Managing User Access
Fine-tune what each staff member can see and do by combining roles, individual grants, and automatic relationship-based access.
Every staff member’s access in Mosaic is determined by three layers working together: their assigned roles, any individual grants, and their inherent access from relationships. This guide walks through how to view and configure each layer for a specific user.
Getting to the Account Tab
To manage a staff member’s permissions:
Staff List → Select a Staff Member → Account tab
The Account tab shows the user’s login information, role assignments, and individual permission grants. You need the User Permissions permission (view level to see, edit level to modify).
Assigning Roles
Roles are the primary way to grant access. Each role is a predefined set of permissions that can be assigned to any number of users. See Default Roles for a breakdown of the built-in roles.
How to Assign a Role
- On the Account tab, find the Role Assignments section.
- Click Add Role.
- Select a role from the dropdown. Roles are organized into two groups:
  - System Roles — built-in roles like Principal, Faculty, Secretary, and Student Support
  - Custom Roles — roles created by your district to match specific needs
- Review the role description displayed below the dropdown.
- Click Save.
The role takes effect immediately.
Multiple Roles
A user can have multiple roles assigned at the same time. When a user has more than one role, the permissions from all roles are merged together — the highest access level from any role wins.
For example, if a user has both the Faculty role (no finance permissions) and a custom Cashier role (finance edit access), they get the combined permissions of both.
Removing a Role
Click on the role you want to remove. A confirmation dialog will appear. Once confirmed, the role is unassigned and the user’s permissions are recalculated.
Adding Individual Grants
Individual grants let you give a specific user access to a particular permission without creating or modifying a role. This is useful when one person needs access that doesn’t fit any existing role.
When to Use Grants vs. Roles
| Use a Role When... | Use a Grant When... |
|---|---|
| Multiple users need the same set of permissions | Only one user needs a specific permission |
| The access represents a job function (e.g., Secretary, Guidance Counselor) | The access is for a special situation or temporary need |
| You want changes to automatically apply to everyone with that role | You want to add one permission without affecting other users |
How to Add a Grant
- On the Account tab, find the Individual Grants section.
- Click Add Grant.
- Select a permission from the dropdown. Permissions are grouped by category:
  - Student — access to student records (attendance, health, discipline, etc.)
  - Staff — access to other staff members’ records
  - Communication — email, calendar, contacts, Help Desk
  - Administration — libraries, transportation, admissions, academics
  - Finances — accounting, cashier, POS, budget
  - System Config — district/school settings, user management
- Select an access level (typically View or Edit, depending on the permission).
- Add an optional note explaining why this grant was given (e.g., “summer program coordinator” or “temporary — remove after May”).
- Click Save.
Modifying or Removing a Grant
Click on an existing grant to open the edit dialog. From there you can change the access level, update the note, or delete the grant entirely.
Understanding the Combined Effect
When a user logs in, Mosaic merges all three permission layers to calculate their effective access:
| Layer | Source | Scope |
|---|---|---|
| Inherent Access | Automatic, based on relationships (class teacher, homeroom, supervisor, etc.) | Only applies to the specific students or staff the user has a relationship with |
| Roles | Assigned by an administrator | Applies broadly — to all students, all staff, or the entire school |
| Individual Grants | Assigned by an administrator for a specific user | Applies broadly — same as roles, but for one person only |
For every permission, the highest level from any layer wins. Layers can only add access; one layer never reduces what another layer provides.
Scoped vs. Broad Access
An important distinction: inherent access is scoped while roles and grants are broad.
- A class teacher’s inherent access to student attendance only applies to students in their classes — they cannot see attendance for students they don’t teach.
- A role or grant that includes student attendance applies to all students in the school.
This means a teacher with the Faculty role and Class Teacher inherent access has:
- View access to basic information for all students (from the role)
- View access to detailed records (attendance, health, academics) for only their students (from inherent access)
If you want that teacher to see detailed records for all students, you would add an individual grant or assign an additional role that includes those permissions at a broader level.
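The merge rule and the scoped-versus-broad distinction above can be modelled in a few lines. This is an added illustration, not Mosaic's code; the permission keys, role contents and student ids are constructed for the example.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class Level(IntEnum):
    NONE = 0
    VIEW = 1
    EDIT = 2


# Hypothetical permission keys and role contents, constructed for illustration.
ROLES = {
    "Faculty": {"student.basic": Level.VIEW},
    "Cashier": {"finance.cashier": Level.EDIT},
}
# Inherent access a relationship confers, limited to the related students.
INHERENT = {
    "class_teacher": {"student.attendance": Level.VIEW,
                      "student.health": Level.VIEW},
}


@dataclass
class User:
    roles: set = field(default_factory=set)
    grants: dict = field(default_factory=dict)         # permission -> Level (broad)
    relationships: dict = field(default_factory=dict)  # relationship -> student ids


def effective_level(user, permission, student_id):
    """Highest level any layer gives this user for one permission on one student."""
    candidates = [Level.NONE]
    # Roles and individual grants are broad: they apply to every student.
    for role in user.roles:
        candidates.append(ROLES.get(role, {}).get(permission, Level.NONE))
    candidates.append(user.grants.get(permission, Level.NONE))
    # Inherent access is scoped: it counts only for students in the relationship.
    for relationship, students in user.relationships.items():
        if student_id in students:
            candidates.append(INHERENT.get(relationship, {}).get(permission, Level.NONE))
    return max(candidates)


def demo():
    teacher = User(roles={"Faculty"}, relationships={"class_teacher": {"s1", "s2"}})
    before = [effective_level(teacher, "student.attendance", s) for s in ("s1", "s9")]
    # Temporary cover for the secretary: a broad Edit grant on attendance.
    teacher.grants["student.attendance"] = Level.EDIT
    after = [effective_level(teacher, "student.attendance", s) for s in ("s1", "s9")]
    return before, after
```

In this model a single broad grant raises the teacher from scoped View to Edit on every student, which is why an access review has to weigh grants against the whole student body and not only the user's own classes.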
Practical Examples
New teacher needs standard access
Situation: A new math teacher joins the school.
What to do: Assign the Faculty role on their Account tab.
Result: The Faculty role gives them basic platform access (email, calendar, Help Desk). Their class teacher inherent access automatically grants visibility into their students’ records as soon as they are assigned to classes. No additional setup is needed.
Teacher temporarily taking over attendance duties
Situation: The school secretary is on leave, and a teacher needs to manage attendance for all students during that time.
What to do: Add an individual grant for Attendance at the Edit level. Add a note: “Covering for secretary — remove when secretary returns.”
Result: The teacher can now edit attendance for all students, not just their own classes. When the secretary returns, remove the grant.
Department head needs to see staff records for their team
Situation: The science department head needs to view employment records and write supervision journals for teachers in their department.
What to do: Make sure the department head is set as the supervisor for those teachers in staff records. Supervisor inherent access automatically provides view access to their staff profiles, employment, and the ability to write supervision journals. No role changes or grants are needed.
If the department head needs access beyond what supervisor inherent access provides, add individual grants for the specific permissions.
Support specialist needs student access across the school
Situation: A learning resources teacher or school counselor needs to view all student records, not just those on their support staff list.
What to do: Assign the Student Support role (or Guidance Counselor for staff who also manage schedules and academic records), which grants broad access to student information. Their support staff inherent access additionally grants edit permissions for students specifically on their caseload.
Result: The staff member can view records for any student (from the role) and can edit support plans for their assigned students (from inherent access).
Removing access for a staff member changing positions
Situation: A staff member who was the school cashier is moving to a teaching role.
What to do:
- Remove the cashier-related role from their Account tab.
- Remove any individual grants related to finances.
- Assign the Faculty role if not already assigned.
Result: Finance permissions are removed. Class teacher inherent access will activate automatically once they are assigned to classes. No need to manually configure student access.
Reviewing a User’s Access
To understand what a specific user can currently do, check all three sources on their Account tab:
- Role Assignments — lists all assigned roles. Click through to see what each role includes.
- Individual Grants — lists any one-off permissions with their access levels and notes.
- Inherent Access — not shown on the Account tab, but determined automatically. Check the user’s class assignments, homeroom designation, support staff assignments, and supervisory relationships to understand what inherent access they have.
Access to Past Years
By default, most users can only view data from the current school year. The year selector is locked and cannot be changed.
If a staff member needs to look up historical data — for example, a registrar reviewing transcripts or an administrator pulling reports from prior years — they need the Year Access permission. This can be granted through a role (several built-in roles like School Admin already include it) or as an individual grant.
Year Access has two levels:
- View Past — unlocks the year selector so the user can navigate to previous years, but most permissions are automatically downgraded to view-only in past years. This prevents accidental edits to historical records.
- Full (All Years) — unlocks the year selector with full permissions in all years, including the ability to edit data in prior years.
The Term Access permission works similarly, controlling whether a user can navigate to other marking periods within the current year.
Best Practices
- Start with roles. Assign a role that matches the user’s job function. Only add individual grants for exceptions.
- Use the fewest grants possible. If multiple users need the same grant, consider creating a custom role instead.
- Add notes to grants. Document why the grant was given and when it should be reviewed or removed.
- Review grants periodically. Individual grants can accumulate over time. Check that each grant is still needed, especially at the start of a new school year.
- Trust inherent access. Teachers and supervisors automatically get the access they need through their relationships. You usually don’t need to add grants for access they already receive from being assigned to classes or supervisory roles.