Solve Item-Level Permission Performance Problems in SharePoint

The Solution

Follow this process to solve the item-level permissions problem:

1. Create your new document library and elect to copy and then stop inheriting permissions from the parent site (see Figure 1). Because you're going to handle security at the folder level, that will work fine.



Figure 1. Breaking Permissions: Here's how you break permissions (stop inheriting parent permissions) on a document library.


2. Clear out the permissions in your new library, which will have inherited permissions from its parent site. You can do this manually or by calling the BreakRoleInheritance API function. Either way, this operation might be a little slow if you have a lot of permissions set at the site level.
3. Create a new folder in your library called BlankFolder and break its permissions as shown in Figure 1. Because you've already cleared the library's permissions, the new BlankFolder folder should now have zero permissions.
4. In your import process, create a new folder within BlankFolder, called BlankFolder2 and break its permissions. Then use the MoveTo function in the API to move the new folder to the base level of your library. Finally, rename it to something descriptive (a customer ID works well for this example).

The code should look something like this:

SPFolder blankFolder;
// either get or create a blank folder
try
{
   blankFolder = workingFolder.SubFolders[
      "BlankFolder"].SubFolders["BlankFolder2"];
}
catch (ArgumentException) // if blankfolder2 does not exist…
{
   blankFolder = workingFolder.SubFolders[
      "BlankFolder"].SubFolders.Add("BlankFolder2");
   blankFolder.Item.BreakRoleInheritance(true);
   blankFolder.Update();
}
//Now move the new folder to the base level of the 
//doc library and rename it
SPList tmpList = ParentWeb.Lists[
   rootFolder.ContainingDocumentLibrary];
blankFolder.MoveTo(_sharePointLibrary + "\\" + 
   subFolderName);
tmpList.Update();

5. Grant permission to this new folder to the appropriate customer. Keep in mind this will automatically add a "limited access" permission for the customer to the document library's access control list, because the customer needs access to something at a lower level in the library (the new folder). That's why you needed the top-level BlankFolder with zero permissions from step 3—it acts as the parent for new folders, ensuring that SharePoint doesn't have to copy all the limited-access permissions from the top level library, only the permissions from BlankFolder.

Here's some example code that assigns permissions to a new folder:

SPRoleAssignment assgn = new SPRoleAssignment(
   groupName, null, groupName, null);
assgn.RoleDefinitionBindings.Add(roleDef);
item.RoleAssignments.Add(assgn);
item.Update();

That should do it! Your users should be able to access the documents without performance issues, and the import process should work at an acceptable speed as well.

As you've seen, creating item-level permissions in SharePoint can be tricky, but if you're careful, they can be an effective tool for meeting business requirements. The trick described in this article is a good one to keep in your back pocket in case you ever need it!