When a security principal is added to the scope of an item with unique permissions, the security principal is immediately added with the Limited Access permission level to each unique permission scope in the hierarchy above the item until a parent Web with unique permissions is located.
The reason for adding the user to the scopes with Limited Access is to allow enough access to the object hierarchically above the uniquely permissioned item so that the Object Model (OM), master pages, and navigation can render when the user attempts to navigate to the item. Without the Limited Access permissions at the parent scopes, the user would not be able to successfully navigate to or open the item that has unique permissions.
The following diagram shows how the hierarchical depth of scopes can affect the amount of work required to add Limited Access users to parent scopes. The larger the number of unique scopes above the item, up to and including the uniquely permissioned Web, the larger the number of additions that must occur. The diagram shows a simplified representation of a physical structure that has unique scopes defined at every level from the Web down to individual items. As in the previous diagram, each differently numbered gold hexagon represents a unique permission scope, and all child objects within that container inherit from that scope unless they have their own unique permissions scope. The chain of Limited Access promotion is shown using red arrows.
The diagram also includes the set of unique scopes along with the Limited Access membership additions that must occur on each parent scope, represented by separate boxes within the scope. No additional programming is required to add unique scopes whenever a security principal is added to an object scope with unique permissions that is below a Web with unique permissions.
When a security principal with the Limited Access permission level is added to a parent scope, no check is made to see whether the security principal is already in the parent scope. A security principal that already has access to the parent scope is added again with Limited Access permissions, regardless of its existing permissions on the parent scope.
When a security principal is removed from the Limited Access permission level at a parent scope, each instance of that security principal within every child scope is removed from the Limited Access permission level, regardless of whether the security principal has Limited Access or a wider set of permissions at the child scopes.