none
Search performance and process for disinherited security RRS feed

  • Question

  • If I have 4 Libraries each with 1000 documents....and if one document in each of the 4 libraries has dis-inherited security, do all 4000 documents now need to be crawled via search since one document in each library has document level permissions?

    ...or is the crawl only having to look at those 4 documents that now have "edited permissions" flags and only those 4 have to be security scoped for search results?

    This is our concern on search performance.

    Wednesday, October 29, 2014 6:21 PM

Answers

  • No performance metrics that I can quote.  But doing a full security scan takes a fraction of the time it takes to do a full crawl.  In fact every time you add a new user to a site or to a SharePoint group it will flag that site for a full security scan the next time the site gets crawled.  So in many environments it happens all the time in the middle of the day when doing regular incremental crawls without a serious performance effect.  This is essentially the same case.  This is a quote from the Best practices for crawling in SharePoint Server 2013 article here:

    http://technet.microsoft.com/en-us/library/dn535606(v=office.15).aspx#BKMK_UseADGroups

    The ability of a user or group to perform various activities on a site is determined by the permission level that you assign.  If you add or remove users individually for site permissions, or if you use a SharePoint group to specify site permissions and you change the membership of the group, the crawler must perform a "security-only crawl", which updates all affected items in the search index to reflect the change. Similarly, adding or updating web application policy with different users or SharePoint groups will trigger a crawl of all content covered by that policy. This increases crawl load and can reduce search-results freshness. Therefore, to specify site permissions, it is best to use Active Directory Domain Services (AD DS) groups, because this does not require the crawler to update the affected items in the search index.


    Paul Stork SharePoint Server MVP
    Principal Architect: Blue Chip Consulting Group
    Blog: http://dontpapanic.com/blog
    Twitter: Follow @pstork
    Please remember to mark your question as "answered" if this solves your problem.

    • Marked as answer by Lindali Friday, November 7, 2014 8:18 AM
    Wednesday, October 29, 2014 9:41 PM

All replies

  • First, the search crawl can crawl documents just to pick up changes in security.  That is much faster than crawling the documents to completely re-index them.  So even if it re-crawls the ACLs on every document it shouldn't cause a major impact on your search performance since it won't re-crawl the content on all of them if the only change is to security.  But yes, I do think it will re-crawl the security for the whole document library.

    Paul Stork SharePoint Server MVP
    Principal Architect: Blue Chip Consulting Group
    Blog: http://dontpapanic.com/blog
    Twitter: Follow @pstork
    Please remember to mark your question as "answered" if this solves your problem.

    Wednesday, October 29, 2014 7:25 PM
  • Hi Paul...thank you for the reply!

    Any performance metrics out there on document level permissions?

    Reason I ask about metrics is if a manager needs to have a "warm fuzzy" on 500 libraries that contain 5000 documents each (this is a real world example we are going to see in our 2013 environment), having document level permissions isn't going to bring the search to it's knees b/c now 2,500,000 documents in the farm have to be re-crawled for ACLs to be updated.

    I realize that not all 500 libraries (at the same exact time) will get document level permissions set on them, but with our very dynamic SharePoint environment, document level permissions (because of the document sensitivity due to not only the information but timing in our processes) will be changing very often.

    Wednesday, October 29, 2014 7:42 PM
  • No performance metrics that I can quote.  But doing a full security scan takes a fraction of the time it takes to do a full crawl.  In fact every time you add a new user to a site or to a SharePoint group it will flag that site for a full security scan the next time the site gets crawled.  So in many environments it happens all the time in the middle of the day when doing regular incremental crawls without a serious performance effect.  This is essentially the same case.  This is a quote from the Best practices for crawling in SharePoint Server 2013 article here:

    http://technet.microsoft.com/en-us/library/dn535606(v=office.15).aspx#BKMK_UseADGroups

    The ability of a user or group to perform various activities on a site is determined by the permission level that you assign.  If you add or remove users individually for site permissions, or if you use a SharePoint group to specify site permissions and you change the membership of the group, the crawler must perform a "security-only crawl", which updates all affected items in the search index to reflect the change. Similarly, adding or updating web application policy with different users or SharePoint groups will trigger a crawl of all content covered by that policy. This increases crawl load and can reduce search-results freshness. Therefore, to specify site permissions, it is best to use Active Directory Domain Services (AD DS) groups, because this does not require the crawler to update the affected items in the search index.


    Paul Stork SharePoint Server MVP
    Principal Architect: Blue Chip Consulting Group
    Blog: http://dontpapanic.com/blog
    Twitter: Follow @pstork
    Please remember to mark your question as "answered" if this solves your problem.

    • Marked as answer by Lindali Friday, November 7, 2014 8:18 AM
    Wednesday, October 29, 2014 9:41 PM