Alexander's Blog

Sharing knowledge with the global IT community since November 1, 2004

Best Practices for Unique Permissions in a SharePoint List


We all know that configuring unique permissions (also known as breaking permissions) for list items in a SharePoint list in general is a bad idea. Besides management and security issues, it decreases performance. If most list items are going to have unique permissions, you don’t really want to add them to one list. Microsoft has some very useful information on this topic in the TechNet article Designing large lists and maximizing list performance (SharePoint Server 2010).

Because the default value for unique permissions is 50,000 per list, it’s best to lower it to a value closer to 5,000. You can configure this setting in Central Administration per Web application. Go to Central Administration -> Application Management -> Manage Web Applications. Highlight the Web application and on the ribbon select General Settings -> Resource Throttling.

ListUniquePermissionsThreshold

According to Microsoft: “The throughput difference for operations on a list between 0 and 1,000 unique permissions is around 20 percent. There is a configurable default of 50,000 unique permissions per list. However, we recommend that you consider lowering this limit to 5,000 unique permissions and for large lists consider using a design that uses as few unique permissions as possible. This will help not only performance, but also manageability.”

Here are Microsoft’s recommendations:

1. Minimize the use of unique permissions on individual items, and simplify list designs that require most items to have unique permissions.
2. If unique permissions are needed, try to set them only at the list or folder level and minimize the number of individual items that need unique permissions.
3. Reconsider your design if each item requires individual permissions. Investigate dividing items between multiple lists, or organize items into folders and groups so proper access can be granted without putting unique permissions on every item.

Not only are fine-grained permissions difficult to manage and a drag on performance, but setting fine-grained permissions on a list or folder that exceeds the list view threshold will be blocked, because too many individual items would have to be updated. That’s why Microsoft recommends that you lower this limit from 50,000 to 5,000.

Bad design has its price, and breaking permission inheritance can impact performance. Here’s how Microsoft explains it: “Whenever permission inheritance is broken for an item, such as a folder, it is counted as a unique permission toward this limit. Each time permissions inheritance is broken, a new scope ID is created. Each time that you query on a view, you join against the scopes table. Then, when a query is performed, each unique access control list (ACL) must be parsed and processed. A large number of unique permissions in a list will adversely affect performance and is not recommended. As the number of unique permissions in a list grows, query performance will degrade. Even though the default limit is 50,000 unique permissions, you might want to consider lowering this limit to 5,000 unique permissions.”
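As an added example (not part of the original post), the following SharePoint 2010 Management Shell script does two things the article describes: it lowers the per-Web-application unique permissions threshold to 5,000, and it counts how many folders and items in one list already carry broken inheritance so you can see how close a list is to the limit. The Web application URL, site URL and list name are placeholders, and the audit uses a paged CAML query so that it does not itself trip the list view threshold on a large list.

```powershell
# Added example, not code from the original post. Run on a farm server in the
# SharePoint 2010 Management Shell. All URLs and the list name are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webAppUrl = "http://intranet.contoso.local"            # placeholder
$siteUrl   = "http://intranet.contoso.local/sites/hr"   # placeholder
$listName  = "Leave Requests"                           # placeholder

# 1. Lower the "List Unique Permissions Threshold" (Resource Throttling page).
#    MaxUniquePermScopesPerList is the SPWebApplication property behind that setting.
$webApp = Get-SPWebApplication $webAppUrl
"Current limit: $($webApp.MaxUniquePermScopesPerList)"
$webApp.MaxUniquePermScopesPerList = 5000
$webApp.Update()
"New limit: $($webApp.MaxUniquePermScopesPerList)"

# 2. Count unique permission scopes already present in one list.
#    RecursiveAll returns folders as well as items; RowLimit + paging keeps each
#    query under the list view threshold even when the list is very large.
$web  = Get-SPWeb $siteUrl
$list = $web.Lists[$listName]
$query = New-Object Microsoft.SharePoint.SPQuery
$query.ViewAttributes = "Scope='RecursiveAll'"
$query.RowLimit = 2000
$query.ViewFields = "<FieldRef Name='ID'/><FieldRef Name='FSObjType'/>"
$uniqueItems = 0; $uniqueFolders = 0
do {
    $batch = $list.GetItems($query)
    foreach ($item in $batch) {
        if ($item.HasUniqueRoleAssignments) {
            if ($item.FileSystemObjectType -eq [Microsoft.SharePoint.SPFileSystemObjectType]::Folder) {
                $uniqueFolders++
            } else {
                $uniqueItems++
            }
        }
    }
    $query.ListItemCollectionPosition = $batch.ListItemCollectionPosition
} while ($query.ListItemCollectionPosition -ne $null)

# The list itself is one scope when it does not inherit from the site.
$listScope = if ($list.HasUniqueRoleAssignments) { 1 } else { 0 }
$total = $listScope + $uniqueFolders + $uniqueItems
"List '$listName': $uniqueFolders folders and $uniqueItems items with unique permissions ($total scopes toward the limit)"
if ($total -gt 5000) { "Above the recommended 5,000 unique permissions; consider splitting the list or grouping items" }
$web.Dispose()
```

Run step 1 once per Web application that hosts lists with fine-grained permissions, and step 2 against the lists you suspect before lowering the limit, so that no list is already above the new threshold.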


4 Comments

  1. Hi Zubair, how do you suggest we tackle the typical scenario where the item needs to be visible to the creator and his manager, like appraisal workflows and leave workflows?

  2. Hi Sudeep,

    As a best practice, item-level permissions are discouraged. In your situation you can create a new list with unique permissions. You may see talk on the Internet about creating folders to assign unique permissions, but my advice is to stay away from folders. I tell my students we don’t use the “F” word in SharePoint, so let’s not even talk about folders :). There are some very rare cases where you can justify the use of folders, and most people will never run into those rare situations.

    Another way to deal with the situation is to create a list and change the default view to only show items that were created by or modified by [Me]. You can disable users’ ability to create personal views and create a custom permission level that allows users only to upload or delete items but doesn’t allow them to create, delete, or update list views. Obviously, you will allow managers to be able to see all the items.

  3. I agree with Zubair, folders and SP don’t gel very well. But I am sharing my experience of when folders can be very useful.

    We all know that item-level permissions are a strain on the server, but consider this: if you go with a single item-level design, then the number of unique items you can have is 50,000.

    However, if you classify your items in a single-level folder design (no sub-folders in folders / fine-grained permissions) and break inheritance at the folder level, then you can go to 50,000 unique folders, and every folder can have multiple items 🙂

    List
      –> Folder01
           –> Item01
           –> Item02
      –> Folder02
           –> Item03
      –> Folder03
           –> Item04
           –> Item05

    Hope this helps.

  4. If we disable throttling on a specific list which has a large number of items and 50,000 unique permission groups already created, does it then allow adding a new security group (after disabling throttling on that list; reference code SPList.EnableThrottling=False;)? Please confirm.
