Oh yes, Tailscale/ZeroTier actually has a centralized control plane such that access can be revoked centrally and users can be managed centrally too. And Tailscale has very nice blog posts explaining their infrastructure [1].
[1] https://tailscale.com/blog/how-tailscale-works/
Thanks! I've read (again) the article, but it doesn't really answer my question. Here's a concrete example:
An organization uses Tailscale. There's 'server102' that is connected to the Tailscale network that all users of the `devops` team have access to. A new employee, Anne, joins the company. Sysadmins set up her SSO account, as well as making her part of `devops` on Tailscale.
Anne gets her company computer, sets it up, connects to Tailscale, fires up her shell, types in `ssh anne@server102`, presses Enter.
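A tailnet policy file (HuJSON) that would back the scenario above, added here as an illustration and not taken from the thread or from any Tailscale documentation; it assumes the host is tagged `tag:server102`, that Anne's identity is the placeholder `anne@example.com`, and that Tailscale SSH is enabled on the host for the `ssh` section to apply (plain sshd would only be governed by the network ACL).

```json
{
  // Constructed example: group membership is managed centrally in the tailnet policy.
  "groups": {
    "group:devops": ["anne@example.com"]   // placeholder identity for Anne
  },
  // Who may apply the tag to a node (assumed tag name for server102).
  "tagOwners": {
    "tag:server102": ["group:devops"]
  },
  "acls": [
    // Network path: only group:devops may reach server102's SSH port; everything else is denied by default.
    {"action": "accept", "src": ["group:devops"], "dst": ["tag:server102:22"]}
  ],
  "ssh": [
    // Tailscale SSH (if enabled on the host): devops users may log in as non-root users,
    // and "check" forces a fresh SSO re-authentication before the session is allowed.
    {"action": "check", "src": ["group:devops"], "dst": ["tag:server102"], "users": ["autogroup:nonroot"]}
  ]
}
```

Removing `anne@example.com` from `group:devops` (or removing her user from the tailnet) closes both the network path and the SSH login from the control plane, which is the central-revocation point made in the first comment.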