* Break permission inheritance as infrequently as possible.
* Use groups based on folder membership to assign permissions. Do not use SharePoint groups to assign permissions to sites. When a SharePoint group is used to assign permissions, a full crawl of the index occurs. Instead, we recommend adding Active Directory Domain Services (AD DS) groups.
* Assign permissions at the highest possible level. As part of this strategy, consider the following techniques:
- Put documents that require unique permissions in document libraries that are defined to support those permissions.
- Use different document publish levels to control access. Before a document is published, the advanced permissions and versioning settings can be set for users who can only approve items in the document library.
- For non-document libraries (lists), use the ReadSecurity and WriteSecurity permission levels. When a list is created, the owners can set the item-level permissions to either Read access or Create and Edit access.
* Ensure that you do not have too many items at the same level of hierarchy in the document libraries, because the time that is required to process items in the views increases.
* There is a built-in limit of 50,000 scopes (unique permissions) per list or document library. After 50,000 scopes are reached, adding new scopes to that list or document library is prohibited.
* Only set unique scopes on parent objects such as folders.
* Do not create a system with many uniquely-permissioned objects below an object that has many scopes.
* If your business requires more than 50,000 uniquely permissioned items in a list or document library, then you must move some items to a different list or document library.
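
To check a library against the scope guidance above, the following added example (not part of the original guidance or of any Microsoft tooling) counts uniquely permissioned folders and items in one list and reports how close the list is to the 50,000-scope limit. It assumes a SharePoint Server farm server with the `Microsoft.SharePoint.PowerShell` snap-in and PowerShell 3.0 or later; the function name `Get-UniqueScopeReport`, the 80% warning threshold and the sample URL are assumptions made for illustration.

```powershell
# Added example; run on a SharePoint Server farm server.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-UniqueScopeReport {            # hypothetical helper name
    param(
        [Parameter(Mandatory=$true)][string]$WebUrl,
        [Parameter(Mandatory=$true)][string]$ListTitle,
        [int]$ScopeLimit  = 50000,          # per-list limit stated above
        [int]$WarnPercent = 80              # assumed warning threshold
    )
    $web = Get-SPWeb -Identity $WebUrl
    try {
        $list = $web.Lists.TryGetList($ListTitle)
        if ($null -eq $list) { throw "List '$ListTitle' not found in $WebUrl" }

        $query = New-Object Microsoft.SharePoint.SPQuery
        $query.ViewAttributes = "Scope='RecursiveAll'"   # files and folders at every depth
        $query.RowLimit = 2000                           # page through large lists
        $folderType = [Microsoft.SharePoint.SPFileSystemObjectType]::Folder
        $folders = 0
        $leafUrls = New-Object System.Collections.Generic.List[string]
        do {
            $page = $list.GetItems($query)
            foreach ($item in $page) {
                if (-not $item.HasUniqueRoleAssignments) { continue }
                if ($item.FileSystemObjectType -eq $folderType) { $folders++ }
                else { $leafUrls.Add($item.Url) }        # unique scope below folder level
            }
            $query.ListItemCollectionPosition = $page.ListItemCollectionPosition
        } while ($null -ne $query.ListItemCollectionPosition)

        # Each uniquely permissioned folder or item is counted as one scope.
        $total = $folders + $leafUrls.Count
        [pscustomobject]@{
            List                  = $list.Title
            ListBreaksInheritance = $list.HasUniqueRoleAssignments
            UniqueFolders         = $folders
            UniqueLeafItems       = $leafUrls.Count
            UniqueScopes          = $total
            PercentOfLimit        = [math]::Round(100 * $total / $ScopeLimit, 1)
            NearLimit             = ($total -ge ($ScopeLimit * $WarnPercent / 100))
            LeafItemUrls          = $leafUrls
        }
    }
    finally { $web.Dispose() }
}
# Constructed sample call (placeholder URL):
# Get-UniqueScopeReport -WebUrl 'https://sharepoint.example.com/sites/docs' -ListTitle 'Documents'
```

A non-zero `UniqueLeafItems` count identifies items whose permissions could be moved up to a parent folder, in line with the recommendation to set unique scopes only on parent objects.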