
05/13/2010

Comments


Hi,

Quick note to let you know that this is a great article and that the link to the post "SharePoint 2010 User Experience - Document Sets" is broken and could be updated to this link: http://www.helloitsliam.com/Lists/Posts/ViewPost.aspx?ID=211

Thanks

Thanks Liam,

I've fixed the link...Charlie

If a large number of documents require unique permissions, don't you run into the SharePoint limits as prescribed by Microsoft? For instance, no more than 1000 security scopes and no more than 50k unique permissions per list.

Good question. The TITUS SharePoint Security Suite has been designed to work well within the limitations and recommendations which Microsoft imposes on libraries/lists within SharePoint. The limits you describe are important, but must be understood in the context of other SharePoint recommendations.

For example, the max limit of 50,000 unique permissions on a library refers to the # of unique users or groups configured to access items within that library. So, if you have configured an Active Directory (AD) group with 1000 users to have Read access to an item within the library, that consumes only 1 of these 50,000 unique permissions. If you configure a specific user to have Full Control over a document in a library, that would consume another of these. For you to reach this particular limit you would have to configure 50,000 unique users or unique AD groups to have access to items within the library. We’ve seen in practice, even in large enterprises, that SharePoint content is spread across multiple libraries logically and you don’t typically have 50,000 unique individual user accounts or groups individually configured on items within the same library. If by chance you did run into this, using multiple AD groups is a recommended way to organize access rights on such a large library and they are supported by TITUS SharePoint products.

The 1,000 security scope recommendation, put very simply, refers to the number of items in a list that break inheritance. It is in fact a recommendation and not a hard limit. This one is very dependent on the size of the SharePoint farm (servers, memory, CPU, # of web front ends, etc). We have seen Microsoft documentation which describes 5,000 scopes as a recommendation, and other documentation contradicting it describing 1,000 scopes as the recommendation. For example, please see this Microsoft support article: http://support.microsoft.com/kb/2420771.

Some of the other recommendations and limitations SharePoint has which are important are:
- If using groups, use AD groups to assign permissions and avoid SP groups. AD groups are much faster/efficient for SP to process. TITUS Metadata Security supports both, but we pass on Microsoft’s recommendation here of using AD groups with our product.
- SP2010 has a variable called the List View Threshold which controls the number of items that any SharePoint SQL query can return, but ultimately affects the number of items that can be viewed at the root level of a library or a folder (default value is 5,000, can go as high as 50,000, but is dependent on farm size).

With this in mind, the limits/recommendations described by Microsoft are in fact high when put into practice, or they fall in line with other limits on how much content you can put into a library (root level) or folder. Overall, we recommend customers have a well-structured SharePoint farm, sized appropriately, and that content be organized appropriately with various libraries, folders and lists.

Using TITUS Metadata Security for SharePoint, administrators can automate permissions assignment and management on both folders and items. We recommend using Metadata Security to automatically apply item-level permissions to your sensitive content based on its metadata, and then automatically apply permissions to folders for other content. We work with customers to ensure that SharePoint limits/recommendations are respected and that permissions management becomes automated and consistent across the farm using TITUS products.
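
To see where a given library stands against the figures discussed in this thread, the following added example (not TITUS or Microsoft code, and not part of the original comments) counts the items and folders that break inheritance and the distinct users or groups granted on them, using the SharePoint 2010 server object model from the SharePoint Management Shell. The function name, its parameters, the 1,000 default and the sample URL are assumptions for illustration.

```powershell
# Added example: run on a SharePoint 2010 server with rights to read the list.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-ListPermissionFootprint {      # hypothetical helper name
    param(
        [Parameter(Mandatory=$true)][string]$WebUrl,
        [Parameter(Mandatory=$true)][string]$ListTitle,
        [int]$ScopeThreshold = 1000         # recommendation quoted in the thread
    )
    $web = Get-SPWeb $WebUrl
    try {
        $list = $web.Lists.TryGetList($ListTitle)
        if ($list -eq $null) { throw "List '$ListTitle' not found at $WebUrl" }

        $uniqueObjects = 0                  # items/folders that break inheritance
        $principals    = @{}                # distinct users/groups, keyed by member ID

        # Folders can break inheritance as well as items, so walk both collections.
        # Note: enumerating every item is slow on very large lists; run off-hours.
        foreach ($collection in @($list.Folders, $list.Items)) {
            foreach ($item in $collection) {
                if (-not $item.HasUniqueRoleAssignments) { continue }
                $uniqueObjects++
                foreach ($assignment in $item.RoleAssignments) {
                    # An AD group counts once here, whatever its membership size.
                    $principals[$assignment.Member.ID] = $assignment.Member.Name
                }
            }
        }

        New-Object PSObject -Property @{
            List               = $list.Title
            TotalItems         = $list.ItemCount
            ListBreaksInherit  = $list.HasUniqueRoleAssignments
            UniqueItemsFolders = $uniqueObjects
            DistinctPrincipals = $principals.Count
            OverScopeThreshold = ($uniqueObjects -gt $ScopeThreshold)
        }
    }
    finally {
        $web.Dispose()                      # release the SPWeb handle
    }
}

# Constructed sample call (placeholder URL and library name):
# Get-ListPermissionFootprint -WebUrl "http://sharepoint.example/sites/hr" -ListTitle "Documents"
```

Pass `-ScopeThreshold 5000` to compare against the other recommendation mentioned above.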
