How are Aeries security permissions stored, and how do they roll forward across school years?
Aeries security is implemented through three SQL tables, and permissions are tied to a database (year group) rather than a calendar year.
Security Tables
- UGN — User and Group Names
- UGA — User and group associations and memberships
- UGP — Permissions granted to users and groups
Rollover Behavior
- UGN — expired substitute teacher and Active Directory substitute teacher accounts do not roll forward.
- UGN — when the Keep New Accounts rollover setting is enabled, accounts last logged in more than a year ago do not roll forward; group accounts always roll.
- UGA and UGP — roll forward as-is, excluding records tied to UGN records that did not roll forward.
Year Tabs and Prior-Year Access
Security tabs exist for Current Year, Last Year, and Before Last Year. Permissions are tied to the designated database (or group of databases), not a specific academic year.

- Current Year permissions always apply to the default database; after rollover they automatically apply to the new current year.
- Prior-year database access requires permissions assigned on the Last Year and Before Last Year tabs. Without them, access is limited to the current year.
Permissions are stored in UGP; UGP.YR indicates the year the record applies to:
- UGP.YR = 0 — Current Year (1st tab)
- UGP.YR = 1 — Last Year (2nd tab)
- UGP.YR = 2 — Before Last Year (3rd tab)
Rolling Prior-Year Permissions Forward
- Once set for a year group, permissions roll over automatically and do not need to be reset each year unless changes are required.
- Prior-year permissions are not tied to a calendar year and do not automatically roll forward as read-only.
- If Last Year / Before Last Year permissions were not set before rollover, none exist in the new database.
- If Last Year / Before Last Year permissions were set before rollover, they roll into the new database automatically.