
How to Debug Insufficient Access Rights on Cross Reference Id Error

If you or another user are inserting or updating records in Salesforce and the ‘insufficient access rights on cross reference id’ error appears, it can hold up your work until you find the root cause and resolve it.

We have faced this issue multiple times and realised the need for a comprehensive guide to help debug and fix this error in a timely manner.

Why do you get this Error?


First things first, why does it happen? The simple reason is that it is related to the access rights of the user performing the data insert/update.

If a user doesn’t have the right level of access to perform the operation then Salesforce stops the creation or update of the record and displays this error.

It occurs because a Salesforce ID in the data insert or update call points to a record that the user doesn’t have access to. If you receive this error, you first need to identify which ID is involved and then modify the access rights so that the operation completes successfully on the next attempt.

How to Debug it?

A very simple way to identify the cause of ‘insufficient access rights on cross reference id’ is to look at all the IDs in your insert/update call.

  1. The main Salesforce Record ID being used for an update call on the record.
    1. Make sure the record exists.
    2. Make sure the record isn’t deleted.
    3. Make sure the ID is correct.
  2. The Record Type ID: make sure it is correct.
  3. The IDs of lookup object records in that call: make sure they are correct and that you have access to those records.
  4. The Owner ID: check whether it is being changed to a user who does not have access to this record or to the record type of that record.
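
An added example (not from the original article): a Python pre-flight check that applies the list above to one row before it is sent, validating the length, the 18-character case-safe suffix and the key prefix of each ID. The sample rows and IDs are constructed, and treating every field whose name ends in `Id` as a cross reference is an assumption.

```python
import re

# Standard Salesforce key prefixes (first three characters of an ID).
PREFIX = {"005": "User", "00G": "Group", "012": "RecordType"}
# Object each cross-reference field must point at (an owner may be a queue).
EXPECTED = {"OwnerId": {"User", "Group"}, "RecordTypeId": {"RecordType"}}
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ012345"

def checksum(id15):
    """Return the 3-character case-safe suffix of a 15-character ID."""
    suffix = ""
    for start in (0, 5, 10):
        chunk = id15[start:start + 5]
        # Bit i is set when character i of the chunk is an uppercase letter.
        bits = sum(1 << i for i, ch in enumerate(chunk) if ch.isupper())
        suffix += ALPHABET[bits]
    return suffix

def check_id(field, value):
    """Return the problems found in one ID value (empty list if none)."""
    if not re.fullmatch(r"[A-Za-z0-9]{15}(?:[A-Za-z0-9]{3})?", value):
        return [f"{field}: not a 15- or 18-character ID"]
    problems = []
    if len(value) == 18 and checksum(value[:15]) != value[15:].upper():
        problems.append(f"{field}: suffix mismatch (mistyped or case altered)")
    expected = EXPECTED.get(field)
    if expected and PREFIX.get(value[:3]) not in expected:
        problems.append(f"{field}: prefix {value[:3]} is not {'/'.join(sorted(expected))}")
    return problems

def preflight(row):
    """Check every non-empty field named Id or ending in Id (assumption)."""
    return [p for field, value in row.items()
            if value and field.endswith("Id")
            for p in check_id(field, value)]

# Constructed sample rows; none of these IDs come from a real org.
GOOD = {"Id": "001A0000001aBcDIAU", "Name": "Acme",
        "RecordTypeId": "012A0000000QrStIAK", "OwnerId": "005A0000000xYzWIAU"}
BAD = {"Id": "001A0000001aBcDIAU",
       "RecordTypeId": "012a0000000qrstIAK",   # lower-cased by a spreadsheet
       "OwnerId": "001A0000001aBcDIAU"}        # an Account ID, not a User

if __name__ == "__main__":
    for name, row in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, preflight(row) or "no malformed IDs")
```

A clean result only rules out malformed or misdirected IDs; whether the user can see the record, the record type or the template folder still has to be checked in the org.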

Let's now jump into the common causes and how to fix them.

Common Causes and Fix

There are a few documented reasons that can tell you why the data operation failed. Some of these are:

Scenario: Creating a record and attempting to assign it to a new user in the same call.
Fix: Create the record first, and in a separate call update the record with a new OwnerId.

Scenario: The record type Id is not a valid record type Id for the object that is being manipulated.
Fix: Correct the Record Type Id.

Scenario: Assigning a record to a user who does not have profile access to the record type.
Fix: Add profile access to the used record type.

Scenario: Assigning a record to another user when the assigning user’s profile does not have access to the record type.
Fix: Add the Record Type to your user profile.

Scenario: Assigning a record to a Partner Portal user when the user does not have access to Internal Salesforce.
Fix: Add a NetworkScope column including the ID for the Community you are working with.

Scenario: A lead submission invokes an auto-response e-mail notification, but the e-mail template used in the response is contained in a folder to which the user does not have access.
Fix: Find which e-mail template is invoked in the auto-response rule; check the folder permissions for the folder that contains this e-mail template; ensure that the user making the API call has permissions to access this folder.

If none of the above scenarios apply to you, then consider raising a case with Salesforce Support so that they can guide and help you debug and resolve this issue.