An Overview of Tulip’s Security Options
  • 13 Jun 2023
  • 6 Minutes to read
  • Contributors

An Overview of Tulip’s Security Options


Article summary

Use this guide to understand the different security options that are available for each mode of Tulip deployment.

Most Tulip customers use frontline operations apps to capture data from their production lines. This means that many devices running Tulip software need to communicate with your company’s network to store and potentially retrieve data.

This opens up many new security considerations since both operators and manufacturing engineers will be using Tulip. These security considerations occur across multiple levels of the Tulip platform and your network:

  • Server-level: Where are the servers that are running Tulip and storing your data?
  • Network-level: How can individual tablets, laptops, and machines communicate with servers running Tulip?
  • Account-level: Who can access and modify data in a Tulip account?
  • Edge Device-level: How do your Edge Device share data with the Tulip Platform?
  • Tulip app-level: Who can access and modify each Tulip app?
  • Device-level: Who is allowed to access Tulip on a laptop or tablet that is running Tulip software?

Here is a quick guide to the ways that Tulip addresses each of the above categories.

These strategies will cover both security and compliance requirements.

Server Level

There are four ways to deploy Tulip software:

  1. Amazon Web Services (AWS) cloud
  2. Amazon Web Services GovCloud
  3. Azure Web Services cloud

The default method for deploying Tulip is a cloud deployment either in Amazon Web Services or Azure. In a cloud-based deployment, the technical support team at Tulip will be able to monitor your account and alert you when Tulip fails to connect to your network due to an internal IT change or another reason.

For GxP customers who want a private cloud hosting with their own dedicated tenancy, we do offer this option. Although this provides the same security measures as a normal cloud environment, it provides additional compliance benefits.
In the past, Tulip offered options for completely private cloud and on-prem deployments. These options were discontinued and the end of life completed in April 2022.

Network Level

In order to allow devices running Tulip software to communicate with a server that is hosting the Tulip platform, your network must meet certain requirements. Please review this IT requirements guide to see if your network meets these standards.

In an on-premises deployment, your IT team will be responsible for the security of your network. In a cloud-based deployment, you will be covered by the security policies of Amazon Web Services.

Account Level

Tulip has 4 levels of user roles on "standard" and "professional" plans, and 8 levels of roles on enterprise plans. Read more about managing user roles here

Access can be grouped into three distinct categories:

  1. Users, which can access both Tulip and the Tulip Player
  2. Viewers, which can only view assets in Tulip
  3. Operators, which can only access the Tulip Player

You must add these users, operators and viewers individually to Tulip in Settings or integrate with Active Directory to create restrictions in Tulip based on user permissions in Active Directory.

Let’s imagine that you want to deploy Tulip across multiple factories and departments, and you want to restrict user permissions based on each factory.

Since Tulip’s current permission system allows any user to build and edit apps, you can use multiple Tulip accounts to control permissions. For example, if the name of your company is “Acme” and you have factories in New York and Boston, you could use two accounts:

  1. acme-newyork.tulip.co
  2. acme-boston.tulip.co

Edge Devices Level

Your company may be considering an Edge Device to either monitor machines on your shop floor or integrate devices at operator workstations.

Tulip has a few requirements to allow your Edge Device to connect to Tulip servers. Please review the “Edge Devices” section of our IT requirements guide for more details.

Tulip App Level

Although all administrators can create and update apps, an app creator can restrict the editing privileges around their specific app.

The Permissions tab on the App Summary View on each app allows the creator to decide the privileges of all other administrators for that particular app. And, they can give specific permissions to individual administrators.

Additionally, Tulip offers an Approval feature at the account level. This prevents new Versions of apps from being released until a certain set of pre-defined administrators indicate their approval. This ensures that apps will not be used on the shop floor until a member of the quality or compliance department approves.

Device Level

You may want to control which apps are available on each laptop or tablet on your shop floor.

Tulip’s Shop Floor tab allows you to create virtual Stations that allow you to restrict the ways that specific laptops and tablets can use Tulip. It also allows you to monitor which apps are being used by operators in real time.

Additionally, Tulip’s LDAP Control Mode and SAML integration allows your Active Directory users and SSO integrations to instantly begin using Tulip by entering their Active Directory credentials.

Regulations/Traceability/Audit

Although all the features listed above will help you comply with regulatory requirements, you will also need to provide data to show the history of your operators’ usage of Tulip.

Tulip makes data readily available in order to comply with GxP standards. The data is created by all of the features listed in the sections above, and then tracked in one centralized location. It is accessible by any administrator of your Tulip account.

For more details, please use the chat tool in the bottom right of this page to reach out to a Tulip representative.


Did you find what you were looking for?

You can also head to community.tulip.co to post your question or see if others have faced a similar question!


Was this article helpful?