Warning: The features and instructions outlined in this article are intended for use by Aeries system administrators who have access to the SQL database.


Overview

During periods of maintenance, or any other time when access to Aeries should be restricted, Aeries system administrators can set a flag in the database that will cause all non-admin users either to be locked out of Aeries entirely or forced into read-only mode.


Currently, the security restriction only applies to regular users and teachers. Parents and students cannot be locked out. However, if a restriction is in place for regular users, then parents will be unable to access Parent Data Confirmation. Otherwise, parent and student logins are unaffected. A future enhancement may make the security restriction available for the Parent/Student Portal, as well.


To use this feature, certain records must be manually added to the DPT table in the database. The steps below should be followed in the default database in the Database Group, since that is the database that controls security. If there are multiple Database Groups in the connections configuration, each Database Group can have its own security restriction configured using the steps below.


Lockout

To lock out all users other than admin, create a SecurityRestriction record with the value set to '1'.


INSERT INTO DPT (NM, CD)
VALUES ('SecurityRestriction', '1')


When this option is used, a SecurityLockoutMessage DPT record MUST be created to provide an error message that will display when a user tries to log in to Aeries.


INSERT INTO DPT (NM, CD)
VALUES ('SecurityLockoutMessage', 'Your Lockout message goes here!')


The image below demonstrates the behavior of the login page when the lockout is in effect.



Read-Only

To force read-only access for all non-admin users, create a SecurityRestriction record with the value set to '3'.


INSERT INTO DPT (NM, CD)
VALUES ('SecurityRestriction', '3')


There is no visual indication to the end-user that this restriction is in effect. The users' Aeries access will be limited to read-only regardless of their usual permissions.


Remove the Restriction

To remove the security restriction, either delete the SecurityRestriction DPT record or set the value to '0'.


-- Remove the security restriction using any of the following methods:

-- Set the value to '0'
UPDATE DPT SET CD = '0' WHERE NM = 'SecurityRestriction'

-- Or, DEL-tag the record
UPDATE DPT SET DEL = 1 WHERE NM = 'SecurityRestriction'

-- Or, hard-delete the record
DELETE DPT WHERE NM = 'SecurityRestriction'


Note: Due to web server caching, it may take up to 5 minutes for changes to take effect after modifying the DPT table in SQL.
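
Two of the removal methods above leave the SecurityRestriction row in the table (set to '0' or DEL-tagged), so the next maintenance window needs an UPDATE rather than a second INSERT. The script below is an added example, not from the Aeries documentation: it updates the existing rows when present, writes the lockout message before enabling the lockout, and lists the resulting records. It assumes SQL Server (T-SQL) and that DEL = 0 marks an active record; the message text is a constructed sample.

```sql
-- Added example (T-SQL); not part of the Aeries documentation.
-- Run in the default database of the Database Group.
-- Assumption: DEL = 0 marks a record as active (the article only shows DEL = 1).

SET XACT_ABORT ON;  -- roll back the whole batch if any statement fails

DECLARE @mode VARCHAR(1)   = '1';  -- '1' = lockout, '3' = read-only
DECLARE @msg  VARCHAR(255) = 'Aeries is unavailable during maintenance.';  -- constructed sample text

BEGIN TRANSACTION;

-- Write the message first: a lockout requires a SecurityLockoutMessage record.
IF @mode = '1'
BEGIN
    IF EXISTS (SELECT 1 FROM DPT WHERE NM = 'SecurityLockoutMessage')
        UPDATE DPT SET CD = @msg, DEL = 0 WHERE NM = 'SecurityLockoutMessage';
    ELSE
        INSERT INTO DPT (NM, CD) VALUES ('SecurityLockoutMessage', @msg);
END

-- Reuse a row left at '0' or DEL-tagged by an earlier removal; insert only if none exists.
IF EXISTS (SELECT 1 FROM DPT WHERE NM = 'SecurityRestriction')
    UPDATE DPT SET CD = @mode, DEL = 0 WHERE NM = 'SecurityRestriction';
ELSE
    INSERT INTO DPT (NM, CD) VALUES ('SecurityRestriction', @mode);

COMMIT TRANSACTION;

-- Confirm what is now configured. More than one row per NM means an earlier
-- INSERT was repeated and the extra rows should be cleaned up.
SELECT NM, CD, DEL
FROM DPT
WHERE NM IN ('SecurityRestriction',
             'SecurityLockoutMessage',
             'SecurityRestriction_ByLoggedInDB')
ORDER BY NM;
```

The same SELECT can be run after removing the restriction to confirm that no active SecurityRestriction row with a value of '1' or '3' remains.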


Add Custom Content to the Login Page

While a security restriction is in effect, custom content can be displayed on the Aeries staff Login page. This could be used to display an informative message to your staff or for other purposes. To set this up, the Aeries Administrator creates a virtual directory called "Extensions" in IIS inside the Aeries application folder, then places a file called "Login_Restricted_N.html" inside it (where N is the actual value from the SecurityRestriction record, such as 1 or 3). If this file starts with "<html", the contents will be iframed on the login page. Otherwise, the contents will be read and injected directly into the login page. In either case, the contents will display inside the "Login Box" above the "Copyright" section.


The custom html file(s) can be left in the Extensions folder even when not in use. The content will ONLY be included on the Login page when a security restriction is currently in effect on the default Database Group.


Here is a sample Login_Restricted_1.html file:


This is a message you could display to your staff on the login page while a Security Restriction is in effect.
<a href="https://www.example.com/document">Click here</a> for more information.


The image below demonstrates the display of the custom content.



Limit the Restriction to a Specific Year

By default, any security restriction will apply to all databases (e.g., years) within the same Database Group. If circumstances require a security restriction on a single database, the setup steps are a little different.


In the default database in the Database Group, create a DPT record for SecurityRestriction_ByLoggedInDB with the value "True".


INSERT INTO DPT (NM, CD)
VALUES ('SecurityRestriction_ByLoggedInDB', 'True')


Then, follow the steps to create the SecurityRestriction (and SecurityLockoutMessage if applicable) records in the specific database(s) within the Database Group where the restriction should apply (which may or may not include the default database). The security restriction will apply ONLY to the database(s) where a SecurityRestriction DPT record exists instead of applying to all databases in the same Database Group.


Note: When limiting the restriction this way, custom content from a Login_Restricted_N.html page will NOT be displayed on the Login page.