A possible solution would be a SUID binary that given a VID, would chown /usr/lib/one/<VID>/checkpoint to oneadmin.
A possible solution would be a SUID binary that given a VID, would chown /usr/lib/ one/<VID> /checkpoint to oneadmin.