Are you aware that SharePoint has a security scope limit of 50,000 items with unique SharePoint permissions? Yes, this limit exists, and it has applied per list or library since SharePoint 2010. What implications does this have for you and your SharePoint implementation? Let's find out and then discuss possible solutions and workarounds.
What is this? Why is there a limit on unique SharePoint permissions?
You can store up to 30 million items or files in a SharePoint list or library. But the number of items that can have unique SharePoint permissions is limited to 50,000 per list or library. This limitation exists in SharePoint 2010 and all following versions. The limit can be lowered but not increased. However, there are things you can do about it… keep on reading!
But first… why is there a limit, and why is the limit a problem? There are two aspects to consider, although this is not that clear when you first look at the SharePoint documentation. The first aspect is that if you try to go over the 50,000 limit, SharePoint will raise the error "You cannot break inheritance for this item because there are too many items with unique permissions in this list".
The second aspect of this problem is the performance decrease. As the number of unique permissions in a list or library increases, you will notice SharePoint performance decreases… even if you are not close to the limit yet. This might happen from around 5,000 unique permissions, although that will depend on your specific SharePoint implementation.
Will this affect me?
This affects any SharePoint environment that makes heavy use of unique item permissions. A common situation in which this happens, and the one we will cover in the rest of this article, is when you use SharePoint to store your Dynamics documents. Many sysadmins choose to combine SharePoint Online with Dynamics 365, because:
• Managing documents is more intuitive and has extra functionalities such as checking documents out and version history.
• Data storage is cheaper on the SharePoint side. Even if the standard SharePoint storage of 10 GB is not enough, extra storage is very reasonably priced at $0.20/month per GB extra.
The problem is that, despite the synchronization of documents between Dynamics and SharePoint being automatic, there is no automatic synchronization of permissions.
If you have a small structure and not much sensitive data, you can consider doing this permissions sync manually using SharePoint's permissions management options. You would need to set up SharePoint folder permissions individually, which is why this is only an option if the structure is small. It is also important to note that SharePoint permission levels do not correspond directly to Dynamics permission levels, so this is not as straightforward as you might hope. Do take that into consideration when you decide to manage SharePoint permissions yourself.
If your structure is not best described as small, the best option is to use an add-on such as CB Permissions Replicator. The problem is that even if you use such a tool, if you have a large number of users (or even a not so large number of users but a large number of documents), you will be making heavy use of unique item permissions and you will reach the 50,000 limit… it is just a matter of when.
What does Microsoft say?
This limit is officially presented by Microsoft. It is referred to as a "Security scope" limit for lists and libraries. You can find this in the documentation for SharePoint 2010, SharePoint 2013 and SharePoint 2016 and 2019.
It is explicitly mentioned that "As the number of unique permissions in a list grows, query performance will degrade. Even though the default limit is 50,000 unique permissions, you might want to consider lowering this limit to 5,000 unique permissions." Microsoft also indicates that "If you try to declare unique permissions after this limit has been reached, you will be blocked from doing so."
What can I do?
Now let's talk about possible solutions and workarounds.
The first and most obvious option would be to reduce the number of documents. Unfortunately, this is not really an option for most organizations. Documents cannot simply disappear overnight.
The second option would be storing documents elsewhere. The problem with this option is that it either results in a loss of functionality (plus a loss of productivity as you will have to have your users change the way they do things) or in significant extra costs. Or both 😊
The third option is organizing your documents differently. The limit is set per list / library, so if you have more libraries you are less likely to hit the limit. The problem with this (why is there always a problem?) is that it is hard to do it manually. Moreover, you need your users to cooperate with you. Otherwise, you might end up with a library structure no one understands, and no one can keep up…
The good news is that if you have your documents coming from Dynamics this can be done automatically by using CB Permissions Replicator + the add-on SharePoint Structure Creator. SharePoint Structure Creator puts documents into different document libraries which are automatically created according to the rules you configure. The available options are:
• A document library per period (year, quarter, month, week, day or custom)
• A document library per letter or letter set (based on starting character(s) of the record name or the starting character(s) of the record ID)
• A document library per record
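To see how each splitting rule changes the number of unique-permission items per library, here is a small planning sketch. It is an added example, not code from CB Permissions Replicator or SharePoint Structure Creator; the `Docs-…` library names, the letter sets and the sample data are assumptions, and the two thresholds are the 50,000 and 5,000 figures quoted in this article.

```python
from collections import Counter
from datetime import date

HARD_LIMIT = 50_000  # per-list limit quoted in the article
SOFT_LIMIT = 5_000   # level at which the article says performance may degrade

def library_for(doc, rule, letter_sets=("A-F", "G-L", "M-R", "S-Z")):
    """Return the hypothetical library name a document is routed to."""
    created, record = doc["created"], doc["record"]
    if rule == "single":   # baseline: everything in one library
        return "Documents"
    if rule == "year":
        return f"Docs-{created.year}"
    if rule == "quarter":
        return f"Docs-{created.year}-Q{(created.month - 1) // 3 + 1}"
    if rule == "month":
        return f"Docs-{created.year}-{created.month:02d}"
    if rule == "letter":
        first = record[:1].upper()
        for letters in letter_sets:
            low, high = letters.split("-")
            if low <= first <= high:
                return f"Docs-{letters}"
        return "Docs-Other"  # digits, punctuation, empty names
    if rule == "record":
        return f"Docs-{record}"
    raise ValueError(f"unknown rule: {rule}")

def scope_report(docs, rule):
    """Count unique-permission items per library and classify each library."""
    counts = Counter(library_for(d, rule) for d in docs if d["unique_perms"])
    def status(n):
        return "over_limit" if n > HARD_LIMIT else "degraded" if n > SOFT_LIMIT else "ok"
    return {lib: (n, status(n)) for lib, n in sorted(counts.items())}

def sample_docs():
    """Constructed data: 60,000 documents, 2,500 per month over 2023-2024."""
    names = ["Acme", "Globex", "Initech", "Umbrella", "9Lives"]
    docs = []
    for i in range(60_000):
        m = i // 2_500  # month index 0..23
        docs.append({"record": names[i % 5], "unique_perms": True,
                     "created": date(2023 + m // 12, m % 12 + 1, 1)})
    return docs

if __name__ == "__main__":
    for rule in ("single", "year", "month", "letter"):
        print(rule, scope_report(sample_docs(), rule))
```

With this constructed data, a single library exceeds the hard limit, yearly libraries stay under it but above the 5,000 mark, and monthly libraries stay below both.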
The library creation is done using a privileged user that you set up during configuration. This means the end user does not need to have any special permissions in SharePoint.
After this simple (but powerful!) configuration is done, everything is automatic. The only thing your users will see is the library organization. Even the library organization is only visible if the users are in SharePoint. If they are inside Dynamics, they won't even see that. It will look to the user as a perfectly normal Dynamics document… and that's a good thing!
It is important to note that this solution is available both for self-hosted environments and through Microsoft Azure Deployment and that there is a wide array of supported systems:
• CRM 2011, CRM 2013, CRM 2015, CRM 2016, Dynamics 365, Dynamics 365 Online
• SharePoint 2013, SharePoint 2016, SharePoint 2019, SharePoint Online
The add-on communicates with both SharePoint and Dynamics using the Connect Bridge platform. This means it all goes via the REST API.
How do I get started with SharePoint Structure Creator?
The first thing you need is CB Permissions Replicator. You can get a free trial for it, which can be self-hosted or deployed on Azure. More information on deployment options is available here.
SharePoint Structure Creator is an add-on to CB Permissions Replicator. Simply indicate on the trial request form that you are interested in this add-on. This way you'll get all the relevant information on how to install the add-on.
You can have a look at the pricing information and then just follow the easy steps found in the online documentation.
Then you can rest assured that this is a problem you won't ever have to worry about again. Connecting Software ensures the forward compatibility of this solution, so even when you upgrade your infrastructure, you are still covered!
What else can I use SharePoint Structure Creator for?
SharePoint Structure Creator is an elegant solution for the unique permissions limit, but it can also be used just for organization purposes.
If your users tend to go to the documents on the SharePoint side, even though the documents are coming from Dynamics, it does help a lot to have a decent library structure… and one that you do not need to maintain yourself 😊
Comments 3
The MS limit for custom permissions is 5,000 not 50,000 as per MS documentation site:
https://docs.microsoft.com/en-us/office365/servicedescriptions/sharepoint-online-service-description/sharepoint-online-limits
Unique security scopes per list or library – 5,000. For large lists, design to have as few unique permissions as possible.
Author
Thank you for your relevant comment. 5,000 is, in fact, the limit for SharePoint Online. The limit mentioned in our article is for the on-premises version.
The documentation says 5000; the reality is that 50.000 is still possible.