Unique permissions on a document library(ies)


  • Hello,

    The problem is:

    We need to store each year about 500.000 documents (or document sets). Each one has its own (unique) permissions. There will be about 700 A.D. groups and each document will be read-only by any combination of 2, 3, ..., even 50 A.D. groups. For example, the document doc34232314.docx will only have read permissions by A.D. groups 23, 312, 145, the document doc2134531.doc will only have read permissions by groups 67, 85, 99, 4, 100, 98, 32. These documents should be searchable.

    I have trouble understanding the "Software boundaries and limits for SharePoint 2013", especially the security scopes/unique permissions and how these affect my problem.

    a) I cannot understand the phrase "unique permissions". In my problem, would there be 500.000 unique permissions or just 700?

    b) Will a records center be able to manage this number of documents? Will I be able to search these documents?

    Thank you


    Tuesday, April 16, 2013 11:19 AM

All replies

  • From the TechNet article you posted a link to, it states: "The maximum number of unique security scopes set for a list cannot exceed 50,000."  This would apply to unique permissions, so you could not have more than 50,000 documents each with unique permissions in the library.  Further, over 5,000 and you'll see a performance hit, most likely a heavy one.

    a) Unique permissions are when any child object does not inherit the permissions of the parent.  So in your case, you'll be breaking permissions on each individual document, so it no longer inherits from its parent, the library.  Since each document in your case can have multiple AD groups applied, you will definitely have more than 700, but not sure if it would go as high as 500,000, as surely some of the same documents would share AD groups.

    b) A single library with 500,000 documents each with unique permissions will not work.  You should look into ways of splitting up the documents, either by many libraries or maybe many sites.  I would use your AD groups as a starting point and see if you can logically group documents by who needs to see them.

    Brandon Atkinson

    Tuesday, April 16, 2013 11:34 AM
  • Thank you for your answer.

    I was thinking the same thing, yet I read the :

    which looks like it contradicts the SP boundaries.


    Tuesday, April 16, 2013 11:53 AM
  • It depends.  Martin's solution is to use code to apply the security and he is talking about 10,000 items, not 500,000.  So there seem to be some ways to get around the limits, but you'll need to implement some custom code in order to use the AddToCurrentScopeOnly() method he is talking about.

    Brandon Atkinson

    Tuesday, April 16, 2013 12:32 PM
  • I think Martin's solution is to have 500 folders (with unique permissions) per list and inherited permissions for the files inside the folder.

    I didn't mention that the document will be somewhat like emails: with "from" (one AD group) and multiple "to" (AD groups). I'm thinking of:

    a) Create another content type (from list item) named "shortcut to document" that has the actual URL of the document.

    a) Create a list (named "from") for every AD group and store inside there the documents where ("from" == {that AD}). On those documents I put the unique permissions. Create more lists if the number of items for this AD/list > 1.000.

    b) Create a list (named "to") for every AD group and store there the new content type named "shortcut to document", for every document where ("to".Contains({this group})). No unique permissions.

    In that way, I can easily show the last documents that have been inserted and I can also make search queries in documents.


    Tuesday, April 16, 2013 1:39 PM
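
Added example, not part of any post in this thread: the replies suggest grouping documents by who needs to see them and giving folders, rather than files, the unique permissions. The Python below plans that layout offline, one folder per distinct set of reader groups, and compares the scope count with breaking inheritance on every document. It assumes each folder or document with broken inheritance counts as one security scope toward the per-list limit; the function names and the sample data are made up for illustration.

```python
from collections import defaultdict

HARD_SCOPE_LIMIT = 50_000  # per-list maximum quoted from TechNet in the thread
SOFT_SCOPE_LIMIT = 5_000   # point past which the thread expects a performance hit

def plan_scopes(doc_readers, scopes_per_library=SOFT_SCOPE_LIMIT):
    """Group documents by identical reader set and pack the sets into libraries.

    doc_readers maps a document name to the AD group ids allowed to read it.
    Returns (folders, libraries): folders maps each distinct reader set to its
    documents; libraries is a list of chunks of reader sets, one per library.
    """
    if not 0 < scopes_per_library <= HARD_SCOPE_LIMIT:
        raise ValueError("scope budget must be between 1 and the hard limit")
    folders = defaultdict(list)
    for doc, groups in doc_readers.items():
        readers = frozenset(groups)  # order and duplicates do not matter
        if not readers:
            # A document with no readers is a data error; fail rather than guess.
            raise ValueError(f"{doc} has no reader groups")
        folders[readers].append(doc)
    ordered = sorted(folders, key=sorted)  # stable order so the plan is repeatable
    libraries = [ordered[i:i + scopes_per_library]
                 for i in range(0, len(ordered), scopes_per_library)]
    return dict(folders), libraries

def summarize(doc_readers, scopes_per_library=SOFT_SCOPE_LIMIT):
    """Compare per-document scopes with per-folder scopes for the same ACLs."""
    folders, libraries = plan_scopes(doc_readers, scopes_per_library)
    return {
        "scopes_if_per_document": len(doc_readers),
        "scopes_if_per_folder": len(folders),
        "libraries_needed": len(libraries),
        "largest_folder": max((len(d) for d in folders.values()), default=0),
    }

# Constructed sample: the first two entries reuse the group lists from the
# question; the other names and group ids are made up for illustration.
SAMPLE = {
    "doc34232314.docx": [23, 312, 145],
    "doc2134531.doc": [67, 85, 99, 4, 100, 98, 32],
    "docA.docx": [145, 23, 312],   # same readers as the first, different order
    "docB.docx": [23, 312],        # a subset of readers is a different scope
    "docC.docx": [23, 312, 145],
}

if __name__ == "__main__":
    print(summarize(SAMPLE, scopes_per_library=2))
```

Run against a real export of document-to-group assignments, the `scopes_if_per_folder` figure shows whether the distinct reader sets fit within the limits quoted in the thread before any permissions are changed.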