How are Aeries security permissions stored, and how do they roll forward across school years?


Aeries security is implemented through three SQL tables, and permissions are tied to a database (year group) rather than a calendar year.


Security Tables

  • UGN — User and Group Names
  • UGA — User and group associations and memberships
  • UGP — Permissions granted to users and groups


Rollover Behavior

  • UGN — expired substitute teacher and Active Directory substitute teacher accounts do not roll forward.
  • UGN — when the Keep New Accounts rollover setting is enabled, accounts last logged in more than a year ago do not roll forward; group accounts always roll.
  • UGA and UGP — roll forward as-is, excluding records tied to UGN records that did not roll forward.


Year Tabs and Prior-Year Access

Security tabs exist for Current Year, Last Year, and Before Last Year. Permissions are tied to the designated database (or group of databases), not a specific academic year.

  • Current Year permissions always apply to the default database; after rollover they automatically apply to the new current year.
  • Prior-year database access requires permissions assigned on the Last Year and Before Last Year tabs. Without them, access is limited to the current year.

Permissions are stored in UGP; UGP.YR indicates the year the record applies to:

  • UGP.YR = 0 — Current Year (1st tab)
  • UGP.YR = 1 — Last Year (2nd tab)
  • UGP.YR = 2 — Before Last Year (3rd tab)


Rolling Prior-Year Permissions Forward

  • Once set for a year group, permissions roll over automatically and do not need to be reset each year unless changes are required.
  • Prior-year permissions are not tied to a calendar year and do not automatically roll forward as read-only.
  • If Last Year / Before Last Year permissions were not set before rollover, none exist in the new database.
  • If Last Year / Before Last Year permissions were set before rollover, they roll into the new database automatically.