Best Practices for Unique Permissions in a SharePoint List
We all know that configuring unique permissions (also known as breaking permissions) for list items in a SharePoint list is generally a bad idea. Besides creating management and security issues, it decreases performance. If most list items are going to have unique permissions, you don’t really want to add them to one list. Microsoft has some very useful information on this topic in the TechNet article Designing large lists and maximizing list performance (SharePoint Server 2010).
Because the default value for unique permissions is 50,000 per list, it’s best to lower it to a value that is closer to 5,000. You can configure this setting in Central Administration per Web application. Go to Central Administration -> Application Management -> Manage web applications. Highlight the Web application and, on the ribbon, select General Settings -> Resource Throttling.
According to Microsoft, “The throughput difference for operations on a list between 0 and 1,000 unique permissions is around 20 percent. There is a configurable default of 50,000 unique permissions per list. However, we recommend that you consider lowering this limit to 5,000 unique permissions and for large lists consider using a design that uses as few unique permissions as possible. This will help not only performance, but also manageability.”
Here are Microsoft’s recommendations:
1. Minimize the use of unique permissions on individual items, and simplify list designs that require most items to have unique permissions.
2. If unique permissions are needed, try to set them only at the list or folder level and minimize the number of individual items that need unique permissions.
3. Reconsider your design if each item requires individual permissions. Investigate dividing items between multiple lists, or organize items into folders and groups so proper access can be granted without putting unique permissions on every item.
Not only are fine-grained permissions difficult to manage and bad for performance; setting fine-grained permissions on a list or folder that exceeds the list view threshold will be blocked, because too many individual items have to be updated. That’s why Microsoft recommends that you lower this limit from 50,000 to 5,000.
Bad design has its price and breaking permission inheritance can impact performance. Here’s how Microsoft explains it: “Whenever permission inheritance is broken for an item, such as a folder, it is counted as a unique permission toward this limit. Each time permissions inheritance is broken, a new scope ID is created. Each time that you query on a view, you join against the scopes table. Then, when a query is performed, each unique access control list (ACL) must be parsed and processed. A large number of unique permissions in a list will adversely affect performance and is not recommended. As the number of unique permissions in a list grows, query performance will degrade. Even though the default limit is 50,000 unique permissions, you might want to consider lowering this limit to 5,000 unique permissions.”
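To see how close existing lists are to the limit before lowering it, the following added example (not from the original article or from Microsoft) counts items and folders with broken inheritance per list, using the SharePoint 2010 Management Shell. The web application URL is a placeholder, and the count of items with unique role assignments is used here as an approximation of the number of scopes in each list.

```powershell
# Added example: run in the SharePoint 2010 Management Shell as a farm administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webAppUrl = "http://sharepoint.example.com"  # placeholder URL (assumption)
$target    = 5000                              # limit recommended in the article

$wa = Get-SPWebApplication $webAppUrl
"Current unique permissions limit per list: {0}" -f $wa.MaxUniquePermScopesPerList

$report = foreach ($site in Get-SPSite -WebApplication $wa -Limit All) {
    foreach ($web in $site.AllWebs) {
        foreach ($list in $web.Lists) {
            # Page through items and folders so large lists are not loaded at once.
            $query = New-Object Microsoft.SharePoint.SPQuery
            $query.ViewAttributes = "Scope='RecursiveAll'"
            $query.RowLimit = 2000
            $unique = 0
            do {
                $items = $list.GetItems($query)
                foreach ($item in $items) {
                    # True when inheritance is broken on this item or folder.
                    if ($item.HasUniqueRoleAssignments) { $unique++ }
                }
                $query.ListItemCollectionPosition = $items.ListItemCollectionPosition
            } while ($query.ListItemCollectionPosition -ne $null)

            if ($unique -gt 0) {
                New-Object PSObject -Property @{
                    Web = $web.Url; List = $list.Title
                    UniqueItems = $unique; OverTarget = ($unique -gt $target)
                }
            }
        }
        $web.Dispose()
    }
    $site.Dispose()
}

# Lists with the most broken-inheritance items first.
$report | Sort-Object UniqueItems -Descending |
    Format-Table Web, List, UniqueItems, OverTarget -AutoSize

# Once no list exceeds the target, lower the per-list limit for the web application
# (the value shown under Resource Throttling in Central Administration):
# $wa.MaxUniquePermScopesPerList = $target
# $wa.Update()
```

Lists reported with OverTarget set to True are the ones to redesign with folders, groups, or multiple lists, as recommended above, before the lower limit is applied.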