insufficient_access_on_ cross_reference_entity APEX / Salesforce

4:23 PM

 NOTE: A common cause for this issue is the below scenario. Read on, if that's not the case for you.
 *If you are trying to share "Record X" with "User Y" and "User Y" already has access to "Record X" this error happens.


Even though i understood what this means and have dealt with it earlier, this time this error message sucked my brain for one week. Finally, i got it sorted out and i hope this post helps someone understand and solve as well.

When does this error happen?

This error normally happens when a DML operation is performed. Meaning that, whenever an Insert or Update is performed. You won't see this error when you save your APEX class or TRIGGER, because this error happens at RUNTIME.


What does this error mean?

This error means that you are trying to do an operation which is not supposed to be done, or the operation you are about to perform is not permitted according to the Sharing and Security settings defined. This error message does NOT always mean that you lack access to do the operation, even though it might be the case sometimes. So, even if you are an ADMINISTRATOR you may get this message.

Possible Causes:
Let's take some scenario's and analyze.

 Scenario 1:  Creating a new record (Account/Contact/...) and setting the Owner. Applies to updating records as well.


So, in your code you create some records. By Default the creator of the record is the Owner. You want to change this and you modify the OwnerId column of the newly created records. You make "User X" as the Owner. Now when you run the code, you get the Error below:
System.DmlException: Insert failed. First exception on row 2; first error: INSUFFICIENT_ACCESS_ON_CROSS_REFERENCE_ENTITY, insufficient access rights on cross-reference id: []

Things to check:
  *Check that the running user (in this case you) has access to the object being operated. Check that he has CREATE privileges on the object. This is optional, but is always better to start from here. 
  *Check that the Owner ie User X has CREATE permission on the object. Check that his profile has the CREATE permission on the particular object. He might not be having it, grant him permission and the issue is resolved.


 Scenario 2:

Creating or Updating an Opportunity (just for an example,  might be any object). Setting the related Account of the Opportunity.


So, let's say that you create 5 Opportunities and you set the Owner to "User X". You set the Account to "Account X". When your code tries to insert these 5 opportunities, it fails and you get the same error message.
System.DmlException: Insert failed. First exception on row 2; first error: INSUFFICIENT_ACCESS_ON_CROSS_REFERENCE_ENTITY, insufficient access rights on cross-reference id: []
Reason:
This is because "User X" does not have access to "Account X". When you try to create an Opportunity for "Account X" that he does not have access to the code fails. Either grant access to "User X" for "Account X" manually or through code and then do the Insert.

Scenario 3:

The Sharing Object.


This is a bit complex to get at. atleast for me. You might be aware that every object has its own Share object. So, Account has AccountShare and Customobj__c has Customobj__Share
When you insert or update records in this object you might receive the same error message. There are a number of reasons for this to happen. 

    *If you are trying to share "Record X" with "User Y" and you yourself do not have access to "Record x", this error happens.
    *If you are trying to share "Record X" with "User Y" and "User Y" does not have access to the object (the profile level permission, create read edit delete), this error happens.
    *If you are trying to share "Record X" with "User Y" and "User Y" already has access to "Record X" this error happens.


14 comments

  1. this was a great post thanks a lot

    ReplyDelete
  2. Thanks for posting this; it really helped.

    ReplyDelete
  3. Thanxs....It helps.!!

    ReplyDelete
  4. This was amazing post mate. The last line in the post(If you are trying to share "Record X" with "User Y" and "User Y" already has access to "Record X" this error happens.) helped me fix my issue .

    ReplyDelete
    Replies
    1. Hi,
      Could you please tell me how did you fix the issue here?
      Many thanks in advance.

      Delete
  5. I think this is a great post, however I'm a bit confused about the last statment:

    quote: *If you are trying to share "Record X" with "User Y" and "User Y" already has access to "Record X" this error happens.

    I was not able to reproduce that behavior in Spring'13. Maybe that's something that salesforce fixed? Also, from the help file:

    OpportunityShare Usage:
    This object allows you to determine which users and groups can view or edit opportunities owned by other users.
    If you attempt to create a record that matches an existing record, any modified fields are updated, the system returns the existing record.

    source:
    http://www.salesforce.com/us/developer/docs/api/Content/sforce_api_objects_opportunityshare.htm

    ReplyDelete
  6. Thanks so much for this! I too was running into the last issue where user Y was already the owner of record X. I thought my code was broken but everything was working just fine - just had to adjust what constituted an "error."

    ReplyDelete
  7. The last red line did the trick (I can confirm that it still occurs in Summer 13).. Amazing, and such a lame error message by SFDC for this particular scenario...

    ReplyDelete
  8. Thank you for the post. Great information. I was able to diagnose my problem with (INSUFFICIENT_ACCESS_ON_CROSS_REFERENCE_ENTITY based on your description.

    ReplyDelete
  9. Great post, Thank you

    ReplyDelete
  10. Hi,

    I am receiving this error when using flow to update case record type to "X". However, manual update record type to "X" from the page layout works. Any idea?

    ReplyDelete
  11. thanks for sharing.. very useful post. cheers!

    ReplyDelete
  12. Salesforce must use this as knowledge article to resolve the issue.

    ReplyDelete

AD