"It is a best practice to not break the inheritance as much as possible"

It will eventually impact the search performance as your list grows. Limiting number of users to a group and add groups may be helpful in your case. You should prefer to do a round testing with N set of users/groups and measure the impact before deciding to take this approach to production system. 

Huge number of users/groups without inheritance can even cause acl trackers to fail as well due to heavy payload being sent to solr nodes. 

 @angelborroy   @afaust  Can provide better details

Hi @abhinavmishra14, could you please explain me better what you mean by "Huge number of users/groups without inheritance can even cause acl trackers to fail as well due to heavy payload being sent to solr nodes. "? How to identify this kind of problems?

I am in a similar situation: a lot of users/groups and low inheritance usage (Alfresco 5.2 instance with about 7 milion nodes).

Often the customer contacts us because some documents are not available in search results (Solr query).
The same query run as "admin" retrives all the expected results; it looks like the "bad" nodes are indexed but there is something wrong with ACL in Solr.

Reindexing a specific node by nodeId (https://localhost:8443/solr4/admin/cores?action=REINDEX&nodeid={nodeid}) or txid (https://localhost:8443/solr4/admin/cores?action=REINDEX&txid={txid}) solves the problem.

No errors in solr (or Alfresco) logs.

Many thanks

Huge number of users/groups without inheritance can even cause acl trackers to fail as well due to heavy payload being sent to solr nodes. "  --> When you a lot of folders/files where you have disabled the permission inheritance, then it would degrade the performance of queries

It is recommended to make more and more use of groups in this situation and add users requiring appropriate permissions to the groups. 

Write a script/webscript to find out nodes where you have disabled the inheritance, analyse and tune it accordingly. 

Admin bypasses the permissions that's why you get proper results. 

Enable following logs and see if you can find something:

log4j.logger.org.alfresco.repo.jscript.ScriptLogger=debug
log4j.logger.org.alfresco.repo.transaction.RetryingTransactionHelper=INFO
log4j.logger.org.alfresco.solr.query.AbstractQParser=DEBUG
log4j.logger.org.alfresco.repo.search.impl.solr.SolrQueryHTTPClient=DEBUG

Also have a look at this tech talk on permissions:

https://www.alfresco.com/video/tech-talk-live-think-twice-changing-permissions-demand?mkt_tok=eyJpIjoiTVRBd1lqZG1NRFEzTm1ZeCIsInQiOiJaRmxaWmtRRHJiMFV3alVIRWxwZG9iREx4TzlHdlZFekU1UUU3V0pPeWFKeWdmNVFkTGRMQUxLSk1nUjdzNmF6N0htV1IrNnprZWhVaHBKeHQ2V2hvVHAzc3NBSkNIcW9lSnJsYVNhckZKZEd2WU5kUjVzWjdwcmloYmRBWEFUeSJ9