Follow me on Twitter @AntonioMaio2

Tuesday, March 19, 2013

Updated SharePoint 2013 Software Boundaries and Limits: Unique Permissions

I am really happy to report a recent update to the SharePoint 2013 Boundaries and Limits web page.  Large enterprises in particular can have extremely large requirements for their SharePoint environments and this site has proven to be invaluable in determining what SharePoint can do, what it can't do and which boundaries can be pushed to the brink.

The update I want to highlight is related to SharePoint security scopes.  Security scopes in SharePoint are also referred to as "unique permissions" or "fine grained permissions".  People often think of fine grained permissions when they refer to a document or library that requires some unique permission for a user or group (for example, a spreadsheet containing senior executive salaries might require unique permission to prevent other individuals from being permitted to view or access it).  In fact, whenever permission inheritance is broken on a document, item, folder, library or subsite, a new security scope is created.

For years, advisors in the SharePoint community have been telling SharePoint administrators and consultants that they should avoid fine grained permissions because this would cause performance issues for end users when navigating through SharePoint or retrieving content that needs to be security trimmed.  As well, there was a lot of confusion in the community about whether the threshold at which performance issues started was 1000 or 5000 security scopes.  There were several Microsoft publications on this topic with differing numbers.  In fact, this limitation was previously true in older versions of SharePoint and in early releases of SharePoint 2010. 

However, this limitation has been seen for some time as a real problem for many organizations that deal with very sensitive information.  Examples of these are the military, governments, defense organizations and large regulated enterprises.  They deal with large amounts of very sensitive information and very strict regulatory compliance requirements, so creating new sites or libraries with specific permissions and having all content within inherit those permissions is simply not practical in these environments.

I'm very happy to say that Microsoft has finally updated this threshold! 

Microsoft actually released an update to SharePoint 2010 in the summer of 2011 to address this issue.  With SharePoint 2010 Service Pack 1, with the August 2011 cumulative update or higher, this threshold on security scopes was actually raised to 50,000.  As well, the point at which multiple round trips to the SQL database occur was clarified - its actually when the number of unique security scopes (unique permissions) in a list or library exceeds the List View Threshold setting.  Its not a hard setting of 5000 items that triggers multiple SQL roundtrips to occur.

Despite this very significant update, the documentation related to this threshold was not updated at that time.  SharePoint 2013 was released with the same security scope threshold of 50,000.  The goal for that release was to hold this line, which is great.  However, again the documentation was not updated.

At last, as of March 5, 2013, the documentation related to this threshold has now been updated to reflect this change! 

Security Scopes Section in SharePoint 2013 Boundaries and Limits Documentation

The full site on SharePoint 2013 Boundaries and Limits can be found here:  A big thank you to the Microsoft folks I've been speaking with about this issue for making the update!

At TITUS we have been working in the realm of unique permissions and security scopes for years.  We work with military, government organizations and large enterprises around the world helping them to secure access to sensitive information in SharePoint.  So this is a welcome change.  We have had customers in the field with several libraries and lists containing between 50,000 and 60,000 unique security scopes, and after significant testing after the update to SharePoint 2010 Service Pack 1 (with appropriate CUs)  they've found that their end users are not experience performance issues when navigating these lists and libraries or searching for content. 

Its important to note that the Security Scope value is a threshold and not a hard limit, so you can surpass 50,000 if you really want to or if you can throw enough hardware at the problem.  Remember, the number which can be used without experiencing performance issues is not unlimited, so unique permissions must still be applied appropriately where needed.  That said, they are a useful tool in cases where sensitive information or regulatory compliance requirements requires that permissions be applied at a fine grained level in order to ensure the right users are accessing the right information... and I would suggest that we in the community can stop recommending against their usage.

This is a significant and welcome change for Microsoft SharePoint, especially in environments that deal with sensitive information, or compliance obligations.

     - Antonio


  1. This comment has been removed by a blog administrator.

  2. This comment has been removed by the author.

  3. This comment has been removed by the author.

  4. This comment has been removed by a blog administrator.

  5. Do you mind updating your blog post with additional insight? It should be really useful for all of us.
    carding forum

  6. Microsof company software is employed in every walk of life from Alcodasoftware sending an email to watching web content to assisting to produce business strategy and creating retail-able applications.

  7. This comment has been removed by the author.

  8. There is a greater chance of a company meeting its user requirements when it goes for custom-built ERP software other than a generic system solution.

  9. This seems to be the age of the entrepreneur, with small startups such as Facebook and Twitter proving that small businesses can grow - potentially exponentially with the right resources. Unfortunately, success stories like Facebook are rare in small business world, with over half of small businesses failing within five years of their startup, mainly due to lack of funding. As any small business or entrepreneur knows, funding is one of the most difficult parts of starting a...

  10. DEFINITION OF PERSONAL AND PAYDAY LOANS Most people feel that payday loans and personal loans are one and the same thing, but this is not at all true. They may seem similar, but they have many big differences which set the two options at opposite poles. One should consider the credit and the amount one needs to borrow to know what one qualifies for before one applies for it. buymodafinilonline

  11. Starting and maintaining a home business enterprise is a bold move. Home businesses can be immensely successful if you know how to maintain your businesses affairs in the right way. This article will cover some of the essentials you need to consider, to ensure the growth, success and profitability of your online business download rhinoceros 6

  12. Hi. I want to ask a little something…is the following a wordpress web log as we are planning to be switching over to WP. Moreover did you make this template yourself? Thanks a lot. putlockers