The intention of this article is to establish best practices for managing user roles, permissions, and authentication in Cheqroom.
In summary:
- Any user that touches equipment should have a Cheqroom account for ease of use and accountability.
- A user role should be created for a unique way a user interacts with Cheqroom.
- Users should be granted the least amount of permissions needed to do their job for security and ease of site use.
Who needs a Cheqroom account?
Any user that touches equipment should have a Cheqroom account for ease of use and accountability. This includes:
- Account owners
- These people own the Cheqroom contract and are responsible for the assets Cheqroom maintains. While they may or may not be asset managers, they need to track their company's assets, monitor utilization rates, and understand asset value.
- Asset owners/managers
- These people are the day-to-day managers of assets. This group includes equipment room managers, service desk staff, and others who help maintain assets for end users.
- End Users
- These people need to obtain assets to perform their work. This group includes students, content creators, maintenance repair workers, and anyone else who requires equipment to do their job.
Everyone in the above groups, and possibly others, should have a provisioned user account. Now that you know who needs a Cheqroom account, it is time to decide which user roles your site will have.
User Roles
There are multiple ways to interact with Cheqroom within the same workspace, and user roles are the primary way to differentiate how a user interacts with a Cheqroom site. A user role should be created for each unique way a user interacts with Cheqroom. The system comes pre-configured with the following system (default) roles:
- Account Owner
- Owners of the account who can manage billing information and manage the workspace(s). The account owner role can only be assigned on the account management page.
- Equipment Administrators
- Users with this role have full access to the equipment and its organization (across all locations)
- Equipment Viewers
- Users with this role can view equipment but not book it (across all locations)
- Front Desk Agents
- Users with this role can create and fulfill bookings for anyone (across all locations)
- Self-Service
- Users with this role can book equipment (across all locations)
- Workspace Admin
- Users with this role have full access to the workspace
Custom Roles
If the above roles do not meet your needs, you can create custom roles. Some questions to ask yourself before making a custom role:
- Even if this role has a different name, is the way this user interacts with Cheqroom the same as another role?
- Yes - do not make a new role.
- No - Make a new role
- Does this role differ in the functionality the users need, or only in the assets they interact with?
- Different functionality - make a new role
- Different assets - use an existing role and create a new equipment access group instead
- Can I manage this custom role in an automated way? (e.g. the role already exists as a group in my SSO provider)
- Yes - Make a new role
- No - Consider combining it into an existing role that is already managed
User Permissions
Permissions dictate what a user role can and cannot do in Cheqroom. Permissions for default roles cannot be changed. To use a different set of permissions, clone a system role and edit the clone, or create a new role from scratch.
As a best practice, users should be granted the least amount of permissions needed to do their job, for security and simplicity.
Remember: user permissions are about access to functionality within Cheqroom, not access to assets. For asset access, see Equipment Access Groups below.
Equipment Access Groups
Equipment access groups in Cheqroom are used to control and limit which users can see and access specific equipment within a workspace. They work by combining:
- User groups - groups of users
- Item groups - collections of similar equipment bundled together (like "Basic audio recording")
This feature is particularly useful for organizations that need to restrict access to certain equipment based on qualifications or experience. For example:
- Universities can automatically grant access to specific equipment only to students in certain user groups, for example granting access to drones only to those with a drone pilot license
- Companies can restrict access to complex, valuable, or fragile equipment to only qualified employees
This system helps automate access control and reduces the need for manual verification of equipment permissions.
How should I assign user roles and equipment access groups?
There are two primary ways to assign users to a role and equipment access groups.
1. Manual assignments through Cheqroom
- User accounts are created on login by just-in-time (JIT) SSO (link to SSO article), and a default role and, optionally, equipment access are assigned via the SSO configuration. An account owner or workspace admin can then adjust the role and equipment access in Cheqroom as needed.
- OR user accounts are created by an account owner or workspace admin, and a user role and, optionally, equipment access are assigned upon creation. An account owner or workspace admin can adjust the role and equipment access in Cheqroom as needed.
2. Automatic role and equipment access provisioning using SSO
- This strategy translates roles in a client's Active Directory (AD) to roles and equipment access groups within Cheqroom. User accounts are created on login by JIT SSO (link to SSO article) and AD roles are mapped to Cheqroom roles. Equipment access can also be granted by default (optional).
- Adjustments to roles should be made in AD and will be synced to Cheqroom when that user next logs in. Note that this also applies to removals: a user who loses an AD role keeps their current Cheqroom role until their next login, so a change that must take effect immediately should also be made in Cheqroom.
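To make the mapping step of strategy 2 concrete, the following is an added, illustrative example and is not Cheqroom's own SSO configuration or API. It assumes the IdP sends a list of group names with each login, uses hypothetical AD group names (the CHEQ-* groups), and applies this example's own policy: only explicitly mapped groups grant anything, a user in several role groups gets the highest-ranked role (the ranking is an assumption), equipment access is the union of all mapped access groups, and a user with no mapped role either gets the configured default role or is denied. Account Owner is deliberately not mappable, since the article states it can only be assigned on the account management page.

```python
from dataclasses import dataclass

# Cheqroom system roles named in the article, ranked so that a user who is in
# several mapped groups receives one unambiguous role. The ranking is an
# assumption of this example, not something Cheqroom defines. Account Owner is
# intentionally absent: the article says it is assigned only on the account
# management page, so an IdP group must never be able to grant it.
ROLE_RANK = {
    "Self-Service": 1,
    "Equipment Viewer": 2,
    "Front Desk Agent": 3,
    "Equipment Administrator": 4,
    "Workspace Admin": 5,
}

# Hypothetical AD/IdP group names -> Cheqroom role (what the user may DO).
GROUP_TO_ROLE = {
    "CHEQ-Workspace-Admins": "Workspace Admin",
    "CHEQ-Equipment-Admins": "Equipment Administrator",
    "CHEQ-Front-Desk": "Front Desk Agent",
    "CHEQ-Staff": "Equipment Viewer",
    "CHEQ-Students": "Self-Service",
}

# Hypothetical AD/IdP group names -> equipment access group (what the user may SEE).
# Note that the same group may grant both a role and equipment access.
GROUP_TO_ACCESS = {
    "CHEQ-Drone-Pilots": "Drones",
    "CHEQ-Students": "Basic audio recording",
    "CHEQ-Staff": "Basic audio recording",
}


@dataclass(frozen=True)
class Provisioning:
    role: str
    equipment_access: frozenset
    ignored_groups: frozenset  # claims that matched no mapping; worth logging


def resolve_provisioning(group_claims, default_role="Self-Service"):
    """Translate the group claims of one SSO login into a Cheqroom role and a
    set of equipment access groups, following this example's policy:
      * only explicitly mapped groups grant anything; unknown groups are ignored;
      * if mapped groups disagree on the role, the highest-ranked role wins;
      * equipment access is the union of every mapped access group;
      * with no mapped role group the user gets default_role, or is denied
        (None is returned) when default_role is None.
    """
    groups = set(group_claims)
    roles = {GROUP_TO_ROLE[g] for g in groups if g in GROUP_TO_ROLE}
    access = {GROUP_TO_ACCESS[g] for g in groups if g in GROUP_TO_ACCESS}
    ignored = groups - set(GROUP_TO_ROLE) - set(GROUP_TO_ACCESS)

    if roles:
        role = max(roles, key=ROLE_RANK.__getitem__)
    elif default_role is not None:
        role = default_role
    else:
        return None  # deny by default: no mapped role and no fallback configured

    return Provisioning(role, frozenset(access), frozenset(ignored))


# Constructed sample claims, shaped like the "groups" attribute an IdP might send.
SAMPLE_CLAIMS = {
    "alice": ["CHEQ-Students", "CHEQ-Drone-Pilots", "Domain Users"],
    "bob": ["CHEQ-Front-Desk", "CHEQ-Students"],  # two role groups: higher wins
    "carol": ["Domain Users"],                    # no mapped group at all
}

if __name__ == "__main__":
    for user, claims in SAMPLE_CLAIMS.items():
        print(user, resolve_provisioning(claims))
    # With no default role, carol is not provisioned at all.
    print("carol (strict):", resolve_provisioning(SAMPLE_CLAIMS["carol"], default_role=None))
```

The point of separating GROUP_TO_ROLE from GROUP_TO_ACCESS is the distinction the article draws above: a role answers "different functionality", an equipment access group answers "different assets", and the two are combined per user rather than multiplied into one role per combination. Running with default_role=None gives the strictest posture, where a user with no mapped group cannot log in at all.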