Microsoft has long used the same “object oriented” approach to security within its various “object namespaces”. SharePoint is no different.
A… what is an “object namespace” you ask?
The Microsoft platform of integrated applications has layers. Each layer is an “object namespace”. For example, starting at the following diagram illustrates the concept.
Microsoft Object Namespace Stack
Each layer is like a database. In fact, my long held view has been that the Microsoft platform of integrated applications is nothing but a whole bunch of interrelated databases, each with its own set of objects. Let’s take a simple one like the File System. The File System has three main “objects”
Volumes Folders FilesEach of the above namespace objects has its own Access Control List (ACL) containing individual Access Control Entries (ACE) that determine who can do what with and to an object, like a Volume, Folder, or File.
The second thing to understand is how a Microsoft Operating System processes an application like SharePoint’s request for given a user access to an object within its own object namespace. Granting or denying access to an object is a two part process:
the Operating System does one initial pass to compare the user’s Security Access Token IDs (User and Group) against the Objects Access Control List entries and extracts all of the matches to create a temporaryaccess table which may or may not grant access it then does a second pass to validate and verify that the user can do what they want to dowith the object in question (ie: librarydocument or list item)What do you think happens when the object’s Access Control List is full of hundreds or thousands of Access Control Entries? It slows the validation and verification process down. And the larger the Access Control List the longer that process takes.
So how does this relate to the SharePoint object namespace?
Remember that every SharePoint namespace object, including Site Collections, Sites, Libraries, Lists, Documents, and Items, each have their own individual Access Control List. If you start using Unique Permissions (non inherited Access Control Entries)on these objects over time the Access Control List gets verylarge with many entries because no one ever removes the old ones. Gradually over time it takes longer and longer and longer to access these objects because of the two phase process for object access validation and verification.
The Best Practice, not just with SharePoint but with all Microsoft Object Namespaces, is to keep the Access Control List assmall as possible so that the access validation and verification process is as fast as possible. In Article 2 I will demonstrate how to achieve this Microsoft recommended best practice.
image sources
Microsoft Object Namespace Stack: Arnold Villeneuve