Differences between Item Level Permissions and Item Level Security?
https://sharepoint.stackexchange.com/questions/173845
-
08-10-2020 - |
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianPergunta
The term Permissions is used in multiple places, with different meanings
Item Level Permissions:
Set in: List Settings -> Advanced settings:
(note: you CAN set this for Libraries, not through the UI, only with code)
Item Level Security
In many blogs (like this one) this IS called Item Level PERMISSIONS
Set in: List Settinngs -> Permissions for this List
- Break Role Inheritance on a List/Library
- Assign (custom) Permission Profile
documentated limitations (Item Level SECURITY):
(march 2013) Software Boundaries and Limits: Unique Permissions
(october 2015)Thresholds and Metadata
From Office Support:
Question
With List Settings->Advanced Settings->Item-Level Permissions you do NOT BREAK inheritance of permissions
Does using these Item Level Permissions have influence on the 50,000 threshold?
does this setting (ILPermission, not ILSecurity) create a "Security Scope"?
https://technet.microsoft.com/en-us/library/cc262787.aspx?f=255&MSPPError=-2147217396
says:
The maximum number of unique security scopes set for a list cannot exceed 50,000. For most farms, we recommend that you consider lowering this limit to 5,000 unique scopes. For large lists, consider using a design that uses as few unique permissions as possible. When the number of unique security scopes for a list exceeds the value of the list view threshold (set by default at 5,000 list items), additional SQL Server round trips take place when the list is viewed, which can adversely affect list view performance. A scope is the security boundary for a securable object and any of its children that do not have a separate security boundary defined. A scope contains an Access Control List (ACL), but unlike NTFS ACLs, a scope can include security principals that are specific to SharePoint Server 2013. The members of an ACL for a scope can include Windows users, user accounts other than Windows users (such as forms-based accounts), Active Directory groups, or SharePoint groups.
In my understanding
ILP is just like a View with a [Me] filter, the setting only ensures queries by a user (other then the Owner of the List) can never get/set other then his own Items.
The Item itself is not secured (the Note "Users with Cancel Checkout permissions can read and edit all item" is a clear indication)
The List (and not the Item) IS the Security Scope.
Since it its a similar concept like the [Me] filter I would assume it has nothing to do with Security or Threshold values.
Solução
I'm not quite sure about your understanding. So i make a test scenario
For 2nd question, I assume "Security Scope" means record in table "Perms" of content database. I've studied SharePoint content database in long time so I'm sure each broken permission (item, web, list, etc.) corresponds with 1 record in "Perms" table. And the number of records in "Perms" table isn't changed when I change List Settings -> Advanced settings -> Item-level Permissions settings.
For 1st question, based on answer of 2nd question, I think List Settings -> Advanced settings -> Item-level Permissions settings does NOT have any impact to Unique Item Permission threshold. But for sure, I have created 50,000 items in one list and broke permission for all of them. After that, i created 1 more item and I saw that List Settings -> Advanced settings -> Item-level Permissions settings does not depend to "50001st item cannot be broken permission". The exception message is "You cannot break inheritance for this item because there are too many items with unique permissions in this list.".
I agree with you about List Settings -> Advanced settings -> Item-level Permissions settings, it's only list setting.
