Microsoft Adapters: ACL Limits

A very helpful article for understanding some of the ACL limits in SPO/ODFB is https://docs.microsoft.com/en-us/office365/servicedescriptions/sharepoint-online-service-description/sharepoint-online-limits#items-in-lists-and-libraries.  There are two types of ACL limits on Microsoft platforms:

  • ACL quotas
  • Number of items that have a given ACL

Understanding the implications of these limits is an essential part of planning your migration ahead of moving any data.

ACL Quota

SharePoint Online has a limit of 50,000 ACLs per document library.  For best performance on SharePoint after migration completes, Microsoft recommends that you stay below 5000 ACLs, and, in many instances, a fraction of this number.  The number of ACLs that will be applied by CFP is roughly equivalent to the number of lines in the Paths tab of the spreadsheet – but the specifics are:

  • each item (file or folder) that is shared counts as one ACL, regardless of the number of users and groups that are sharees for that item
  • if a folder is shared, that counts as one ACL, but any child items that inherit permissions from the folder do not count against the ACL quota
  • you can have a maximum of 5000 users and groups that share a given item

If a map has more than 50K lines for a given document library, you can use the ‘Ignore ACLs Below This Depth’ and ‘Ignore Permissions on Files’ settings in the Settings page of the APM map wizard.  These options are not available for all data sources, and using them may give users unintended access to data, so it’s important to understand how they work and what the full ramifications of using them are.  Note that after you change the settings, you can click the REGENERATE button on the Define Maps screen to recrunch the data for the map job that has already been run and create a smaller map.  You do not have to launch a new map generation job.

Be aware that if users are applying ACLs to data in a given account by mechanisms other than CFP, that counts toward the total number of ACLs.  Consult your Microsoft representative with any questions about the recommended number of ACLs on each SharePoint subsite and document library.

Number of Items That Have a Given ACL

The maximum number of items that can have a given ACL is 100,000.  What that means is that if you have a folder that contains more than 100,000 total files and folders (total items, and not just the immediate children), adding an ACL to the top level folder will fail because it exceeds Microsoft’s limit.  Moreover, for SharePoint sites, where the site owners, members and visitors are inherited down to the doc library contents, this can cause issues with any folder in the doc library that contains more than 100,000 items.

If you have a folder that has more than 100,000 items and attempt to apply an ACL (regardless of the number of individual users and groups in the ACL), it will fail with the error “The attempted operation is prohibited because it exceeds the list view threshold enforced by the administrator,failed to apply permissions.”

Microsoft recommends that you apply ACLs to a folder before transferring any data into it.  While data will still transfer into that shared folder once it contains 100,000 items, there will be an ACL error for them, and more significantly, users on the SPO web app can experience significant performance degradation when they attempt to access that doclib.
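A pre-migration check for the limits described above, as an added example that is not part of CFP or the original article. The input shapes (a list of item paths in one document library and a mapping of shared paths to sharees) are assumptions for illustration, not CFP's spreadsheet format, and the item count is taken over everything below a shared folder.

```python
from collections import Counter
from pathlib import PurePosixPath

# Limits as stated in this article.
ACL_HARD_LIMIT = 50_000        # ACLs per document library
ACL_RECOMMENDED = 5_000        # recommended ceiling for performance
MAX_SHAREES = 5_000            # users and groups sharing one item
MAX_ITEMS_PER_ACL = 100_000    # items that can have a given ACL


def descendant_counts(item_paths):
    """Total files and folders below each folder, at every depth."""
    counts = Counter()
    for p in item_paths:
        for ancestor in PurePosixPath(p).parents:
            if str(ancestor) not in (".", "/"):
                counts[str(ancestor)] += 1
    return counts


def check_library(item_paths, shares, *, acl_hard=ACL_HARD_LIMIT,
                  acl_rec=ACL_RECOMMENDED, max_sharees=MAX_SHAREES,
                  max_items=MAX_ITEMS_PER_ACL):
    """shares maps each explicitly shared path to its list of sharees.

    Items that only inherit permissions are absent from shares, so they
    do not count against the ACL quota.
    """
    below = descendant_counts(item_paths)
    acl_count = len(shares)  # one ACL per shared item, whatever the sharee count
    findings = []
    if acl_count > acl_hard:
        findings.append(("acl_quota_exceeded", None, acl_count))
    elif acl_count > acl_rec:
        findings.append(("acl_above_recommended", None, acl_count))
    for path, sharees in sorted(shares.items()):
        if len(sharees) > max_sharees:
            findings.append(("too_many_sharees", path, len(sharees)))
        if below[path] > max_items:
            findings.append(("too_many_items_for_acl", path, below[path]))
    return acl_count, findings


if __name__ == "__main__":
    # Constructed sample library; limits lowered so the checks trigger.
    items = ["Finance", "Finance/2020", "Finance/2020/a.xlsx",
             "Finance/2020/b.xlsx", "HR", "HR/policy.docx"]
    shares = {"Finance": ["grp-fin"], "HR": ["grp-hr", "alice", "bob"]}
    print(check_library(items, shares, acl_rec=1, max_sharees=2, max_items=2))
```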

If you identify a folder that has more than 100,000 items, here are some things you can do to address the limitation.

  1. Long term, the best strategy is to break the folder up into smaller pieces, and migrate it as a set of smaller folders.  support@cloudfastpath.com can show you the best way to do this.  This has the added benefit of decreasing load times for the folder contents in the SPO web app once migration has completed.
  2. Deselect the Advanced Option “Keep Parent Permissions” to prevent the site permissions from inheriting down to the folder.  You’ll need to add those permissions back for individual subfolders of the main folder so that the site users have access to it – and make sure that those subfolders each have less than 100,000 items. Move the data over in one pass, and apply the ACLs in a separate pass.
  3. Keep sharing strategies as simple as possible.  Reduced permissions on large subfolders such as these – where one or two items have reduced permissions and the other items have the same permissions as the parent – can result in exceeding the 50,000 total ACL quota.
  4. If you need to remove permissions from a document library, you can do so by the following procedure:
    1. Set up an SPO to SPO job.  The source and target will be the same document library where the affected files are.
    2. Select Settings from the white bordered list box on the right side of the APM job configuration.  Select ‘Transfer Contents Only’ and ‘Manage Permissions on Files’.
    3. Run a map generation job and download the spreadsheet, which will list all of the permissions for the document library.  Each row in the Paths tab counts as one ACL.  Additionally, any rows in the Path Conflicts tab that are not voided out due to skips or otherwise will also each count as one ACL.
    4. Set the ‘Clear Permissions?’ column to ‘Y’ for any permissions that you want to remove.  Delete the rows from the spreadsheet for the permissions you want to retain.
    5. Run a simulation to confirm results are as expected.  Then run the job to clear the ACLs.  Consult support@cloudfastpath.com with any questions.
Updated on January 27, 2021