Are you aware that SharePoint has a security scope limit of 50,000 items with unique SharePoint permissions? Yes, this limit exists, and it is applied per list or library since SharePoint 2010. What implications does this have for you and your SharePoint implementation? Let's find out and then discuss possible solutions and workarounds.
Why is there a limit on unique SharePoint permissions?
You can store up to 30 million items or files in a SharePoint list or library. But there is a limit on the number of unique SharePoint permissions you can set of 50,000 items per list or library. This limitation exists in SharePoint 2010 and all following versions. The limit can be lowered but not increased. However, there are actions you can take regarding it. Keep reading!
But first… why is there a limit and why is the limit a problem? There are two aspects to consider, although this is not that clear when you first look at the SharePoint documentation. The first aspect is that if you try to go over the 50,000 limit, SharePoint will raise you an error "You cannot break inheritance for this item because there are too many items with unique permissions in this list".
![error-too-many-items-solutions-workarounds-for-sharepoint-permission-limits](https://www.connecting-software.com/wp-content/uploads/2023/02/error-too-many-items-solutions-workarounds-for-sharepoint-permission-limits.webp)
The second aspect of this problem is the performance decrease. As the number of unique permissions in a list or library increases, you will notice SharePoint performance decreases… even if you are not close to the limit yet. This might happen from around 5,000 unique permissions, although that will depend on your specific SharePoint implementation.
Will this affect me?
This affects any SharePoint environment that massively uses unique items permissions. A common situation in which this happens, and the one we will cover in the rest of our article, is when you use SharePoint to store your Dynamics documents. Many sysadmins choose to combine SharePoint Online with Dynamics 365, because:
- Managing documents is more intuitive and has extra functionalities such as checking documents out and version history.
- Data storage is cheaper on the SharePoint side. Even if the standard SharePoint storage of 10 GB is not enough, extra storage is very reasonably priced at $0.20/month per GB extra.
The problem is that, despite the synchronization of documents between Dynamics and SharePoint being automatic, there is no automatic synchronization of permissions.
If you have a small structure and not that much sensitive data, you can consider doing this permissions sync manually using SharePoint's permissions management options. You would need to set up SharePoint folder permissions individually, that is why this is only an option if the structure is small. It is also important to note that SharePoint permissions levels do not have direct correspondence from Dynamics permission levels, so this is not as straightforward as you might hope. Do take that into consideration when you decide to manage SharePoint permissions yourself.
If your structure is not best described as small, the best option is to use an add-on such as CB Dynamics 365 to SharePoint Permission Replicator. The problem is that even if you use such a tool, if you have a large number of users (or even a not-so-large number of users but a large number of documents), you will be massively using unique items permissions, and you will reach the 50,000 limit… it is just a matter of when.
What does Microsoft say?
This limit is officially presented by Microsoft. It is referred to as a "Security scope" limit for lists and libraries. You can find this in the documentation for SharePoint 2010, SharePoint 2013, and SharePoint 2016 and 2019.
It is explicitly mentioned that "As the number of unique permissions in a list grows, query performance will degrade. Even though the default limit is 50,000 unique permissions, you might want to consider lowering this limit to 5,000 unique permissions.". Microsoft also indicates that "If you try to declare unique permissions after this limit has been reached, you will be blocked from doing so.".
What can I do?
Now let's talk about possible solutions and workarounds.
The first and most obvious option would be to reduce the number of documents. Unfortunately, this is not really an option for most organizations. Documents cannot simply disappear overnight.
The second option would be storing documents elsewhere. The problem with this option is that it either results in a loss of functionality (plus a loss of productivity as you will have to have your users change the way they do things) or in significant extra costs. Or both 😊
The third option is organizing your documents differently. The limit is set per list / library, so if you have more libraries you are less likely to hit the limit. The problem with this (why is there always a problem?) is that it is hard to do it manually. Moreover, you need your users to cooperate with you. Otherwise, you might end up with a library structure no one understands, and no one can keep up…
The good news is that if you have your documents coming from Dynamics this can be done automatically by using CB Dynamics 365 to SharePoint Permissions Replicator + the add-on SharePoint Structure Creator. SharePoint Structure Creator puts documents into different document libraries which are automatically created according to the rules you configure. The available options are:
• A document library per period (year, quarter, month, week, day, or custom)
• A document library per letter or letter set (based on the starting character(s) of the record name or the starting character(s) of the record ID)
• A document library per record
You can also create other combinations that best suit your organization by using simple LUA scripts.
The library creation is done using a privileged user that you set up during configuration. This means the end user does not need to have any special permissions in SharePoint.
After this simple (but powerful!) configuration is done, everything is automatic. The only thing your users will see is the library organization. Even the library organization is only visible if the users are in SharePoint. If they are inside Dynamics, they won't even see that. It will look to the user as a perfectly normal Dynamics document… and that's a good thing!
It is important to note that this solution is available both for self-hosted environments and through Microsoft Azure Deployment and that there is a wide array of supported systems:
• CRM 2011, CRM 2013, CRM 2015, CRM 2016, Dynamics 365, Dynamics 365 Online
• SharePoint 2013, SharePoint 2016, SharePoint 2019, SharePoint Online
The add-on communicates with both SharePoint and Dynamics using the Connect Bridge platform. This means it all goes via the REST API.
How do I get started with SharePoint Structure Creator?
The first thing you need is CB Dynamics 365 to SharePoint Permissions Replicator. You can get a free trial for it, which can be self-hosted or deployed on Azure. More information on deployment options is available here.
SharePoint Structure Creator is an add-on to CB Dynamics 365 to SharePoint Permissions Replicator. Simply add on the trial request form that you are interested in this add-on. This way you'll get all the relevant information on how to install the add-on.
You can have a look at the pricing information and then just follow the easy steps found in the online documentation.
Then you can rest assured that this is a problem you won't ever have to worry about again. Connecting Software ensures the forward compatibility of this solution, so even when you upgrade your infrastructure, you are still covered!
What else can I use SharePoint Structure Creator for?
SharePoint Structure Creator is an elegant solution for the unique permissions limit, but it can also be used just for organizational purposes.
If although the documents are coming from Dynamics, your users tend to go to the documents on the SharePoint side, it does help a lot to have a decent library structure… and one that you do not need to maintain yourself 😊
FAQ
1. How can I troubleshoot issues related to the 50,000 unique permission limit?
-
Check the SharePoint Health Analyzer: The SharePoint Health Analyzer can provide alerts if you're nearing the unique permission threshold.
-
Use PowerShell Scripts: Utilize PowerShell scripts to generate reports on items with unique permissions.
-
Review SharePoint Logs: Review the Unified Logging Service (ULS) logs to identify any related performance or permission issues.
-
Split Content: If you're close to the limit, consider reorganizing content into separate libraries or sites to distribute permissions more effectively.
2. How can I determine if I am approaching the 50,000 unique permission limit in my SharePoint environment?
You can determine this by using PowerShell to query your SharePoint environment. Here is a sample script to count the unique permissions:
# Connect to SharePoint site
$siteURL = "https://your-sharepoint-site-url"
# Credentials required: SharePoint administrator credentials
Connect-PnPOnline -Url $siteURL -UseWebLogin
# Get the count of unique permissions
$uniquePermissions = (Get-PnPList | ForEach-Object { $_.GetItems() }).Where({ $_.HasUniqueRoleAssignments }).Count
Write-Output "Number of items with unique permissions: $uniquePermissions"
This script will help you identify if you are getting close to the 50,000 limit.
3. What are the performance implications of having a large number of unique permissions?
Having a large number of unique permissions can negatively impact SharePoint performance. Specifically:
-
Slower Page Loads: Sites with many unique permissions can experience slower page load times.
-
Increased Complexity: It can make permission management more complex, which may lead to errors and further slowdowns.
-
Search Performance: It can impact the performance of SharePoint's search indexing, leading to slower or less efficient search results.
About the Author
![Ana Neto](https://www.connecting-software.com/wp-content/uploads/2022/09/Ana-Neto.jpg)
By Ana Neto, technical advisor at Connecting Software.
“I have been a software engineer since 1997, with a more recent love for writing and public speaking. Do you have any questions or comments about this article or about SharePoint Structure Creator? I would love to have your feedback!"
Is there more information online?
Here are some relevant blog articles on this topic:
This article was first published on 12-09-2019 and it was last updated on 25-11-2024
Comments 3
The MS limit for custom permissions is 5,000 not 50,000 as per MS documentation site:
https://docs.microsoft.com/en-us/office365/servicedescriptions/sharepoint-online-service-description/sharepoint-online-limits
Unique security scopes per list or library – 5,000. For large lists, design to have as few unique permissions as possible.
Author
Thank you for your relevant comment. 5,000 is, in fact, the limit for SharePoint Online. The limit mentioned in our article is for the on-premises version.
The documentation says 5000 the reality is, that it is still 50.000 possible.