This page is the detail for Setup overview — Step 7: Set members.
When users join an organization, they automatically inherit the role groups assigned to that organization. For each member, you then assign a specific organization member role, which defines their permissions within the organization (for example, admin or member-level access).
In our holiday booking example, continue with the same organizations from the previous steps: Retail travel agency and its managed child organization New York branch. The parent organization has the Retail storefront role group assigned, while New York branch has Retail sales only. Those organization-level assignments define the maximum application scope available in each organization.
In Mosaic, a member is a user in the context of a specific organization. The same user can be a member of multiple organizations, which is why you may also see that person in B2B Identity > Users.
When you add an individual member, you do two different things:
- You decide which app-level member roles that person should get for each application, but only from the roles allowed by the organization's assigned role groups.
- You assign an organization member role such as admin or member, which controls what that person can do in Mosaic for that organization.
For example, Jane Smith in the Retail travel agency might receive Booking agent and After-sales specialist for the holiday booking platform, plus the Organization admin role so she can manage members. In New York branch, John Williams might receive only Booking agent, plus the Organization member role.
This is why member setup comes last: the member can receive only the application roles already allowed for that organization.
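The rule above can be checked offline as a least-privilege review of a member list. This is an added example, not Mosaic code or its export format: the data layout, the `holiday-booking` application name, the email addresses, and the contents of each role group are assumptions made for illustration.

```python
# Added example: constructed data, not Mosaic's API or export format.
# Role-group contents are assumptions; the page names the groups and roles
# but does not say which roles each group contains.
ROLE_GROUPS = {
    "Retail storefront": {"Booking agent", "After-sales specialist"},
    "Retail sales only": {"Booking agent"},
}
ORG_ROLE_GROUPS = {  # organization -> application -> assigned role groups
    "Retail travel agency": {"holiday-booking": ["Retail storefront"]},
    "New York branch": {"holiday-booking": ["Retail sales only"]},
}
ORG_MEMBER_ROLES = {"Organization admin", "Organization member"}

def allowed_roles(org, app):
    """Union of the roles in every role group assigned to org for app."""
    groups = ORG_ROLE_GROUPS.get(org, {}).get(app, [])
    return set().union(*(ROLE_GROUPS.get(g, set()) for g in groups))

def audit_member(member):
    """Return a list of findings for one member record (empty list = clean)."""
    findings = []
    org = member["org"]
    if org not in ORG_ROLE_GROUPS:
        return [f"unknown organization: {org}"]
    if member["org_role"] not in ORG_MEMBER_ROLES:
        findings.append(f"unknown organization member role: {member['org_role']}")
    for app, roles in member["app_roles"].items():
        extra = set(roles) - allowed_roles(org, app)
        for role in sorted(extra):
            findings.append(f"{app}: '{role}' is outside the role groups assigned to {org}")
    return findings

MEMBERS = [  # constructed sample records
    {"email": "jane.smith@example.com", "org": "Retail travel agency",
     "org_role": "Organization admin",
     "app_roles": {"holiday-booking": ["Booking agent", "After-sales specialist"]}},
    {"email": "john.williams@example.com", "org": "New York branch",
     "org_role": "Organization member",
     "app_roles": {"holiday-booking": ["Booking agent"]}},
    # Constructed record that violates the rule, to show what a finding looks like.
    {"email": "violating@example.com", "org": "New York branch",
     "org_role": "Organization member",
     "app_roles": {"holiday-booking": ["Booking agent", "After-sales specialist"]}},
]

if __name__ == "__main__":
    for m in MEMBERS:
        print(m["email"], audit_member(m) or "ok")
```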
In Admin Portal > B2B Identity > Organizations > [your org] > Members tab, click +Add member (or edit an existing member). A Member details drawer opens with two tabs: Member details and Applications access. Complete Member details first, then Applications access, and save. If you use email invites, Configure B2B should already be set so you can send the invite after saving.
Open the Member details tab and fill in the member’s profile:
- Email (required): Primary identifier for the member. Used for the invite, sign-in, and routing to the correct organization (together with the org’s email domains).
- Phone number: Contact number for the member profile.
- Default language: Preferred language for the experience.
- Department: Internal grouping (for example agency department or team).
- Title: Job title or label shown in the directory.
- Direct manager: Reference to the member’s manager.
Open the Applications access tab. Everything here builds on the role groups already assigned to this organization for each application. If the picker looks empty or too narrow, go back to Configure role groups per organization and application.
Per application linked to the organization:
- Set access to the application when the UI offers it (toggle or equivalent).
- Assign member roles for that application: choose which of the allowed app-level roles this person should have. Only roles that belong to the organization’s assigned role groups appear—those groups were set under Configure org roles & auth. Your application consumes the result (for example ID token claims); see Configure org roles & auth.
Assign Roles (organization member roles) for this member: what they can do in the Organization admin portal (portal management, invitations, managed orgs). These are not your custom application roles. For the full list, see View available roles.
Once the initial setup is complete, you can edit members, reassign applications and roles, suspend access, or remove members at any time. See Manage org members.