Best Practices For Unique Permissions On List And Items in SharePoint 2010
There are some general recommendations to consider when it comes to unique permissions in SharePoint 2010. They include:
- Minimize the use of unique permissions on individual items, and simplify list designs that require more items to have unique permissions.
- When unique permissions are necessary, set them only at the list or folder level. Minimize the number of individual items that you need unique permissions for.
- Reconsider your design if each item requires individual permissions. It may be a good idea to divide items between multiple lists, or to organize them with other items into groups and folders, so that the proper access can be granted without needing unique permissions on each item.
Granular permissions can affect performance, and they are also very hard to manage. Therefore, you should leave permissions at their defaults, and you certainly don’t want to set them where the list view threshold is exceeded. If you do, the operation will be blocked because too many individual items would be updated at the same time. Granular permissions can affect performance in many other ways too, which is why there is a configurable limit, 50,000 by default, on the number of unique permissions for each list.
When you try to declare unique permissions after you reach that limit, you will be blocked from doing so. The list view threshold doesn’t have that block in place; it will allow you to continue to create unique permissions for each item, but not for a query. Permissions can be inherited or broken for items that are in a folder; a folder with broken inheritance and the items that inherit from it are counted as one unique permission.
Every time permission inheritance is broken, a new scope ID is created. When you query a view, the query is JOINed against the scope table, and the unique access control on the list then has to be processed. Many unique permissions in a list reduce the overall performance of the query, so that isn’t recommended. The number of unique permissions in a list also tends to grow over time, which reduces performance further. While the limit is 50,000 by default, it is ideal to make your customized limit 5,000.
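To see where a site collection stands against these limits, the following added example (not part of the original article) counts the items and folders with broken inheritance in each list and flags lists above the 5,000 recommendation. It is written for the SharePoint 2010 Management Shell; the site URL is a placeholder, and the count approximates the number of scopes by treating each item or folder with broken inheritance as one unique permission.

```powershell
# Added example: audit unique permissions per list in one site collection.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl = "http://sharepoint.example.local/sites/placeholder"   # placeholder URL
$recommendedLimit = 5000    # customized limit recommended in the text above

$site = Get-SPSite $siteUrl
try {
    # Configured per-list limit for the web application (50,000 by default)
    $hardLimit = $site.WebApplication.MaxUniquePermScopesPerList

    foreach ($web in $site.AllWebs) {
        try {
            foreach ($list in $web.Lists) {
                $unique = 0
                # Page through items and folders so each query stays small
                $query = New-Object Microsoft.SharePoint.SPQuery
                $query.ViewAttributes = "Scope='RecursiveAll'"
                $query.RowLimit = 2000
                do {
                    $items = $list.GetItems($query)
                    foreach ($item in $items) {
                        # True when inheritance is broken on this item or folder
                        if ($item.HasUniqueRoleAssignments) { $unique++ }
                    }
                    $query.ListItemCollectionPosition = $items.ListItemCollectionPosition
                } while ($query.ListItemCollectionPosition -ne $null)

                if ($unique -gt 0) {
                    New-Object PSObject -Property @{
                        Web                   = $web.Url
                        List                  = $list.Title
                        ListBreaksInheritance = $list.HasUniqueRoleAssignments
                        UniqueItemsAndFolders = $unique
                        OverRecommended       = ($unique -gt $recommendedLimit)
                        ConfiguredLimit       = $hardLimit
                    }
                }
            }
        } finally { $web.Dispose() }
    }
} finally { $site.Dispose() }
```

Run it outside peak hours, because it reads every item in every list; pipe the output to `Sort-Object UniqueItemsAndFolders -Descending` to see the lists most in need of redesign first.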