---
title: "Tulip security options"
slug: "tulip-security-options"
updated: 2025-09-08T15:45:33Z
published: 2025-09-08T15:45:33Z
---


# Tulip security options

*Use this guide to understand the different security options that are available for each mode of Tulip deployment.*

Most Tulip customers use frontline operations apps to capture data from their production lines. This means that many devices running Tulip software need to communicate with your company’s network to store and potentially retrieve data.

This opens up many new security considerations since both operators and manufacturing engineers will be using Tulip. These security considerations occur across multiple levels of the Tulip platform and your network:

- **Server-level:** Where are the servers that are running Tulip and storing your data?
- **Network-level:** How can individual tablets, laptops, and machines communicate with servers running Tulip?
- **Account-level:** Who can access and modify data in a Tulip account?
- **Edge Device-level:** How do your Edge Devices share data with the Tulip Platform?
- **Tulip app-level:** Who can access and modify each Tulip app?
- **Device-level:** Who is allowed to access Tulip on a laptop or tablet that is running Tulip software?

Here is a quick guide to the ways that Tulip addresses each of the above categories.

These strategies will cover both security and compliance requirements.

## Server Level

There are four ways to deploy Tulip software:

1. Amazon Web Services (AWS) cloud
2. Amazon Web Services GovCloud
3. Azure Web Services cloud

The [default method for deploying Tulip is a cloud deployment](https://support.tulip.co/docs/tulip-it-security-guide) either in Amazon Web Services or Azure. In a cloud-based deployment, the technical support team at Tulip will be able to monitor your account and alert you when Tulip fails to connect to your network due to an internal IT change or another reason.

In the past, Tulip offered options for completely private cloud and on-prem deployments. These options were discontinued and the end of life completed in April 2022.

## Network Level

In order to allow devices running Tulip software to communicate with a server that is hosting the Tulip platform, your network must meet certain requirements. Please review this [IT requirements guide](https://support.tulip.co/docs/networking-requirements-for-a-tulip-cloud-deployment) to see if your network meets these standards.

In an on-premises deployment, your IT team will be responsible for the security of your network. In a cloud-based deployment, you will be covered by the [security policies of Amazon Web Services](https://aws.amazon.com/security/).

## Account Level

Tulip has 4 levels of user roles on "standard" and "professional" plans, and 8 levels of roles on enterprise plans. [Read more about managing user roles here](https://support.tulip.co/docs/adding-users-and-managing-user-roles).

Access can be grouped into three distinct categories:

1. **Users**, which can access both Tulip and the Tulip Player
2. **Viewers**, which can only view assets in Tulip
3. **Operators**, which can only access the Tulip Player

You must add these users, operators and viewers individually to Tulip in [Settings](https://support.tulip.co/docs/adding-users-and-managing-user-roles) or [integrate with Active Directory](https://support.tulip.co/docs/integrating-ldap-with-tulip) to create restrictions in Tulip based on user permissions in Active Directory.

Let’s imagine that you want to deploy Tulip across multiple factories and departments, and you want to restrict user permissions based on each factory.

Since Tulip’s current permission system allows any user to build and edit apps, you can use multiple Tulip accounts to control permissions. For example, if the name of your company is “Acme” and you have factories in New York and Boston, you could use two accounts:

1. acme-newyork.tulip.co
2. acme-boston.tulip.co

## Edge Devices Level

Your company may be considering an Edge Device to either monitor machines on your shop floor or integrate devices at operator workstations.

Tulip has a few requirements to allow your Edge Device to connect to Tulip servers. Please review the “[Edge Devices](https://support.tulip.co/docs/networking-requirements-for-a-tulip-cloud-deployment)” section of our IT requirements guide for more details.

## Tulip App Level

Although all administrators can create and update apps, an app creator can restrict the editing privileges around their specific app.

The [Permissions tab](https://support.tulip.co/docs/quickstart-guide) on the App Summary View on each app allows the creator to decide the privileges of all other administrators for that particular app. They can also give specific permissions to individual administrators.

Additionally, Tulip offers an [Approval feature](https://support.tulip.co/docs/how-to-set-up-approvals-for-your-apps) at the account level. This prevents new Versions of apps from being released until a certain set of pre-defined administrators indicate their approval. This ensures that apps will not be used on the shop floor until a member of the quality or compliance department approves.

## Device Level

You may want to control which apps are available on each laptop or tablet on your shop floor.

Tulip’s **Shop Floor** tab allows you to create virtual **Stations** that allow you to restrict the ways that specific laptops and tablets can use Tulip. It also allows you to monitor which apps are being used by operators in real time.

Additionally, Tulip’s [LDAP Control Mode](https://support.tulip.co/docs/integrating-ldap-with-tulip) and [SAML integration](https://support.tulip.co/docs/authorization-and-access-control-using-saml) allow your Active Directory users and SSO integrations to instantly begin using Tulip by entering their Active Directory credentials.

## Regulations/Traceability/Audit

Although all the features listed above will help you comply with regulatory requirements, you will also need to provide data to show the history of your operators’ usage of Tulip.

Tulip makes data readily available in order to comply with GxP standards. The data is created by all of the features listed in the sections above, and then tracked in one centralized location. It is accessible by any administrator of your Tulip account.

For more details, please use the chat tool in the bottom right of this page to reach out to a Tulip representative.

---


**Edge Device**

**Edge Devices** are any hardware intended to connect physical things to the cloud. This can include entirely mechanical devices, older machines without network functionality, PLCs, and more.

Tulip sells the **Edge IO** and **Edge MC** that interface directly into **Triggers** in a breeze, but Tulip can also support other Edge Devices.

**Tulip Player**

**Tulip Player** is the Windows/Mac executable program where users can run Tulip apps. Tulip Player allows you to create a more seamless user experience by removing the need for a web browser and allows increased IT controls.

**Permissions**

Settings for controlling which users have access to specific applications. Use permissions to ensure that only approved users are able to access published applications in production settings.

**Approval**

A mechanism for ensuring that applications are reviewed and approved before publication. *Approval types* can be configured under the settings menu. Specific approvals may be applied to an application on the application homescreen.

**Published Version**

The **Published Version** of a Tulip app is a complete version of your Application. When an app is ready to be run in production, its logic can be *frozen* by Publishing that app. One application can have multiple published versions. If a **Station** is assigned to run the Published version of an application, it will only see changes when they are published.

**Shop Floor**

The area of the platform responsible for moving applications into production. Under the shop floor, you can manage **Stations**, **Edge Devices**, and the app publication details such as which **Version** is accessible to users, which **Devices** are connected to the app, and which **Interface (display device)** the app is run on.

**Station**

**Stations** are a digital representation of a physical place or device in your facility. Stations are 1:1 with **Interfaces (display devices)** running Tulip Player, but Stations can also be assigned **Edge Devices**, Tulip Vision Camera Configurations, Machines, and more.

**Single Sign On**

**Single sign-on** is an authentication scheme that allows a user to log in with a single ID to any of several related, yet independent, software systems. True single sign-on allows the user to log in once and access services without re-entering authentication factors.

**GxP**

**Good *X* Practice**. An abbreviation collecting many of the core principles of Life Sciences compliance.

*ex-*

- *GMP - Good Manufacturing Practice*
- *GLP - Good Laboratory Practice*
- *GDP - Good Distribution Practice*
