Understanding Roles and Permissions - Access Control Guide

10 min | Beginner | Last updated: January 2, 2026

UniAsset uses role-based access control (RBAC) to manage what users can do. This guide explains each role, its permissions, and how to choose the right role for each team member.

Overview

UniAsset has four user roles, each with different permission levels:

  1. Owner — Full system access including billing
  2. Admin — Full data access, cannot manage billing
  3. Manager — Can create/edit assets and logs, limited administrative access
  4. Viewer — Read-only access

Principle of Least Privilege: Give users the minimum permissions they need to do their job. Most users should be Managers or Viewers, not Admins.

The Four Roles

Owner Role

Who has this role:

  • Organization founder
  • CEO or primary stakeholder
  • Billing contact

Unique permissions:

  • ✅ Everything an Admin can do, PLUS:
  • ✅ Manage subscription and billing
  • ✅ View and download invoices
  • ✅ Update payment methods
  • ✅ Upgrade/downgrade plans
  • ✅ Delete the entire organization (irreversible!)
  • ✅ Transfer ownership to another user
  • ✅ Cannot be removed by other users (Admins cannot delete Owner)

Limitations:

  • Only ONE Owner per organization (cannot have multiple Owners)
  • Owner role can be transferred but not deleted

When to use:

  • Assign to the person responsible for company billing
  • Should be someone with long-term involvement (not a temp employee)
  • Must be a trusted person (has power to delete entire organization)

⚠️ WARNING: Owner can delete the organization, cancel subscription, and remove all data. This role should be reserved for a single, highly trusted person.

Admin Role

Who should have this role:

  • IT Manager
  • Operations Manager
  • Facilities Manager
  • Anyone who needs full system configuration access

Permissions:

  • ✅ Create, edit, delete assets
  • ✅ Log, edit, delete maintenance records
  • ✅ Upload and delete documents/images
  • ✅ Invite and remove users (except Owner)
  • ✅ Manage user roles (promote/demote other users)
  • ✅ Configure system settings (categories, locations, departments, statuses)
  • ✅ View and run all reports
  • ✅ Import/export assets via CSV
  • ✅ Access all assets (even those assigned to other users)
  • ❌ Cannot manage billing or subscription
  • ❌ Cannot delete the organization
  • ❌ Cannot remove the Owner

When to use:

  • Assign to 2-4 trusted individuals who manage the system
  • IT administrators who configure categories, locations, users
  • Department heads who need full operational control

Use cases:

  • IT Manager: Configures asset tracking for entire organization
  • Operations Manager: Manages all equipment and maintenance schedules
  • Facilities Manager: Oversees all building assets and servicing

💡 TIP: Limit Admin roles to 2-4 people maximum. Having too many Admins increases the risk of accidental deletions and configuration conflicts.

Manager Role

Who should have this role:

  • Department supervisors
  • Team leads
  • Field technicians
  • Facility coordinators
  • Anyone who actively manages assets but doesn't need full admin access

Permissions:

  • ✅ Create assets
  • ✅ Edit assets (change fields, update assignment, upload documents)
  • ✅ Log maintenance (repairs, servicing, PM tasks)
  • ✅ Upload documents and images to assets
  • ✅ View all assets and their details
  • ✅ Run and export reports
  • ✅ Assign assets to users
  • ❌ Cannot delete assets
  • ❌ Cannot delete maintenance records
  • ❌ Cannot delete documents/images
  • ❌ Cannot invite or remove users
  • ❌ Cannot modify system settings (categories, locations, departments)

When to use:

  • Most active users should be Managers
  • Users who create/update asset data daily
  • Field technicians who log repairs
  • Department supervisors who track their team's equipment

Use cases:

  • Field Technician: Logs repairs on equipment, updates asset status
  • Department Manager: Tracks department's assets, assigns equipment to team members
  • Facilities Coordinator: Updates locations, logs building equipment maintenance

💡 TIP: Manager is the default role for most users. It provides enough access to do daily work without risk of accidental deletions.

Viewer Role

Who should have this role:

  • External auditors
  • Read-only stakeholders
  • Contractors
  • Executive management (who want visibility without editing)
  • Interns or temporary staff

Permissions:

  • ✅ View assets and all details (location, assignment, cost, etc.)
  • ✅ View maintenance history
  • ✅ View uploaded documents and images
  • ✅ Run reports
  • ✅ Export reports to CSV/Excel
  • ❌ Cannot create, edit, or delete anything
  • ❌ Cannot upload documents
  • ❌ Cannot log maintenance
  • ❌ Cannot assign assets
  • ❌ Cannot invite users or change settings

When to use:

  • External auditors who need to review inventory
  • Executives who want dashboard visibility
  • Contractors who reference equipment specs
  • Compliance officers conducting reviews

Use cases:

  • Auditor: Reviews asset inventory, exports data for audit report
  • Executive: Monitors Total Asset Value, maintenance costs
  • Contractor: Looks up equipment specifications for project planning

💡 TIP: Use Viewer role for anyone who needs information but shouldn't modify data. Prevents accidental changes during audits or reviews.

Permission Comparison Matrix

Asset Management

Action | Owner | Admin | Manager | Viewer
View assets
Create assets
Edit assets
Delete assets
Assign to users
Upload documents/images
Delete documents/images

Maintenance & Logs

Action | Owner | Admin | Manager | Viewer
View maintenance logs
Log maintenance
Edit maintenance logs
Delete maintenance logs
Create PM schedules

Reports & Data

Action | Owner | Admin | Manager | Viewer
View reports
Export reports (CSV/Excel)
Import assets (CSV)
Export all assets

User Management

Action | Owner | Admin | Manager | Viewer
View user list
Invite users
Remove users ✅*
Change user roles ✅*
Remove Owner

*Admin can manage all users except the Owner

System Settings

Action | Owner | Admin | Manager | Viewer
Manage categories
Manage locations
Manage departments
Create custom statuses
Configure notifications | ✅ (all users) | ✅ (all users) | ✅ (own only) | ✅ (own only)
Edit organization profile

Billing & Subscription

Action | Owner | Admin | Manager | Viewer
View subscription plan
Upgrade/downgrade plan
Update payment method
View invoices
Cancel subscription
Delete organization

Choosing the Right Role

Decision Tree

Start: What does this user need to do?

├─ Need to manage billing/subscription?
│   └─ YES → Owner role
│
├─ Need to configure system settings (categories, locations, users)?
│   └─ YES → Admin role
│
├─ Need to create/edit assets and log maintenance?
│   └─ YES → Manager role
│
└─ Only need to view data and run reports?
    └─ YES → Viewer role

Real-World Scenarios

Scenario 1: Small Business (5 employees)

Team:

  • Owner: CEO (manages billing)
  • Admin: Operations Manager (configures system, invites users)
  • Managers: 2 team leads (track department equipment)
  • Viewer: External accountant (audits asset values)

Scenario 2: Mid-Size Company (50 employees)

Team:

  • Owner: CFO (billing and financials)
  • Admins:
    • IT Manager (manages IT assets and system configuration)
    • Facilities Manager (manages building equipment and settings)
  • Managers:
    • 5 Department supervisors (track team equipment)
    • 3 Field technicians (log repairs)
    • 2 Facility coordinators (update locations, log maintenance)
  • Viewers:
    • 2 Executives (dashboard visibility)
    • 1 Auditor (external, temporary access)

Scenario 3: Large Enterprise (500+ employees)

Team:

  • Owner: Finance Director
  • Admins:
    • Global IT Manager
    • Regional Operations Managers (3)
    • Facilities Director
  • Managers:
    • 20 Department managers
    • 15 Site supervisors
    • 10 Maintenance technicians
  • Viewers:
    • 5 Executives
    • 10 Compliance officers
    • External auditors (as needed)

Changing User Roles

How to Change a Role

Prerequisites:

  • Must be Owner or Admin
  • Cannot change your own role

Steps:

  1. Navigate to Settings → Users
  2. Find the user in the list
  3. Click the Role dropdown next to their name
  4. Select new role (Owner, Admin, Manager, Viewer)
  5. Confirm change

Effect:

  • Role change takes effect immediately (no logout/login required)
  • User's UI updates to reflect new permissions
  • If downgraded (e.g., Admin → Manager), user loses access to Settings page

💡 TIP: If you demote someone from Admin to Manager and they complain about "missing menus," explain that those features are Admin-only.

Common Role Transitions

Promoting User to Admin

Scenario: Facility Manager promoted to Operations Director, needs system configuration access

Steps:

  1. Settings → Users → Find "John Smith"
  2. Change role from Manager to Admin
  3. Notify John: "You now have Admin access. You can configure categories, locations, and invite users."

Demoting User After Leaving Role

Scenario: IT Manager switches to different department, no longer needs Admin access

Steps:

  1. Settings → Users → Find "Jane Doe"
  2. Change role from Admin to Manager
  3. Jane retains asset management access but loses system configuration abilities

Temporary Viewer Access for Auditor

Scenario: External auditor needs read-only access for 30 days

Steps:

  1. Invite auditor with Viewer role
  2. Auditor reviews inventory, exports reports
  3. After audit completes, remove user (Settings → Users → Remove)

Security Best Practices

1. Limit Owner and Admin Roles

  • Owner: 1 person only (required)
  • Admins: 2-4 maximum (trusted individuals)
  • Most users: Manager or Viewer

Why? Too many high-privilege users increase risk of:

  • Accidental deletions
  • Unauthorized configuration changes
  • Security breaches

2. Regular Access Reviews

Every quarter:

  1. Review Settings → Users list
  2. Check if roles are still appropriate
  3. Demote users who no longer need high privilege
  4. Remove users who left the organization

3. Use Viewer for External/Temporary Access

  • External auditors → Viewer
  • Contractors → Viewer (unless they need to log maintenance → Manager)
  • Interns → Viewer (until trained → Manager)

4. Document Your Role Assignments

Keep a record of who has which role and why:

User | Role | Justification | Review Date
CEO | Owner | Billing responsibility | Annual
IT Manager | Admin | System configuration | Quarterly
Operations Manager | Admin | Equipment oversight | Quarterly
Dept Supervisor A | Manager | Tracks team assets | Annual
Dept Supervisor B | Manager | Tracks team assets | Annual
Field Tech 1 | Manager | Logs repairs | Annual
Auditor (External) | Viewer | Q1 2024 audit | Remove after audit
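
The quarterly review and the role register can be checked together by a script. The following is an added example, not UniAsset code: the CSV columns, addresses and dates are constructed, and the review intervals follow the table above (Admins quarterly, Owner and Managers annual), with the Viewer interval an assumption.

```python
import csv
import io
from datetime import date

# Constructed sample register; the column names are hypothetical, not a UniAsset export.
SAMPLE_REGISTER = """user,role,external,last_reviewed
ceo@example.com,Owner,no,2025-03-01
it.manager@example.com,Admin,no,2025-11-15
ops.manager@example.com,Admin,no,2025-06-01
facilities@example.com,Admin,no,2025-12-01
regional.a@example.com,Admin,no,2025-12-01
regional.b@example.com,Admin,no,2025-12-01
field.tech1@example.com,Manager,no,2025-02-10
auditor@external.example,Manager,yes,2025-12-20
"""

MAX_ADMINS = 4  # guide: 2-4 Admins maximum
# Days between reviews: Admin quarterly, Owner/Manager annual (register table);
# the Viewer value is an assumption.
REVIEW_DAYS = {"Owner": 365, "Admin": 90, "Manager": 365, "Viewer": 90}


def review_register(text, today):
    """Return sorted (subject, finding) tuples for a role register in CSV form."""
    rows = list(csv.DictReader(io.StringIO(text)))
    findings = []
    owners = sum(r["role"] == "Owner" for r in rows)
    admins = sum(r["role"] == "Admin" for r in rows)
    if owners != 1:
        findings.append(("organization", f"expected exactly 1 Owner, found {owners}"))
    if admins > MAX_ADMINS:
        findings.append(("organization", f"{admins} Admins, guide maximum is {MAX_ADMINS}"))
    for r in rows:
        user, role = r["user"], r["role"]
        if role not in REVIEW_DAYS:
            findings.append((user, f"unknown role {role!r}"))
            continue
        # External or temporary accounts default to Viewer; anything else needs a reason.
        if r["external"] == "yes" and role != "Viewer":
            findings.append((user, f"external user holds {role}, confirm justification"))
        overdue = (today - date.fromisoformat(r["last_reviewed"])).days - REVIEW_DAYS[role]
        if overdue > 0:
            findings.append((user, f"{role} review overdue by {overdue} days"))
    return sorted(findings)


if __name__ == "__main__":
    for subject, finding in review_register(SAMPLE_REGISTER, date(2026, 1, 2)):
        print(f"{subject}: {finding}")
```

Each finding maps to an action from the review steps: demote, remove, or record the justification and reset the review date.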

5. Owner Succession Planning

Question: What happens if the Owner leaves the company?

Answer: Transfer ownership before they leave:

Steps:

  1. Owner logs in
  2. Settings → Users → Find replacement user (must be Admin)
  3. Click ⋮ → Transfer Ownership
  4. Confirm transfer

Result:

  • New person becomes Owner
  • Original owner is demoted to Admin (can then be removed)

⚠️ WARNING: If Owner leaves without transferring ownership, contact UniAsset support immediately. We can assist with ownership transfer.

Common Questions

Can a user have multiple roles?

No. Each user has exactly one role. Choose the role that provides the necessary permissions.

Can a Manager delete their own maintenance logs?

No. Only Admins can delete maintenance logs (to prevent data tampering). Managers can edit logs but not delete them.

Can a Viewer see all assets or only those assigned to them?

Viewers see all assets (not just those assigned to them). The Viewer role is read-only but has full visibility.

Privacy-restricted access (where a user sees only their own assets) is a future feature.

What happens if I remove all Admins?

Owner remains and can recreate Admins. The Owner cannot be removed, so you'll always have at least one high-privilege user.

Can a Manager invite users?

No. Only Owner and Admin can invite users. Managers cannot access Settings → Users.

Need Help?

If you need help deciding which role to assign to a user, contact support at support@uniasset.app with:

  • User's job title
  • What they need to do in UniAsset
  • Your organization size

We'll provide role recommendations.
