Follow me on Twitter @AntonioMaio2

Tuesday, March 19, 2013

Updated SharePoint 2013 Software Boundaries and Limits: Unique Permissions

I am really happy to report a recent update to the SharePoint 2013 Boundaries and Limits web page.  Large enterprises in particular can have extremely large requirements for their SharePoint environments and this site has proven to be invaluable in determining what SharePoint can do, what it can't do and which boundaries can be pushed to the brink.

The update I want to highlight is related to SharePoint security scopes.  Security scopes in SharePoint are also referred to as "unique permissions" or "fine grained permissions".  People often think of fine grained permissions when they refer to a document or library that requires some unique permission for a user or group (for example, a spreadsheet containing senior executive salaries might require unique permission to prevent other individuals from being permitted to view or access it).  In fact, whenever permission inheritance is broken on a document, item, folder, library or subsite, a new security scope is created.

For years, advisors in the SharePoint community have been telling SharePoint administrators and consultants that they should avoid fine grained permissions because this would cause performance issues for end users when navigating through SharePoint or retrieving content that needs to be security trimmed.  As well, there was a lot of confusion in the community about whether the threshold at which performance issues started was 1000 or 5000 security scopes.  There were several Microsoft publications on this topic with differing numbers.  In fact, this limitation was previously true in older versions of SharePoint and in early releases of SharePoint 2010. 

However, this limitation has been seen for some time as a real problem for many organizations that deal with very sensitive information.  Examples of these are the military, governments, defense organizations and large regulated enterprises.  They deal with large amounts of very sensitive information and very strict regulatory compliance requirements, so creating new sites or libraries with specific permissions and having all content within inherit those permissions is simply not practical in these environments.

I'm very happy to say that Microsoft has finally updated this threshold! 

Microsoft actually released an update to SharePoint 2010 in the summer of 2011 to address this issue. With SharePoint 2010 Service Pack 1, with the August 2011 cumulative update or higher, this threshold on security scopes was actually raised to 50,000. As well, the point at which multiple round trips to the SQL database occur was clarified: it's actually when the number of unique security scopes (unique permissions) in a list or library exceeds the List View Threshold setting. It's not a hard setting of 5000 items that triggers multiple SQL round trips.

Despite this very significant update, the documentation related to this threshold was not updated at that time.  SharePoint 2013 was released with the same security scope threshold of 50,000.  The goal for that release was to hold this line, which is great.  However, again the documentation was not updated.

At last, as of March 5, 2013, the documentation related to this threshold has now been updated to reflect this change! 

Security Scopes Section in SharePoint 2013 Boundaries and Limits Documentation

The full site on SharePoint 2013 Boundaries and Limits can be found here:  A big thank you to the Microsoft folks I've been speaking with about this issue for making the update!

At TITUS we have been working in the realm of unique permissions and security scopes for years. We work with military, government organizations and large enterprises around the world helping them to secure access to sensitive information in SharePoint. So this is a welcome change. We have had customers in the field with several libraries and lists containing between 50,000 and 60,000 unique security scopes, and after significant testing after the update to SharePoint 2010 Service Pack 1 (with appropriate CUs) they've found that their end users are not experiencing performance issues when navigating these lists and libraries or searching for content.

It's important to note that the Security Scope value is a threshold and not a hard limit, so you can surpass 50,000 if you really want to or if you can throw enough hardware at the problem. Remember, the number which can be used without experiencing performance issues is not unlimited, so unique permissions must still be applied appropriately where needed. That said, they are a useful tool in cases where sensitive information or regulatory compliance requirements require that permissions be applied at a fine grained level in order to ensure the right users are accessing the right information... and I would suggest that we in the community can stop recommending against their usage.
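To see how close a given list or library is to the two numbers discussed above (the 50,000 security scope threshold and the List View Threshold that governs multiple SQL round trips), the following added example counts the objects with broken inheritance using the SharePoint server object model. It is not code from Microsoft or from this post; the function name `Get-UniqueScopeCount`, its parameters and the URL in the usage comment are assumptions made for illustration.

```powershell
# Added example; run from the SharePoint Management Shell on a farm server.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-UniqueScopeCount {              # hypothetical helper name
    param(
        [Parameter(Mandatory = $true)][string]$WebUrl,
        [Parameter(Mandatory = $true)][string]$ListTitle,
        [int]$ScopeThreshold = 50000         # security scope threshold quoted in the post
    )
    $web = Get-SPWeb -Identity $WebUrl
    try {
        $list = $web.Lists.TryGetList($ListTitle)
        if ($list -eq $null) { throw "List '$ListTitle' not found in $WebUrl" }

        # List View Threshold as configured on the hosting web application
        $lvt = $web.Site.WebApplication.MaxItemsPerThrottledOperation

        # Page through all items and folders so a large list is never loaded at once
        $query = New-Object Microsoft.SharePoint.SPQuery
        $query.ViewAttributes = "Scope='RecursiveAll'"
        $query.RowLimit = 2000

        # The list counts as one scope if its own inheritance is broken
        $broken = 0
        if ($list.HasUniqueRoleAssignments) { $broken++ }
        do {
            $items = $list.GetItems($query)
            foreach ($item in $items) {
                # Each item or folder with broken inheritance owns its own security scope
                if ($item.HasUniqueRoleAssignments) { $broken++ }
            }
            $query.ListItemCollectionPosition = $items.ListItemCollectionPosition
        } while ($query.ListItemCollectionPosition -ne $null)

        New-Object PSObject -Property @{
            List                     = $list.Title
            ItemCount                = $list.ItemCount
            UniqueScopes             = $broken
            ListViewThreshold        = $lvt
            ExceedsListViewThreshold = ($broken -gt $lvt)
            ExceedsScopeThreshold    = ($broken -gt $ScopeThreshold)
        }
    }
    finally { $web.Dispose() }
}

# Usage (placeholder URL and list title):
# Get-UniqueScopeCount -WebUrl 'http://sharepoint.example/sites/hr' -ListTitle 'Documents'
```

Items that sit under a folder with unique permissions and still inherit from it share that folder's scope, so they are not counted separately.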

This is a significant and welcome change for Microsoft SharePoint, especially in environments that deal with sensitive information or compliance obligations.

     - Antonio

