The folders are only used for browsing. If you perform a search, the permissions on folders are skipped. So if your user does not have READ permissions on the files, then you will need to change the ACL on those documents. If you defined system ACLs on the documents, then you just need to modify the ACL definition (and do not have to modify individual files). If you didn't use system ACLs and are using auto-generated ACLs, then you will have to write a DFC utility/API script to modify each of the 3000 files. This is why the security model needs to be developed before rolling out the application to users.
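To see which of the two cases above applies before changing anything, the DQL below (an added example, not part of the original post) counts the documents per ACL and then re-points the ones on auto-generated ACLs to a single shared ACL. It assumes a Documentum repository; the folder path, ACL name and ACL owner are placeholders, and the `dm_45` prefix is the usual naming of server-generated ACLs.

```sql
-- Added example. Placeholders (not from the original post):
--   /Cabinet/Folder   folder that holds the affected documents
--   shared_read_acl   an existing system ACL that grants the users READ
--   dm_dbo            owner (acl_domain) of that system ACL
-- If your DQL client rejects comment lines, remove them before running.

-- 1. How many documents hang off each ACL? A handful of rows means shared
--    ACLs are in use; thousands of dm_45... rows means auto-generated ACLs.
SELECT acl_domain, acl_name, count(*)
FROM dm_document
WHERE FOLDER('/Cabinet/Folder', DESCEND)
GROUP BY acl_domain, acl_name

-- 2. List the documents that still carry an auto-generated ACL, so the
--    scope of the change is reviewed before it is applied.
SELECT r_object_id, object_name, owner_name, acl_domain, acl_name
FROM dm_document
WHERE FOLDER('/Cabinet/Folder', DESCEND)
  AND acl_name LIKE 'dm_45%'

-- 3. Re-point those documents to the shared system ACL. From then on,
--    access changes are made once, on the ACL definition.
--    Only current versions are touched; use "dm_document (ALL)" to
--    include older versions as well.
UPDATE dm_document OBJECTS
SET acl_name = 'shared_read_acl',
SET acl_domain = 'dm_dbo'
WHERE FOLDER('/Cabinet/Folder', DESCEND)
  AND acl_name LIKE 'dm_45%'
```

Run the statements one at a time and compare the row count reported by step 3 with the list from step 2; the auto-generated ACLs left behind are no longer referenced by these documents.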