I have 2 parts to my question. If I have a Document library with 10K documents, and all documents are set to inherit permissions from the library, which itself has an explicit ACL comprising 500 users (i.e. the library does not inherit security from the site), then:
1. Is the ACL replicated in SharePoint's database per document that is set to inherit security?
2. If I add another user to the list, would SharePoint in its underlying implementation need to add that user to the 10K document ACLs as well?
If the answer to 1) is NO, then the answer to 2) would perhaps be NO as well; still, I wanted to be sure and thus listed them out separately.
The reason this is important for us is:
- We would have lots of users on a DL and lots of documents in the DL inheriting security. If the same is replicated per document, it means increased storage space would be needed.
- The security would be updated frequently on the DL via SP API calls. If it needs replication per document, we would need to factor in the time needed for the same while making API calls.
As per my own research, the ACL is not replicated for objects inheriting security in SharePoint.
The ACL, AFAIK, is stored in the Perms + RoleAssignment tables in SharePoint's content database. Perms contains an entry only for objects not inheriting security from their parent (identified by the ScopeId column), and RoleAssignment contains roles for the ScopeIds in the Perms table.
So effectively if an object is inheriting security, it won't have ACL entries defined in the database. I wrote a blog post with further insights into my research in the same context here: https://imbibe.in/blog/2018/01/08/permission-storage-sharepoints-database/
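
The scope-based storage described in this answer, as an added example that is not part of the original post and is not SharePoint's real schema: a simplified in-memory SQLite model reusing the table names Perms and RoleAssignment and the ScopeId column from the answer. The Docs table, the integer scope ids, and the functions `build_library`, `grant`, `break_inheritance` and `can_access` are assumptions made for illustration, including the choice to copy the parent's assignments when inheritance is broken.

```python
import sqlite3

def build_library(n_docs=10_000, n_users=500):
    """One library scope with explicit permissions; every document inherits it."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE Perms (ScopeId INTEGER PRIMARY KEY, ScopeUrl TEXT);
        CREATE TABLE RoleAssignment (ScopeId INTEGER, PrincipalId INTEGER, RoleId INTEGER);
        CREATE TABLE Docs (Id INTEGER PRIMARY KEY, Url TEXT, ScopeId INTEGER);
    """)
    db.execute("INSERT INTO Perms VALUES (1, 'Library')")
    db.executemany("INSERT INTO RoleAssignment VALUES (1, ?, 1)",
                   [(u,) for u in range(n_users)])
    # Inheriting documents only point at the library's scope: no ACL rows of their own.
    db.executemany("INSERT INTO Docs VALUES (?, ?, 1)",
                   [(d, f"Library/doc{d}.docx") for d in range(n_docs)])
    return db

def count(db, table):
    return db.execute(f"SELECT COUNT(*) FROM {table}").fetchone()[0]

def grant(db, scope_id, principal_id, role_id=1):
    """Granting on a scope writes one row, however many objects share that scope."""
    db.execute("INSERT INTO RoleAssignment VALUES (?, ?, ?)",
               (scope_id, principal_id, role_id))

def break_inheritance(db, doc_id):
    """Give one document its own scope, copying the parent's current assignments."""
    url, parent = db.execute("SELECT Url, ScopeId FROM Docs WHERE Id = ?",
                             (doc_id,)).fetchone()
    new_scope = db.execute("INSERT INTO Perms (ScopeUrl) VALUES (?)", (url,)).lastrowid
    db.execute("INSERT INTO RoleAssignment SELECT ?, PrincipalId, RoleId "
               "FROM RoleAssignment WHERE ScopeId = ?", (new_scope, parent))
    db.execute("UPDATE Docs SET ScopeId = ? WHERE Id = ?", (new_scope, doc_id))
    return new_scope

def can_access(db, doc_id, principal_id):
    """Effective access is resolved through the document's ScopeId."""
    row = db.execute("SELECT 1 FROM Docs d JOIN RoleAssignment r ON r.ScopeId = d.ScopeId "
                     "WHERE d.Id = ? AND r.PrincipalId = ?", (doc_id, principal_id)).fetchone()
    return row is not None

if __name__ == "__main__":
    db = build_library()
    grant(db, 1, 9001)                      # new user on the library scope
    print(count(db, "Perms"), count(db, "RoleAssignment"), can_access(db, 9999, 9001))
    break_inheritance(db, 42)               # document 42 now has its own scope
    grant(db, 1, 9002)                      # later library grant skips document 42
    print(can_access(db, 42, 9002), can_access(db, 43, 9002))
```

In this model a document with broken inheritance stops receiving later grants made on the library scope, so uniquely scoped items need to be tracked separately when reviewing who has access.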