Home/Knowledge Base/Asset Management/Checkout Permissions and Access Control
Back to Asset Management

Checkout Permissions and Access Control

4 min readintermediateLast updated: January 2, 2026

Overview

Checkout operations are controlled by a combination of plan availability and user permissions. This article explains who can perform checkout actions and how to customize access.


Plan Requirements First

Before any permissions matter, your organization's plan must support checkout:

PlanCheckout Access
Nova (Free)❌ No
Orbit (Starter)✅ Yes
Odyssey (Growth)✅ Yes
Business✅ Yes
Cosmos (Enterprise)✅ Yes
Welcome (Trial)✅ Yes
Nonprofit✅ Yes

Key point: If your organization is on Nova (Free plan), nobody can use checkout, regardless of their role. You must upgrade to Orbit or above.


Role-Based Permissions

Checkout permissions are tied to user roles. Different roles have different access:

System Roles

OWNER

  • ✅ Check out assets
  • ✅ Check in assets
  • ✅ View checkout reports
  • ✅ Manage checkout permissions for others
  • ✅ Create custom roles with checkout permissions

Note: Owners have all permissions by default.

MANAGER

  • ✅ Check out assets
  • ✅ Check in assets
  • ✅ View checkout reports
  • ❌ Cannot manage permissions or create custom roles

Note: Managers are the primary checkout users in most organizations.

EMPLOYEE

  • ❌ Cannot check out assets
  • ❌ Cannot check in assets
  • ✅ Can view their own checked-out assets
  • ❌ Cannot access checkout reports

Note: Employees can see what they personally have checked out but cannot manage checkouts.

VIEWER

  • ❌ Cannot check out assets
  • ❌ Cannot check in assets
  • ✅ Can view checkout reports (read-only)
  • ✅ Can see checkout history on assets

Note: Viewers have read-only access to checkout data.

ADMIN (Legacy)

  • ✅ Check out assets
  • ✅ Check in assets
  • ✅ View checkout reports
  • ❌ Cannot manage permissions (use MANAGER for new users)

Note: ADMIN is retained for backward compatibility; functionally equivalent to MANAGER for checkouts.


Permission Strings

Checkout operations use these permission strings:

assetCheckout:create

Required for: Checking out an asset

Granted to: OWNER, MANAGER, ADMIN (default)

Customizable: Yes (via custom roles)

assetCheckout:return

Required for: Checking in an asset

Granted to: OWNER, MANAGER, ADMIN (default)

Customizable: Yes (via custom roles)

assetCheckout:read

Required for: Viewing checkout history and reports

Granted to: All roles (read-only for EMPLOYEE and VIEWER)

Customizable: Yes (via custom roles)

assetCheckout:manage

Required for: Managing checkout sessions (Phase 2 feature)

Granted to: OWNER, MANAGER (future)

Customizable: Yes (via custom roles)


Who Can Do What?

Check Out an Asset

Required:

  • ✅ Organization on Orbit+ plan
  • ✅ User has MANAGER role (or OWNER, ADMIN)
  • ✅ User has assetCheckout:create permission

Cannot:

  • ❌ EMPLOYEE role users
  • ❌ VIEWER role users
  • ❌ Users on Free (Nova) plan

Example: A Manager can check out an asset. An Employee cannot, even if they have Manager-level responsibilities.

Check In an Asset

Required:

  • ✅ Organization on Orbit+ plan
  • ✅ User has MANAGER role (or OWNER, ADMIN)
  • ✅ User has assetCheckout:return permission

Cannot:

  • ❌ EMPLOYEE role users
  • ❌ VIEWER role users
  • ❌ Users on Free (Nova) plan

Example: Only a Manager can close out a checkout. An Employee who borrowed the asset cannot check it in themselves.

View Checkout History

Required:

  • ✅ User has assetCheckout:read permission

Can:

  • ✅ All roles (OWNER, MANAGER, EMPLOYEE, VIEWER, ADMIN)

Note: Everyone can view checkout history. EMPLOYEE and VIEWER cannot modify (check out/in), only view.

View Checkout Reports

Required:

  • ✅ User has assetCheckout:read permission

Can:

  • ✅ All roles (OWNER, MANAGER, EMPLOYEE, VIEWER, ADMIN)

Example: An EMPLOYEE can see checkout reports but cannot create new checkouts.


Customizing Permissions

For Custom Roles

Owners can create custom roles with specific permission combinations:

Example 1: Field Coordinator

  • assetCheckout:create — Can check out equipment
  • assetCheckout:return — Can check equipment back in
  • assetCheckout:read — Can view reports
  • asset:read — Can see asset details
  • ❌ No user:invite — Cannot add users
  • ❌ No settings:manage — Cannot change organization settings

Example 2: Finance Analyst

  • assetCheckout:create — Cannot check out
  • assetCheckout:return — Cannot check in
  • assetCheckout:read — Can view reports for cost analysis
  • asset:read — Can see asset details
  • ❌ No modification permissions

Example 3: Technician

  • assetCheckout:create — Can check out tools
  • assetCheckout:return — Can check tools in
  • maintenance:create — Can log maintenance
  • asset:read — Can see asset details
  • ❌ No permission to modify asset configuration

How to Create Custom Roles

  1. Go to Settings → Users → Roles
  2. Click "Create Custom Role"
  3. Enter role name and description
  4. Check the permissions you want to grant:
    • assetCheckout:create
    • assetCheckout:return
    • assetCheckout:read
    • (+ other permissions as needed)
  5. Save the custom role
  6. Assign the custom role to users

Common Permission Scenarios

Scenario 1: Facilities Team Needs Checkout Access

Requirement: Facilities staff should be able to check out and check in equipment.

Solution:

  1. Create custom role: "Facilities Coordinator"
  2. Grant permissions:
    • assetCheckout:create
    • assetCheckout:return
    • asset:read
    • maintenance:create (bonus: log equipment damage)
  3. Assign role to facilities team members

Scenario 2: Department Heads Want Checkout Access

Requirement: Each department head can check out equipment for their team but can't check in (facilities does that).

Solution:

  1. Create custom role: "Department Head"
  2. Grant permissions:
    • assetCheckout:create — Can check out
    • assetCheckout:return — Cannot check in (facilities does)
    • asset:read — Can see assets
    • department:manage — Can manage their department
  3. Assign to department heads

Process:

  • Head checks out equipment
  • Employee uses it
  • Facilities checks it back in when returned

Scenario 3: Finance Needs Reporting Only

Requirement: Finance analyst should see checkout reports for cost analysis but cannot perform checkouts.

Solution:

  1. Assign VIEWER role (or create custom with read-only permissions)
  2. Grant:
    • assetCheckout:read — Can view reports
    • asset:read — Can see assets
    • assetCheckout:create — Cannot check out
    • assetCheckout:return — Cannot check in
  3. User can export and analyze reports, nothing more

Scenario 4: External Contractor Limited Access

Requirement: External contractor can only check out tools for their project, no other access.

Solution:

  1. Create custom role: "Contractor"
  2. Grant ONLY:
    • assetCheckout:create — Can check out
    • assetCheckout:return — Can check in
    • asset:read — Can see tool details
  3. Assign to contractor
  4. Contractor cannot: create assets, add users, access settings, modify anything else

Permission Denial

If a user tries to perform an action they don't have permission for:

Check-Out Denied

If they try to check out but lack assetCheckout:create:

Error: Unauthorized

You don't have permission to check out assets.
Contact your admin for assistance.

Check-In Denied

If they try to check in but lack assetCheckout:return:

Error: Unauthorized

You don't have permission to check in assets.
Contact your admin for assistance.

Plan Denied

If their organization is on Free plan:

Error: Asset Check-Out is available on Orbit and above.

Please upgrade your plan to use checkout features.

Checking Your Permissions

View Your Current Role

  1. Go to Settings → Users
  2. Find your name in the user list
  3. Your current role is shown

View Your Permissions

  1. Go to Settings → Users
  2. Click your user row
  3. "Permissions" section lists what you can do

Request More Permissions

If you need checkout access:

  1. Contact your organization's Owner or Manager
  2. Request they:
    • Upgrade your role to MANAGER
    • OR create a custom role with checkout permissions
    • OR request a custom role with specific permissions

Best Practices

1. Principle of Least Privilege

Only grant permissions people actually need:

  • ❌ Don't make everyone MANAGER
  • ✅ Create specific roles for specific jobs

2. Document Custom Roles

When creating custom roles, document what they're for:

  • "Field Coordinator — for site-level equipment management"
  • "Technician — maintenance and checkout of tools"

3. Review Quarterly

Regular review of who has what permissions:

  • Has this person's role changed?
  • Do they still need these permissions?
  • Are there missing permissions they need?

4. Separate Duties

For audit and control:

  • ❌ Don't let the same person always check out AND check in (unless necessary)
  • ✅ Have different people handle checkout vs. check-in when possible

Related Articles

Need Help?

Contact your admin to request checkout permissions or ask about available roles.

Need Help?

If you have questions not covered in this article, our support team is here to help.

Contact Support