Overview
Checkout operations are controlled by a combination of plan availability and user permissions. This article explains who can perform checkout actions and how to customize access.
Plan Requirements First
Before any permissions matter, your organization's plan must support checkout:
| Plan | Checkout Access |
|---|---|
| Nova (Free) | ❌ No |
| Orbit (Starter) | ✅ Yes |
| Odyssey (Growth) | ✅ Yes |
| Business | ✅ Yes |
| Cosmos (Enterprise) | ✅ Yes |
| Welcome (Trial) | ✅ Yes |
| Nonprofit | ✅ Yes |
Key point: If your organization is on Nova (Free plan), nobody can use checkout, regardless of their role. You must upgrade to Orbit or above.
Role-Based Permissions
Checkout permissions are tied to user roles. Different roles have different access:
System Roles
OWNER
- ✅ Check out assets
- ✅ Check in assets
- ✅ View checkout reports
- ✅ Manage checkout permissions for others
- ✅ Create custom roles with checkout permissions
Note: Owners have all permissions by default.
MANAGER
- ✅ Check out assets
- ✅ Check in assets
- ✅ View checkout reports
- ❌ Cannot manage permissions or create custom roles
Note: Managers are the primary checkout users in most organizations.
EMPLOYEE
- ❌ Cannot check out assets
- ❌ Cannot check in assets
- ✅ Can view their own checked-out assets
- ❌ Cannot access checkout reports
Note: Employees can see what they personally have checked out but cannot manage checkouts.
VIEWER
- ❌ Cannot check out assets
- ❌ Cannot check in assets
- ✅ Can view checkout reports (read-only)
- ✅ Can see checkout history on assets
Note: Viewers have read-only access to checkout data.
ADMIN (Legacy)
- ✅ Check out assets
- ✅ Check in assets
- ✅ View checkout reports
- ❌ Cannot manage permissions (use MANAGER for new users)
Note: ADMIN is retained for backward compatibility; functionally equivalent to MANAGER for checkouts.
Permission Strings
Checkout operations use these permission strings:
assetCheckout:create
Required for: Checking out an asset
Granted to: OWNER, MANAGER, ADMIN (default)
Customizable: Yes (via custom roles)
assetCheckout:return
Required for: Checking in an asset
Granted to: OWNER, MANAGER, ADMIN (default)
Customizable: Yes (via custom roles)
assetCheckout:read
Required for: Viewing checkout history and reports
Granted to: All roles (read-only for EMPLOYEE and VIEWER)
Customizable: Yes (via custom roles)
assetCheckout:manage
Required for: Managing checkout sessions (Phase 2 feature)
Granted to: OWNER, MANAGER (future)
Customizable: Yes (via custom roles)
Who Can Do What?
Check Out an Asset
Required:
- ✅ Organization on Orbit+ plan
- ✅ User has MANAGER role (or OWNER, ADMIN)
- ✅ User has
assetCheckout:createpermission
Cannot:
- ❌ EMPLOYEE role users
- ❌ VIEWER role users
- ❌ Users on Free (Nova) plan
Example: A Manager can check out an asset. An Employee cannot, even if they have Manager-level responsibilities.
Check In an Asset
Required:
- ✅ Organization on Orbit+ plan
- ✅ User has MANAGER role (or OWNER, ADMIN)
- ✅ User has
assetCheckout:returnpermission
Cannot:
- ❌ EMPLOYEE role users
- ❌ VIEWER role users
- ❌ Users on Free (Nova) plan
Example: Only a Manager can close out a checkout. An Employee who borrowed the asset cannot check it in themselves.
View Checkout History
Required:
- ✅ User has
assetCheckout:readpermission
Can:
- ✅ All roles (OWNER, MANAGER, EMPLOYEE, VIEWER, ADMIN)
Note: Everyone can view checkout history. EMPLOYEE and VIEWER cannot modify (check out/in), only view.
View Checkout Reports
Required:
- ✅ User has
assetCheckout:readpermission
Can:
- ✅ All roles (OWNER, MANAGER, EMPLOYEE, VIEWER, ADMIN)
Example: An EMPLOYEE can see checkout reports but cannot create new checkouts.
Customizing Permissions
For Custom Roles
Owners can create custom roles with specific permission combinations:
Example 1: Field Coordinator
- ✅
assetCheckout:create— Can check out equipment - ✅
assetCheckout:return— Can check equipment back in - ✅
assetCheckout:read— Can view reports - ✅
asset:read— Can see asset details - ❌ No
user:invite— Cannot add users - ❌ No
settings:manage— Cannot change organization settings
Example 2: Finance Analyst
- ❌
assetCheckout:create— Cannot check out - ❌
assetCheckout:return— Cannot check in - ✅
assetCheckout:read— Can view reports for cost analysis - ✅
asset:read— Can see asset details - ❌ No modification permissions
Example 3: Technician
- ✅
assetCheckout:create— Can check out tools - ✅
assetCheckout:return— Can check tools in - ✅
maintenance:create— Can log maintenance - ✅
asset:read— Can see asset details - ❌ No permission to modify asset configuration
How to Create Custom Roles
- Go to Settings → Users → Roles
- Click "Create Custom Role"
- Enter role name and description
- Check the permissions you want to grant:
assetCheckout:createassetCheckout:returnassetCheckout:read- (+ other permissions as needed)
- Save the custom role
- Assign the custom role to users
Common Permission Scenarios
Scenario 1: Facilities Team Needs Checkout Access
Requirement: Facilities staff should be able to check out and check in equipment.
Solution:
- Create custom role: "Facilities Coordinator"
- Grant permissions:
- ✅
assetCheckout:create - ✅
assetCheckout:return - ✅
asset:read - ✅
maintenance:create(bonus: log equipment damage)
- ✅
- Assign role to facilities team members
Scenario 2: Department Heads Want Checkout Access
Requirement: Each department head can check out equipment for their team but can't check in (facilities does that).
Solution:
- Create custom role: "Department Head"
- Grant permissions:
- ✅
assetCheckout:create— Can check out - ❌
assetCheckout:return— Cannot check in (facilities does) - ✅
asset:read— Can see assets - ✅
department:manage— Can manage their department
- ✅
- Assign to department heads
Process:
- Head checks out equipment
- Employee uses it
- Facilities checks it back in when returned
Scenario 3: Finance Needs Reporting Only
Requirement: Finance analyst should see checkout reports for cost analysis but cannot perform checkouts.
Solution:
- Assign VIEWER role (or create custom with read-only permissions)
- Grant:
- ✅
assetCheckout:read— Can view reports - ✅
asset:read— Can see assets - ❌
assetCheckout:create— Cannot check out - ❌
assetCheckout:return— Cannot check in
- ✅
- User can export and analyze reports, nothing more
Scenario 4: External Contractor Limited Access
Requirement: External contractor can only check out tools for their project, no other access.
Solution:
- Create custom role: "Contractor"
- Grant ONLY:
- ✅
assetCheckout:create— Can check out - ✅
assetCheckout:return— Can check in - ✅
asset:read— Can see tool details
- ✅
- Assign to contractor
- Contractor cannot: create assets, add users, access settings, modify anything else
Permission Denial
If a user tries to perform an action they don't have permission for:
Check-Out Denied
If they try to check out but lack assetCheckout:create:
Error: Unauthorized
You don't have permission to check out assets.
Contact your admin for assistance.
Check-In Denied
If they try to check in but lack assetCheckout:return:
Error: Unauthorized
You don't have permission to check in assets.
Contact your admin for assistance.
Plan Denied
If their organization is on Free plan:
Error: Asset Check-Out is available on Orbit and above.
Please upgrade your plan to use checkout features.
Checking Your Permissions
View Your Current Role
- Go to Settings → Users
- Find your name in the user list
- Your current role is shown
View Your Permissions
- Go to Settings → Users
- Click your user row
- "Permissions" section lists what you can do
Request More Permissions
If you need checkout access:
- Contact your organization's Owner or Manager
- Request they:
- Upgrade your role to MANAGER
- OR create a custom role with checkout permissions
- OR request a custom role with specific permissions
Best Practices
1. Principle of Least Privilege
Only grant permissions people actually need:
- ❌ Don't make everyone MANAGER
- ✅ Create specific roles for specific jobs
2. Document Custom Roles
When creating custom roles, document what they're for:
- "Field Coordinator — for site-level equipment management"
- "Technician — maintenance and checkout of tools"
3. Review Quarterly
Regular review of who has what permissions:
- Has this person's role changed?
- Do they still need these permissions?
- Are there missing permissions they need?
4. Separate Duties
For audit and control:
- ❌ Don't let the same person always check out AND check in (unless necessary)
- ✅ Have different people handle checkout vs. check-in when possible
Related Articles
Need Help?
Contact your admin to request checkout permissions or ask about available roles.
Need Help?
If you have questions not covered in this article, our support team is here to help.
Contact Support