
Solutions and Workarounds for SharePoint Permission Limits

Ana Neto, Technical

Are you aware that SharePoint has a security scope limit of 50,000 items with unique SharePoint permissions? Yes, this limit exists, and it is applied per list or library since SharePoint 2010. What implications does this have for you and your SharePoint implementation?

Let's find out and then discuss possible solutions and workarounds.

Why is there a limit on unique SharePoint permissions?

You can store up to 30 million items or files in a SharePoint list or library. But there is a limit of 50,000 items with unique SharePoint permissions per list or library. This limitation exists in SharePoint 2010 and all following versions. The limit can be lowered but not increased. However, there are actions you can take regarding it. Keep reading!

But first… why is there a limit and why is the limit a problem? When looking at the SharePoint documentation, there are two important aspects to consider regarding unique permissions.

First, if you attempt to exceed the limit of 50,000 unique permissions, SharePoint will display an error message, which might vary depending on the version and the operation. You might see "You cannot break inheritance for this item because there are too many items with unique permissions in this list." or "The operation to break role inheritance failed because there are too many items in the folder."


Second, even before reaching this limit, you might experience a decrease in performance as the number of unique permissions in a list or library increases. Microsoft itself confirms that this degradation may start to arise at around 5,000 unique permissions and recommends you stay under this limit.

Will this affect me?

This affects any SharePoint environment that massively uses unique item permissions. A common situation in which this happens, and the one we will cover in the rest of our article, is when you use SharePoint to store your Dynamics documents. Many sysadmins choose to combine SharePoint Online with Dynamics 365, because:

  • Managing documents is more intuitive and has extra functionalities such as checking documents out and version history.
  • Data storage is cheaper on the SharePoint side. Even if the standard SharePoint storage of 10 GB is not enough, extra storage is very reasonably priced at $0.20/month per GB extra.

The problem is that, despite the synchronization of documents between Dynamics and SharePoint being automatic, there is no automatic synchronization of permissions.

If you have a small structure and not that much sensitive data, you can consider doing this permissions sync manually using SharePoint's permissions management options. You would need to set up SharePoint folder permissions individually. That is why this is only an option if the structure is small. Even so, the maintenance effort should not be overlooked.

It is also important to note that SharePoint permissions levels do not have direct correspondence to Dynamics permission levels, so even a small-scale manual sync is not as straightforward as you might hope. Do take that into consideration when you decide to manage SharePoint permissions yourself.

If your structure is not best described as small, the best option is to use a solution such as CB Dynamics 365 to SharePoint Permission Replicator. The problem is that even if you use such a tool, if you have a large number of users (or even a not-so-large number of users but a large number of documents), you will be making massive use of unique item permissions, and you will reach the 50,000 limit… it is just a matter of when.

What does Microsoft say?

This limit is officially presented by Microsoft. It is referred to as a "Security scope" limit for lists and libraries. You can find this in the documentation for SharePoint 2010, SharePoint 2013, SharePoint 2016 and 2019, and SharePoint for Microsoft 365.

It is explicitly mentioned that "As the number of unique permissions in a list grows, query performance will degrade. Even though the default limit is 50,000 unique permissions, you might want to consider lowering this limit to 5,000 unique permissions." or "The supported limit of unique permissions for items in a list or library is 50,000. However, the recommended general limit is 5,000." Microsoft also indicates that "If you try to declare unique permissions after this limit has been reached, you will be blocked from doing so."

What can I do?

Let's discuss potential solutions and alternatives. The most apparent option would be to decrease the number of documents. However, this is not feasible for most organizations, as documents cannot simply vanish overnight.

The second option would be storing documents elsewhere. The problem with this option is that it either results in a loss of functionality (plus a loss of productivity, as you will have to have your users change the way they do things) or in high extra costs. Or both 😊

The third option is to organize your documents in a different way. The limit is set for each list or library, so having multiple libraries can help you avoid reaching that limit. The problem with this (why is there always a problem?) is that it is hard to do it manually. Moreover, you need your users to cooperate with you. Otherwise, you might end up with a library structure no one understands, and no one can keep up…

The good news is that if you have your documents coming from Dynamics, this can be done automatically by using SharePoint Structure Creator. SharePoint Structure Creator puts documents into different document libraries, which are automatically created according to the rules you configure. The available options are:

  • A document library per period (year, quarter, month, week, day, or custom)
  • A document library per letter or letter set (based on the starting character(s) of the record name or the starting character(s) of the record ID)
  • A document library per record
  • Other combinations that best suit your organization, set up by using simple Lua scripts.

The library creation is done using a privileged user that you set up during configuration. This means the end user does not need to have any special permissions in SharePoint.

After this simple (but powerful!) configuration is done, everything is automatic.

From an end-user perspective, the only difference is the library organization (and even that, only from within SharePoint). If they are inside Dynamics, they won't notice any difference. It will look to the user as a perfectly normal Dynamics document… and that's a good thing!

It is important to note that this solution is available both for self-hosted environments and through Microsoft Azure Deployment, and that there is a wide array of supported systems:

  • Dynamics CRM 2013, 2015, 2016, and Dynamics 365 Customer Engagement (including Dynamics 365 Sales, Dynamics 365 Customer Service, Dynamics 365 Field Service)
  • SharePoint 2013, 2016, 2019, SharePoint Online, and SharePoint for Microsoft 365

The add-on communicates with both SharePoint and Dynamics using the Connect Bridge platform. This means it all goes via the REST API. This solution is also compatible with custom Dataverse solutions you might have in your environment.

How do I get started with SharePoint Structure Creator?

First, you need to decide whether you will install it together with CB Dynamics 365 to SharePoint Permissions Replicator or not. I recommend that you book a personalized demo, as our technical team can then help you evaluate whether you need it or not. If you prefer to evaluate the tool on your own, you can get a free trial for Permissions Replicator, either self-hosted or deployed on Azure, and more information on deployment options is available here.

SharePoint Structure Creator has its own trial available, both a SaaS trial and a self-hosted trial. You can also have a look at the pricing information and then just follow the easy steps found in the online documentation.

Then you can rest assured that this is a problem you won't ever have to worry about again. Connecting Software ensures the forward compatibility of this solution, so even when you upgrade your infrastructure, you are still covered!

What else can I use SharePoint Structure Creator for?

SharePoint Structure Creator is an elegant solution for the unique permissions limit, but it can also be used just for organizational purposes.

If your users tend to go to the documents on the SharePoint side, even though the documents are coming from Dynamics, it does help a lot to have a decent library structure… and one that you do not need to maintain yourself 😊

    FAQ

    1. How can I troubleshoot issues related to the 50,000 unique permission limit?

    • Check the SharePoint Health Analyzer: The SharePoint Health Analyzer can provide alerts if you're nearing the unique permission threshold.

    • Use PowerShell Scripts: Utilize PowerShell scripts to generate reports on items with unique permissions.

    • Review SharePoint Logs: Review the Unified Logging Service (ULS) logs to identify any related performance or permission issues.

    • Split Content: If you're close to the limit, consider reorganizing content into separate libraries or sites to distribute permissions more effectively.

    2. How can I determine if I am approaching the 50,000 unique permission limit in my SharePoint environment?

    You can determine this by using PowerShell to query your SharePoint environment. Here is a sample script to count the unique permissions:

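    # Connect to SharePoint site
    $siteURL = "https://your-sharepoint-site-url"
    # Credentials required: SharePoint administrator credentials
    Connect-PnPOnline -Url $siteURL -UseWebLogin

    # Get the count of unique permissions across all lists and libraries in the site
    $uniquePermissions = 0
    foreach ($list in Get-PnPList) {
        foreach ($item in (Get-PnPListItem -List $list -PageSize 2000)) {
            # HasUniqueRoleAssignments is not loaded by default, so request it explicitly
            if (Get-PnPProperty -ClientObject $item -Property HasUniqueRoleAssignments) { $uniquePermissions++ }
        }
    }
    Write-Output "Number of items with unique permissions: $uniquePermissions"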

    This script will help you identify if you are getting close to the 50,000 limit.

    3. What are the performance implications of having a large number of unique permissions?

    Having a large number of unique permissions can negatively impact SharePoint performance. Specifically:

    • Slower Page Loads: Sites with many unique permissions can experience slower page load times.

    • Increased Complexity: It can make permission management more complex, which may lead to errors and further slowdowns.

    • Search Performance: It can impact the performance of SharePoint's search indexing, leading to slower or less efficient search results.
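
Because the limit applies per list or library, a per-library breakdown against the 5,000 recommended and 50,000 supported figures tells you more than one site-wide total from the script in FAQ question 2. The following is an added example, not code from the original article or from Connecting Software; the function names, status labels and sample counts are assumptions made up for illustration.

```powershell
# Added example. Thresholds are the two figures quoted in the article.
$RecommendedLimit = 5000     # recommended general limit
$SupportedLimit   = 50000    # supported limit; breaking inheritance is blocked once reached

# Hypothetical helper: classify one library's count of uniquely permissioned items.
function Get-ScopeStatus {
    param([int]$UniqueCount)
    if ($UniqueCount -ge $SupportedLimit)   { return 'AtLimit' }
    if ($UniqueCount -ge $RecommendedLimit) { return 'AboveRecommended' }
    return 'OK'
}

# Hypothetical helper: one result row per visible list or library.
# Requires an existing Connect-PnPOnline session.
function Get-UniquePermissionReport {
    foreach ($list in (Get-PnPList | Where-Object { -not $_.Hidden })) {
        $count = 0
        # Folders come back as list items too, so they are included in the count.
        foreach ($item in (Get-PnPListItem -List $list -PageSize 2000)) {
            # One request per item: slow on large libraries, but the property
            # is not loaded by default and has to be requested explicitly.
            if (Get-PnPProperty -ClientObject $item -Property HasUniqueRoleAssignments) {
                $count++
            }
        }
        [pscustomobject]@{
            Library        = $list.Title
            UniqueItems    = $count
            PercentOfLimit = [math]::Round(100 * $count / $SupportedLimit, 1)
            Status         = Get-ScopeStatus -UniqueCount $count
        }
    }
}

# Offline check of the classification with constructed counts (not real data).
$constructed = [ordered]@{ 'Invoices 2023' = 1200; 'Contracts' = 7300; 'Accounts' = 50000 }
foreach ($name in $constructed.Keys) {
    '{0,-14} {1,6}  {2}' -f $name, $constructed[$name], (Get-ScopeStatus $constructed[$name])
}

# Live use, once connected to the site:
# Get-UniquePermissionReport | Sort-Object UniqueItems -Descending | Format-Table -AutoSize
```

Libraries reported as AboveRecommended are the candidates for the reorganization into separate libraries described in the article.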


    About the Author


    By Ana Neto, technical advisor at Connecting Software.

    "I have been a software engineer since 1997, with a more recent love for writing and public speaking. Do you have any questions or comments about this article? I would love to have your feedback, leave a comment below!"



    This article was first published on 12-09-2019 and it was last updated on 25-11-2024

    Comments 3

    1. Steve Palmo
    2. Ana Neto (Post Author)

      Thank you for your relevant comment. 5,000 is, in fact, the limit for SharePoint Online. The limit mentioned in our article is for the on-premises version.

    3. Thomas Berndorfer
