are two methods to attach a host to a group (which contains tags):

Method 1: Directory Sync

When directory sync is enabled:

  • Any group the host's primary user is a member of will gain access to that group's assigned tags
  • This provides seamless integration with existing directory structures.
  • Tag assignment happens automatically based on user group membership

Method 2: Primary User Groups (Client-Defined)

Starting with version 2025.6 of Santa:

  • You can define primary user groups for a host directly on the client
  • This method provides more flexibility for environments that aren't using directory sync
  • Allows manual specification of which groups a host should inherit tags from
warning

If a host has tags manually assigned via primary user groups, that host cannot participate in approval workflows. This is a temporary restriction, future versions of Workshop will enable approval workflows for client defined groups.

Tag Application Order

For both group assignment methods, the total set of tags are applied to the host using the defined tag order. This ensures consistent and predictable tag application across your environment.