There has been quite a lot of content written on Microsoft’s capacity recommendations for SharePoint 2010 and how various aspects can affect overall SharePoint performance. Several recommendations Microsoft makes have to do with how content is structured, and with how permissions are managed. These recommendations are important to understand, both in practice and within the wider context of other SharePoint recommendations and limits, because SharePoint performance for end users can be significantly impacted by badly structured content libraries or over-use of metadata or unique permissions.
The TITUS SharePoint Security Suite has been designed to work well within the limitations and recommendations Microsoft has published on libraries and lists within SharePoint. I’ll discuss some of these recommendations here, how they relate to TITUS Security Suite products, and what they mean in practice. For the full list of capacity and performance recommendations on SharePoint 2010, please refer to Microsoft’s extensive documentation on the subject: http://technet.microsoft.com/en-us/library/cc262971.aspx.
Recommendation on Unique Permissions
One important recommendation which Microsoft makes is that lists (and libraries) in SharePoint can have a maximum of 50,000 unique permissions. This is actually a configurable value in SharePoint 2010, which can be adjusted by administrators in the Central Administration console. It refers specifically to the number of items in a list or library that can have a unique set of permissions at one time (i.e. a unique security scope).
For example, if a library has a set of permissions at the library level so that some users have full control and others have read access over content within the library, this constitutes 1 security scope. If a document within that library then has some unique permissions set (in other words, it breaks inheritance from its parent library), that constitutes a 2nd security scope. If another document within this library has a unique permission applied to it, where an Active Directory group of 1,000 users is given read access, this constitutes a 3rd security scope. Finally, if you have 100 items within the library that have unique permissions, in other words 100 items that all break inheritance from their parent library, then that constitutes 101 security scopes (remember you have 1 at the library level).
This seems to suggest that you can only have up to 49,999 items within a library when you want to have unique permissions for each item. Although this is technically true, there are other recommendations and limits within SharePoint that come into play. Also, generally you will want to set up a library with inherited permissions for most documents, with only some exception documents having unique permissions. As well, there are strategies for dealing with much more content than this within a library when you need specific permission levels in place for sensitive content.
Related Limits and Thresholds
Here are some other important recommendations from Microsoft to keep in mind when managing the structure of your SharePoint content, along with the required permissions:
- Size of a Security Scope
One security scope can contain many users or groups, each with their own permission level. So, for a specific document I can have unique permissions that state User1 has Full Control permissions, User2 has Read permissions, GroupA has Contribute permissions, and it all constitutes 1 security scope. Microsoft recommends that any single security scope contain no more than 5,000 users or groups. This is a recommendation and not a hard limit. So, on any individual document, folder or library/list you should have no more than 5,000 users or groups set, each with their own permission level.
- Active Directory (AD) Groups versus SharePoint groups
Microsoft recommends using AD groups when using groups to set permissions, as opposed to SharePoint groups. AD groups are much faster and more efficient for SharePoint to process. SharePoint groups, although supported, require SharePoint to go back to the database and crawl the entire index when assigning permissions.
- List View Threshold
A setting was introduced in SharePoint 2010 called the List View Threshold, which controls the number of items that can be retrieved from the database on any single query. This value ultimately affects the number of items that can be viewed at the root level of a library or a folder. Its default value is 5,000; it can be raised as high as 50,000, but the appropriate value depends on farm size and architecture as well. Microsoft recommends that you do not exceed this value when storing items in a list, library or folder, unless you plan to create custom views on these containers that do not return more than 5,000 items. They continue by saying that exceeding this value will also cause a general slowdown across your SharePoint repository. Depending on how your content is organized, it may not be practical to store more than 5,000 items in a single library, list or folder because those items become increasingly difficult to find and work with. As well, retention policies should be considered when items accumulate in libraries for long periods of time, as they will eventually affect the performance of your overall SharePoint farm.
Recommendations on Unique Permissions
Although the Unique Permissions Threshold discussed above is set by default at 50,000, there are various recommendations made in several Microsoft documents as well as other blogs and documents (some of which contradict each other) about setting this value lower, to 5,000 or even 1,000, in order to optimize performance. As well, there is other documentation contradicting this by saying the right value is dependent on the List View Threshold (see the Microsoft support article: http://support.microsoft.com/kb/2420771). What we have found in practice with customers and through testing is that where you set this limit is very dependent on 2 things:
- The size and architecture of the SharePoint farm (servers, memory, CPU, # of web front ends, etc), and
- The structure and organization of your content
In practice, we’ve found that 5,000 items with unique permissions in a single library or list is very reasonable for most environments, depending on their size and configuration. We’ve worked with TITUS Metadata Security to automate permissions assignment in these cases and seen the SharePoint farm continue to operate quickly and efficiently. As well, our testing with libraries containing 50,000 items with unique permissions has shown that these environments can also continue to operate well.
When you think about this limit, in order to exceed it, you would need to have a library in which you had 5,000 documents each with a unique set of users or groups with their own permissions. You could of course have other documents in this same library which inherit permissions from the parent, because those would not contribute to the Unique Permissions Threshold. However, this would cause issues with your view of the library because the number of items would exceed the List View Threshold as discussed above (unless you get into creating custom views). We’ve seen in practice, even in large enterprises, that SharePoint content tends to be spread across multiple libraries logically, typically by department, team or function. In all practicality, having over 5,000 items with unique permissions in one library probably suggests that a slightly different structure is required for organizing this content.
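Before deciding where to set the Unique Permissions Threshold for a farm, it helps to know how close each library actually is to the three numbers discussed above (items versus the List View Threshold, security scopes versus the Unique Permissions Threshold, and principals per scope versus the 5,000 recommendation). The following is an added example, not TITUS or Microsoft code, written for the SharePoint 2010 Management Shell on a farm server. It assumes the SharePoint 2010 server object model members used here (HasUniqueRoleAssignments, RoleAssignments, SPQuery paging, and the web application properties MaxItemsPerThrottledOperation and MaxUniquePermScopesPerList); the site URL is a placeholder.

```powershell
# Added example (not TITUS or Microsoft code): audit every visible list in one site
# against the List View Threshold, the Unique Permissions Threshold and the 5,000
# principals-per-scope recommendation. Run from the SharePoint 2010 Management Shell.
if (-not (Get-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

function Get-ListScopeReport {
    param(
        [Parameter(Mandatory = $true)][Microsoft.SharePoint.SPList]$List,
        [int]$MaxPrincipalsPerScope = 5000    # Microsoft's recommendation, not a hard limit
    )

    # Assumed property names on SPWebApplication for the two configurable thresholds.
    $webApp              = $List.ParentWeb.Site.WebApplication
    $listViewThreshold   = $webApp.MaxItemsPerThrottledOperation   # List View Threshold, default 5,000
    $uniquePermThreshold = $webApp.MaxUniquePermScopesPerList      # Unique Permissions Threshold, default 50,000

    # The list itself always counts as one security scope, whether it inherits or not.
    $scopes       = 1
    $largestScope = $List.RoleAssignments.Count
    $itemsSeen    = 0

    # Page through the list with a RowLimit below the List View Threshold so that the
    # audit query itself is not throttled. RecursiveAll returns items inside folders too.
    $query = New-Object Microsoft.SharePoint.SPQuery
    $query.ViewAttributes = "Scope='RecursiveAll'"
    $query.ViewFields     = "<FieldRef Name='ID'/>"
    $query.RowLimit       = [Math]::Min(2000, $listViewThreshold - 1)
    do {
        $items = $List.GetItems($query)
        foreach ($item in $items) {
            $itemsSeen++
            if ($item.HasUniqueRoleAssignments) {
                $scopes++                                  # this item breaks inheritance: one more scope
                $n = $item.RoleAssignments.Count           # users/groups granted directly on this item
                if ($n -gt $largestScope) { $largestScope = $n }
            }
        }
        $query.ListItemCollectionPosition = $items.ListItemCollectionPosition
    } while ($null -ne $query.ListItemCollectionPosition)

    [pscustomobject]@{
        List                      = $List.Title
        Items                     = $itemsSeen
        ItemsOverListViewThreshold = ($itemsSeen -gt $listViewThreshold)   # needs folders or custom views
        UniqueScopes              = $scopes
        ScopesOverThreshold       = ($scopes -gt $uniquePermThreshold)
        LargestScopePrincipals    = $largestScope
        ScopeOverRecommendation   = ($largestScope -gt $MaxPrincipalsPerScope)
    }
}

# Usage: placeholder URL, replace with a real site in your farm.
$web = Get-SPWeb "http://sharepoint.example.local/sites/finance"
try {
    $web.Lists | Where-Object { -not $_.Hidden } |
        ForEach-Object { Get-ListScopeReport -List $_ } |
        Sort-Object UniqueScopes -Descending |
        Format-Table -AutoSize
}
finally {
    $web.Dispose()
}
```

Lists that come back with ScopesOverThreshold or a high UniqueScopes count are the candidates for the restructuring strategies below; a list with ItemsOverListViewThreshold set is the one whose default view will be affected even though its permissions may be perfectly healthy.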
If by chance you do run into this, here are some simple recommended strategies to better organize content not only to reduce the number of security scopes, but also to make the content easier to find and easier to work with.
- Organizing your content logically within sites, libraries and lists by team, department or function where similar groups of people have the same access rights is an obvious one
- Using AD groups to apply permissions can help to greatly reduce the number of individual users with explicit permissions set
- Organizing content within folders and document sets can also be used to better organize content. For example, putting 100 documents with similar function and the same permissions into a folder, and setting the permissions on the folder, will reduce the number of security scopes from 100 to 1 because those documents will inherit permissions from the folder. The same applies for document sets.
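The folder strategy above is only safe when the documents being moved under a single folder scope really do carry the same permissions; resetting inheritance on an item that granted different access would silently change who can read it. The following is an added example, not TITUS or Microsoft code, for the SharePoint 2010 Management Shell: it compares each file's role assignments in a folder against the folder's own, resets inheritance only on exact matches (collapsing those scopes into the folder's one scope), and reports the genuine exceptions untouched. It assumes the object model members HasUniqueRoleAssignments, RoleAssignments, RoleDefinitionBindings, ResetRoleInheritance and SPRoleType.Guest (the type behind "Limited Access"); the site URL and folder path are placeholders.

```powershell
# Added example (not TITUS or Microsoft code): collapse item-level scopes into a folder
# scope, but only where effective access is identical. Run from the SharePoint 2010
# Management Shell on a farm server.
if (-not (Get-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

function Get-ScopeSignature {
    param([Parameter(Mandatory = $true)][Microsoft.SharePoint.SPListItem]$Item)
    # Build a canonical "principal=levels" string so two scopes can be compared exactly.
    # "Limited Access" (SPRoleType.Guest) is traversal-only and is added automatically when a
    # child breaks inheritance, so it is excluded on both sides of the comparison.
    $parts = foreach ($ra in $Item.RoleAssignments) {
        $levels = @($ra.RoleDefinitionBindings |
            Where-Object { $_.Type -ne [Microsoft.SharePoint.SPRoleType]::Guest } |
            ForEach-Object { $_.Name } | Sort-Object)
        if ($levels.Count -gt 0) {
            "{0}:{1}={2}" -f $ra.Member.ID, $ra.Member.Name, ($levels -join ',')
        }
    }
    (@($parts) | Sort-Object) -join ';'
}

function Merge-ItemScopesIntoFolder {
    param(
        [Parameter(Mandatory = $true)][Microsoft.SharePoint.SPFolder]$Folder,
        [switch]$WhatIf    # report what would change without touching permissions
    )
    $folderItem = $Folder.Item
    if ($null -eq $folderItem -or -not $folderItem.HasUniqueRoleAssignments) {
        throw "Folder '$($Folder.Url)' has no unique permissions of its own; set them on the folder first."
    }
    $target  = Get-ScopeSignature -Item $folderItem
    $removed = 0
    $kept    = @()

    foreach ($file in $Folder.Files) {
        $item = $file.Item
        if (-not $item.HasUniqueRoleAssignments) { continue }   # already part of the folder's scope
        if ((Get-ScopeSignature -Item $item) -eq $target) {
            # Same principals, same levels: inheriting from the folder changes nobody's access,
            # and removes one security scope from the list.
            if (-not $WhatIf) { $item.ResetRoleInheritance() }
            $removed++
        }
        else {
            $kept += $file.Name   # genuinely different access: keep as a deliberate exception
        }
    }

    [pscustomobject]@{
        Folder         = $Folder.Url
        ScopesRemoved  = $removed
        ExceptionsKept = $kept
        DryRun         = [bool]$WhatIf
    }
}

# Usage: placeholder URL and folder path. Run with -WhatIf first and review ExceptionsKept.
$web = Get-SPWeb "http://sharepoint.example.local/sites/finance"
try {
    $folder = $web.GetFolder("Shared Documents/Budget Reports")
    Merge-ItemScopesIntoFolder -Folder $folder -WhatIf | Format-List
}
finally {
    $web.Dispose()
}
```

The dry run is the important step: the files listed under ExceptionsKept are the ones whose permissions differ from the folder's, and they are exactly the "exception documents" that should remain item-level, so the folder ends up holding the common scope while sensitive outliers keep their own.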
With these considerations in mind, the recommendations and limits described by Microsoft are in fact quite high when put into practice, and they help you to better organize your content in SharePoint so that it’s easier for end users to find and work with. TITUS can then help to ensure that this content is secure within SharePoint and that the right users are accessing the right content. Overall, TITUS recommends that customers have a well structured SharePoint farm, sized appropriately, and that content be organized logically with various libraries, lists, folders and document sets.
Using TITUS Metadata Security for SharePoint, administrators can automate permissions assignment and management on both folders and items. We recommend using Metadata Security to automatically apply item-level permissions to your sensitive content based on its metadata, and to automatically apply permissions to folders for other content. TITUS works with customers to ensure that SharePoint limits and recommendations are respected, and that permissions management becomes automated and consistent across the farm using TITUS products.