User Access Overview

Mosaic uses three layers of permissions to ensure every staff member has the right access — no more, no less.

When a staff member logs in, Mosaic determines what they can see and do by combining three independent permission layers. Understanding how these layers work together is key to managing access effectively.

The Three Layers

Layer	What It Does	Who Controls It
Inherent Access	Grants access to specific students or staff based on relationships — class assignments, homeroom, support staff, supervision	Automatic. Determined by school data (class enrollments, homeroom assignments, etc.)
Roles	Grants broad, school-wide access based on job function — what platform features and data categories a user can reach	Assigned by an administrator on the user's Account tab
Individual Grants	Grants a specific permission to a specific user for special situations or temporary needs	Assigned by an administrator on the user's Account tab

How the Layers Combine

The three layers are additive. At every permission, Mosaic takes the highest access level from any layer. This means:

• Permissions can only be added, never taken away by another layer.
• A role cannot override or reduce what inherent access provides.
• Removing a role does not affect inherent access or individual grants.

Think of It Like Keys

Each layer can give a user a key to a door, but no layer can take away a key that another layer provided. If inherent access gives a teacher the key to their students’ attendance records, removing their role won’t lock that door.

When to Use Each Layer

Inherent Access handles the most common scenario — teachers seeing their own students’ data, supervisors viewing their team’s records. This works automatically and requires no administrator setup.

Roles define what a user’s job function needs. A secretary needs access to attendance, communication tools, and admissions. A counselor needs broad student visibility. Assign one or more roles that match the user’s responsibilities.

Individual Grants fill in the gaps. When one person needs a specific permission that doesn’t justify creating or modifying a role, add a grant. These are best for temporary or exceptional access.

Most users only need inherent access + one role. Individual grants are the exception, not the rule.

Both inherent access levels and default roles can be customized by your school to match your policies — see the detailed guides linked below for how.

Quick Start

If you’re setting up a new user:

1. Assign a role that matches their job function. See Default Roles for the options.
2. That’s it for most users. Inherent access activates automatically as they are assigned to classes, homerooms, or supervisory positions.
3. Add individual grants only if they need access beyond what their role and relationships provide. See Managing User Access for step-by-step instructions.

Learn More

• Inherent Access — how relationship-based permissions work and how to customize the defaults
• Default Roles — what each built-in role includes
• Managing User Access — how to assign roles, add grants, and review a user’s effective permissions