Sladescross's Blog

Blogging about SharePoint-related stuff

Item Level Permissions Performance Problem

March 19, 2010

After breaking permission inheritance on an item, you can clear out the permissions copied from the parent by calling the BreakRoleInheritance function in the SharePoint API with its CopyRoleAssignments flag set to false. However, the API does not do a mass delete of the permissions; instead, it iterates through the permission list, deleting them one by one. For example, if you have 5000 folders, it will need to delete 5000 permissions, one by one, in your new item’s access control list.

That’s because each customer needs a “limited access” permission to the top-level library, which tells SharePoint that the user has permission to something at a lower level (i.e., a document or a folder). In the single-library-multiple-folder strategy, each new customer would have “limited access” permission to the top-level library, and each new item would automatically copy down those limited access permissions from the library when the item was created. If you do the math, 4000 items * 4000 limited-access permissions per item equals 16 million unnecessary limited access permissions!

With that background under your belt, follow this process to solve the item-level permissions problem:

A. Create your new document library and elect to copy and then stop inheriting permissions from the parent site. Because you’re going to handle security at the folder level, that will work fine.
B. Clear out the permissions in your new library, which will have inherited permissions from its parent site. You can do this manually or by calling the BreakRoleInheritance API function. Either way, this operation might be a little slow if you have a lot of permissions set at the site level.
C. Create a new folder in your library called BlankFolder and break its permissions. Because you’ve already cleared the library’s permissions, the new BlankFolder folder should now have zero permissions.
D. In your import process, create a new folder within BlankFolder, called BlankFolder2, and break its permissions. Then use the MoveTo function in the API to move the new folder to the base level of your library. Finally, rename it to something descriptive (a customer ID works well for this example).

SPFolder blankFolder;
// either get or create a blank folder
blankFolder = workingFolder.SubFolders[
catch (ArgumentException) // if blankfolder2 does not exist…
blankFolder = workingFolder.SubFolders[
//Now move the new folder to the base level of the
//doc library and rename it
SPList tmpList = ParentWeb.Lists[
blankFolder.MoveTo(_sharePointLibrary + "\\" +
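
Steps C and D as one routine for the SharePoint server object model, with a check that the folder really has no role assignments before it is moved. This is an added example, not the blog's original listing, which is cut off above; the class, method and parameter names, the true passed to BreakRoleInheritance, and the customer ID validation are assumptions of the example.

```csharp
using System;
using Microsoft.SharePoint;

public static class CustomerFolderProvisioner
{
    // Folder names taken from steps C and D of the page.
    const string TemplateName = "BlankFolder";
    const string ScratchName = "BlankFolder2";

    // Returns the new customer folder, which starts with no role assignments.
    // web, library and customerId are supplied by the caller (assumed names).
    public static SPFolder CreateCustomerFolder(SPWeb web, SPList library, string customerId)
    {
        // A customer ID becomes a URL segment, so refuse anything that could
        // change where the folder lands.
        if (string.IsNullOrEmpty(customerId) || customerId.Contains("..") ||
            customerId.IndexOfAny(new[] { '/', '\\' }) >= 0)
            throw new ArgumentException("Unsafe folder name", "customerId");

        string rootUrl = library.RootFolder.Url; // site-relative library URL

        // Step C: get or create BlankFolder and give it its own permissions.
        // The library was cleared in step B, so nothing is copied down.
        SPFolder template = web.GetFolder(rootUrl + "/" + TemplateName);
        if (!template.Exists)
            template = library.RootFolder.SubFolders.Add(TemplateName);
        if (!template.Item.HasUniqueRoleAssignments)
            template.Item.BreakRoleInheritance(true);

        // Step D: create BlankFolder2 inside BlankFolder and break inheritance,
        // copying BlankFolder's (empty) assignments. Passing true is this
        // example's assumption; the page does not state the flag value here.
        SPFolder scratch = template.SubFolders.Add(ScratchName);
        scratch.Item.BreakRoleInheritance(true);

        // The page expects zero permissions at this point. Stop rather than
        // publish a folder that carries assignments nobody intended.
        int count = scratch.Item.RoleAssignments.Count;
        if (count != 0)
            throw new InvalidOperationException(
                "Expected an empty ACL, found " + count + " role assignments");

        // Move to the base level of the library, renaming to the customer ID.
        string destination = rootUrl + "/" + customerId;
        scratch.MoveTo(destination);
        return web.GetFolder(destination);
    }
}
```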
