Permissions and performance
We have a solution based on SharePoint were we have around 4000 items on 2 lists. Each item has unique permissions. There are about 300
users in the system, to each item 6-7 users and 6 SharePoint groups have the permissions assigned (read permissions). Unfortunately, when we have assigned the permissions, we did not delete all the “Limited access” settings that were inherited
from the list (around 300 entries). We started to have severe performance problems – each list query took about 1,5 second. Since we are doing some calculations and item modifications, we have a lot of list queries in our code. When we took a look at
the SQL queries we saw that there are around 750 thousand role assignments on each list, which in our opinion are causing such long query times. We have turned on permission inheritance on all items, but that did not help – the number of role assignments
did not drop.
Has anyone ancountered a similiar issue and knows what can cause this behavior?
April 29th, 2010 4:25pm
Complex and/or granular security might not be the only cause for the performance issue. Other factors include the hardware, network, active directory, number of items in a view, etc. Has the same list been tried on the same environment without security?
Free Windows Admin Tool Kit Click here and download it now
April 30th, 2010 3:36am
Here is an article on SharePoint ACL hard limits and best practice which I think you may have already read:
http://weblogs.asp.net/erobillard/archive/2008/09/11/sharepoint-security-hard-limits-and-recommended-practices.aspx
The recommended practice which is relevant to your case includes:
·
If many securable objects share the same ACL, then group them into a container with that ACL.
·
The more ACLs you create, the more ACLs you have to manage
Since your AS-IS situation is that you had setup fine-grained permission (Each item has unique permissions)
which is not recommended, It may cause performance issue as you are experiencing.
Here I found an article on security data model:
http://kjellsj.blogspot.com/2008/10/sharepoint-acls-roledefinitions.html
;
And searching with keywords “alluserdata acl” in MSDN
http://social.msdn.microsoft.com/Search/en-US?query=alluserdata%20acl&ac=8
, I get this: http://msdn.microsoft.com/en-us/library/dd340769(PROT.13).aspx
. It says the ACL is stored as image type in database.
That’s all I have found so far. Could you please share with us more of your finding with database performance measuring tools to get the
long running query in T-SQL or Blocking detected?
Gu Yuming
TechNet Subscriber Support
in forum
If you have any feedback on our support, please contact
tngfb@microsoft.com
April 30th, 2010 7:43am
Hi spq,
resetting will increase the number of entries in the roleassignments list if you had removed the limmited access permissions from the items when they had their own assignments. If you turn inheritance back on the roleassignments for the listitems will
inherrit all the entries with limited asscess from the parent list since they are not deleted when inheritance is reactivated.
If you want to reduce the number of entries in that list you would have to remove all permissions from the list and rebuild them because by deleting an entry and adding it back you remove the limited access permission for that user or grop which was
there because of the broken inheritance.
best regards
MOSS_Test_Dummy
Free Windows Admin Tool Kit Click here and download it now
April 30th, 2010 8:53am