{"id":1970,"date":"2012-03-19T06:17:49","date_gmt":"2012-03-19T06:17:49","guid":{"rendered":"https:\/\/poiseddevelopers.com\/reality-tech\/?p=1970"},"modified":"2024-05-06T12:01:22","modified_gmt":"2024-05-06T12:01:22","slug":"clarifying-the-security-scope-limits-in-sharepoint-lists","status":"publish","type":"post","link":"https:\/\/poiseddevelopers.com\/reality-tech\/clarifying-the-security-scope-limits-in-sharepoint-lists\/","title":{"rendered":"Clarifying the Security Scope limits in SharePoint lists"},"content":{"rendered":"<p>Historically, Microsoft has used the more conservative definition of a security scope: \u201c<strong>A scope is the security boundary for a securable object and any of its children that do not have a separate security boundary defined<\/strong>.\u201d This implies that 10,000 uniquely assigned documents amongst five people (5*4*3*2*1 = 5! = 120) would be 10,000 security permissions, and not some number &lt;=120.<\/p>\n<p><a href=\"https:\/\/technet.microsoft.com\/en-us\/library\/cc262787(v=office.15).aspx\" target=\"_blank\" rel=\"noopener\" aria-label=\"https:\/\/technet.microsoft.com\/en-us\/library\/cc262787(v=office.15).aspx - open in a new tab\" data-uw-rm-ext-link=\"\" style=\"color:#1f6799\">https:\/\/technet.microsoft.com\/en-us\/library\/cc262787(v=office.15).aspx<\/a><\/p>\n<p>After the number of unique security scopes exceeds the value of the List Query Size Threshold, SharePoint uses a code path that requires additional SQL round trips to analyze the scopes before rendering a view. So the impact is on viewing the list of documents (and providing the security-trimmed view), hence my suggestion in such situations to consider retaining or even reducing the SharePoint default View limit of 30 items per page.<\/p>\n<p>To test this out, I did an extract from a Content DB that houses a Document Library I have handy with many custom permissions divided amongst eight users. Probing the underlying data, it has 18 distinct ACLs among 7K+ \u201cScopes\u201d, each with a unique ScopeURL and ScopeID (the internal Microsoft field names). Even though the ACLs are identical (SharePoint uses an ACL ID that I can pivot on to group the Scopes), each folder and often document has a unique scope, because of the way I had broken inheritance thousands of times, even though the ACL assignment was only one of a couple dozen permutations. Here\u2019s the SQL you can use if you wish to probe:<\/p>\n<p>SELECT [SiteId], [ScopeId], [RoleDefWebId], [WebId], [ScopeUrl], [Acl]<br \/>\nFROM [your Content DB].[dbo].[Perms] order by scopeurl<\/p>\n<p>An even better query exposes the web URL:<\/p>\n<p>SELECT [fullurl], perms.[SiteId], perms.[ScopeId], [RoleDefWebId], [WebId], [ScopeUrl], [Acl]<br \/>\nFROM [dbo].[Perms],[dbo].allwebs<br \/>\nwhere perms.WebId = allwebs.id<br \/>\norder by scopeurl<\/p>\n<p>As an aside, you can see the number of security principals per scope, using this SQL:<\/p>\n<p>select COUNT(ra.PrincipalId) as [Count],p.ScopeUrl from RoleAssignment ra with(nolock)<br \/>\njoin Perms p with(nolock)<br \/>\non p.SiteId = ra.SiteId and p.ScopeId = ra.ScopeId<br \/>\ngroup by p.ScopeUrl<br \/>\norder by p.ScopeUrl desc<\/p>\n<p>So that closes the issue. The limit is not the unique combinations of ACLs, but instead the number of times permissions have been broken from a parent in the Document Library. 
So the guidelines might be:<\/p>\n<p>Use folders whenever possible to encapsulate security<br \/>\nBreak up huge Document Libraries along security boundaries<br \/>\nNever go past 50,000 unique permissions per list<br \/>\nYou don\u2019t want to go beyond 5,000 unique permissions per list without suffering severe performance impact<br \/>\nDon\u2019t breach 1,000 unique permissions per list, otherwise you will see a performance impact of 20% or more<br \/>\nNever, ever feed a SharePoint Administrator caffeine after midnight\u2026lol<\/p>\n<p>Microsoft writes:<br \/>\nhttps:\/\/technet.microsoft.com\/en-us\/library\/cc262787(v=office.15).aspx<br \/>\nThe maximum number of unique security scopes set for a list should not exceed 1,000.<br \/>\nA scope is the security boundary for a securable object and any of its children that do not have a separate security boundary defined. A scope contains an Access Control List (ACL), but unlike NTFS ACLs, a scope can include security principals that are specific to SharePoint Server. The members of an ACL for a scope can include Windows users, user accounts other than Windows users (such as forms-based accounts), Active Directory groups, or SharePoint groups.<\/p>\n<p>SharePoint 2010:<br \/>\nWhen a greater number of unique security scopes than the value of the List Query Size Threshold (default is 5,000) set to the web application are created for folders or documents in a list, there\u2019s a significant performance degradation in SharePoint operations that badly affects end users\u2019 operations (rendering content) as well as SharePoint activities like indexing SharePoint Content. 
After the number of unique security scopes exceeds the value of the List Query Size Threshold, SharePoint uses a code path that requires additional SQL round trips to analyze the scopes before rendering a view.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Historically, Microsoft has defined it along the more conservative definition as \u201cA scope is the security boundary for a securable object and any of its children that do not have a separate security boundary defined.\u201d.\u00a0 This implies that 10,000 uniquely assigned documents amongst five people (5*4*3*2*1 = 5! 
= 120) would be 10,000 security permissions, [&hellip;]<\/p>\n","protected":false},"author":6,"featured_media":1974,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[32],"tags":[],"class_list":["post-1970","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-sharepoint"],"acf":[],"_links":{"self":[{"href":"https:\/\/poiseddevelopers.com\/reality-tech\/wp-json\/wp\/v2\/posts\/1970","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/poiseddevelopers.com\/reality-tech\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/poiseddevelopers.com\/reality-tech\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/poiseddevelopers.com\/reality-tech\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"https:\/\/poiseddevelopers.com\/reality-tech\/wp-json\/wp\/v2\/comments?post=1970"}],"version-history":[{"count":6,"href":"https:\/\/poiseddevelopers.com\/reality-tech\/wp-json\/wp\/v2\/posts\/1970\/revisions"}],"predecessor-version":[{"id":3523,"href":"https:\/\/poiseddevelopers.com\/reality-tech\/wp-json\/wp\/v2\/posts\/1970\/revisions\/3523"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/poiseddevelopers.com\/reality-tech\/wp-json\/wp\/v2\/media\/1974"}],"wp:attachment":[{"href":"https:\/\/poiseddevelopers.com\/reality-tech\/wp-json\/wp\/v2\/media?parent=1970"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/poiseddevelopers.com\/reality-tech\/wp-json\/wp\/v2\/categories?post=1970"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/poiseddevelopers.com\/reality-tech\/wp-json\/wp\/v2\/tags?post=1970"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}