---
title: "Customize user roles"
slug: "customize-user-roles"
updated: 2025-03-10T17:05:20Z
published: 2025-03-10T17:05:20Z
---

> ## Documentation Index
> Fetch the complete documentation index at: https://support.tulip.co/llms.txt
> Use this file to discover all available pages before exploring further.

# Customize user roles

*With the custom user roles feature, you can mix and match from 75+ permissions to create the perfect User Roles for your enterprise needs.*

          Who can use this feature

          

Users on Enterprise plans.

Tulip provides [13 existing user roles that you can assign](/r230/docs/adding-users-and-managing-user-roles). A custom user role combines permissions from various parts of the platform to more granularly assign the right level of access. Creating your own roles enables robust access control policies with simplicity and flexibility.

## How it Works

Only account owners can create/edit custom user roles.

You can customize user roles with specific permissions in the following areas:

- Analytics
- Apps
- Automations
- Connectors
- Machines
- Player
- Shop Floor
- Tables
- Vision

![Custom%20User%20Role%20Example](https://cdn.document360.io/7c6ff534-cad3-4fc8-9583-912c4016362f/Images/Documentation/Custom%20User%20Role%20Example.png)

### Workspaces Consideration

Any custom roles you create are available globally across any [Workspace](/r230/docs/what-are-workspaces-1). Any roles assigned, however, apply only to that workspace. **You must assign roles to users for each workspace**.

You might have users with different permissions in separate workspaces. With global workspace assets, such as Edge Devices, users have their highest permission of access. This means that if a user has limited access in one workspace and full access in another, they will have full access to an asset used in both workspaces.

## How to Use Custom User Roles

To view any custom user roles, navigate to the **Users** page in the **Account Settings** page of your instance. Click **Roles**.

![Navigate%20to%20Custom%20User%20Roles%20page](https://cdn.document360.io/7c6ff534-cad3-4fc8-9583-912c4016362f/Images/Documentation/Navigate%20to%20Custom%20User%20Roles%20page.gif)

You can view and search through roles using the search bar and filter buttons at the top of the list.

![Custom%20User%20Roles%20Search%20and%20Filter](https://cdn.document360.io/7c6ff534-cad3-4fc8-9583-912c4016362f/Images/Documentation/Custom%20User%20Roles%20Search%20and%20Filter.png)

**Tulip** roles are the available roles that already exist in your Instance. **Custom** roles are the custom roles you create.

### Create

1. Click **+ Create Role**.
2. Choose to either **duplicate** and modify an existing role or **create** a new role from scratch.
3. Fill in the **Role Name** and **Description** fields.  

The role name should be unique and identifiable.

![Custom%20User%20Role%20-%20Name%20and%20Description](https://cdn.document360.io/7c6ff534-cad3-4fc8-9583-912c4016362f/Images/Documentation/Custom%20User%20Role%20-%20Name%20and%20Description.png)

1. Select the level of access for each area of Tulip using the drop down categories.

![Select%20Custom%20User%20Role%20Access](https://cdn.document360.io/7c6ff534-cad3-4fc8-9583-912c4016362f/Images/Documentation/Select%20Custom%20User%20Role%20Access.gif)

1. Click **Save**.

### Assign

1. Navigate to the **Users** page.
2. Select a user from the list.
3. Within the workspace configuration for the user, select the user role you’d like to assign.

![Assign%20Customer%20User%20Role](https://cdn.document360.io/7c6ff534-cad3-4fc8-9583-912c4016362f/Images/Documentation/Assign%20Customer%20User%20Role.gif)

### Edit

When you edit a custom user role, it will instantly change permissions of all users with that user role.

1. Navigate to the **Roles** page.
2. Click on the role you want to edit.
3. Click the **pencil icon** in the top right.

![Edit%20Custom%20User%20Role](https://cdn.document360.io/7c6ff534-cad3-4fc8-9583-912c4016362f/Images/Documentation/Edit%20Custom%20User%20Role.png)

1. Make any changes to fields or permissions.
2. Click **Save**.

### Archive

1. Navigate to the **Roles** page.
2. Click on the role you want to edit.
3. Click the **three-dot-menu** in the top right. Select **Archive**.

![Archive Custom User Role](https://cdn.document360.io/7c6ff534-cad3-4fc8-9583-912c4016362f/Images/Documentation/Archive%20Custom%20User%20Role.png)

1. On the confirmation modal, click **Archive**.

To view any archived roles, navigate to the **Roles** page and click the **three-dot-menu** at the top right. Select **View archived roles**.add

![View Archived User Roles](https://cdn.document360.io/7c6ff534-cad3-4fc8-9583-912c4016362f/Images/Documentation/View%20Archived%20User%20Roles.png)

To restore an archived role, hover over a role and then click the **restore** button.

## Custom Role Scenarios

### I want to control costs and avoid driving up our bill.

When you pay for certain assets created in your instance, you want to limit permissions to only necessary users.

Here’s a list of features that affect pricing based on creation or usage:

- Stations
- Automations
- Machine monitoring
- Vision

Create roles with limited or view only access to these features to ensure that your costs don’t spike.

### I want to secure production data.

If you’re particularly concerned with data security, users who can create, edit, and delete Table Records pose a significant risk. Create a custom user role that restricts table access to view only or limited for users who don’t need to write to tables. This ensures that only the right people have access to precious data and limits unwarranted altering.

## Compatibility with External IDPs

Custom User Roles can be assigned via SAML. They are not compatible with LDAP.

## Further Reading

- [Administration and Governance](/r230/docs/administration-and-governance)
- [How to Deactivate/Delete Users and Operators](/r230/docs/how-to-deactivatedelete-users-and-operators)

**Analytic**

**Analytics** are live updating graphs and metrics calculated based on app data, Table data, and machine data. Analytics can be embedded and dynamically filtered within an application.

![](https://cdn.document360.io/7c6ff534-cad3-4fc8-9583-912c4016362f/Images/Documentation/image-1662410531382.png)

**Automation**

**Workflow** that performs tasks in the background, without an interface. Automations run logic every time an **event** occurs.

![](https://cdn.document360.io/7c6ff534-cad3-4fc8-9583-912c4016362f/Images/Glossary/Automations1.gif)

**Connectors**

**Connectors** enable real-time connectivity between your Tulip solution and a transactional system (e.g. an ERP). The output of a Connector Function can be used in Tulip Apps, Automations, and Functions.

- **HTTP Connectors** utilize HTTP API endpoints.
- **SQL Connectors** can enable connectivity with certain SQL databases.
- **MQTT Connectors** can connect to MQTT brokers for machine monitoring.

![](https://cdn.document360.io/7c6ff534-cad3-4fc8-9583-912c4016362f/Images/Documentation/connector.gif)

**Machine**

A **Machine**is a digital representation of a physical datasource. Machines have **Attributes**that are updated through an OPC-UA Connector or the Tulip API.

**Tulip Player**

**Tulip Player** is the Windows/Mac executable program where users can run Tulip apps. Tulip player allows you to create a more seamless user experience by removing the need for a web browser, and allows increased IT controls.

**Shop Floor**

The area of the platform responsible for moving applications into production. Under the shop floor, you can manage **Stations**, **Edge Devices,**and the app publication details such as which **Version** is accessible to users, which **Devices**are connected to the app, and which **Interface (display device)******the app is run on.

**Tulip Tables**

**Tulip Tables** are a global location to store your production data. **Tables** are made up of **Records** (rows). A single can be accessed from multiple apps or stations at the same time. ![](https://cdn.document360.io/7c6ff534-cad3-4fc8-9583-912c4016362f/Images/Documentation/Tulip%20Tables%20Overview%20-%20Feature%20Overview(1).gif)

**Tulip Vision**

**Vision**is a simple no-code tool to use cameras for visual inspection, process adherence, equipment, personnel, and material tracking on the shop floor.

**Workspace**

**Workspaces**are a model within Tulip to separate Tulip assets to match the places where work is being done. A workspace should represent a single facility, line, or department. With workspaces, users across facilities can easily collaborate, share their solutions, and improve their global operations.

**Edge Device**

**Edge Devices** are any hardware intended to connect physical things to the cloud. This can include entirely mechanical devices, older machines without network functionality, PLCs, and more.

Tulip sells the **Edge IO** and **Edge MC** that interface directly into **Triggers** in a breeze, but Tulip can also support other Edge Devices.

**Tulip Instance**

A Tulip customer account. Your instance can be found at https://[your-instance].tulip.co

When *your instance*is referenced, we are just talking about your Tulip account on an organization-level, not user-level.

**Table Record**

A **Table Record** is a reference to a row in a **Tulip Table**. Table Records can be created either from the Table UI or from with an App Trigger.

To edit a record it must be loaded into a **Table Record Placeholder.**