TransWikia.com

How to fix insufficient access rights on cross-reference id?

Salesforce Asked by D-Horse on February 23, 2021

I am getting the error:

INSUFFICIENT_ACCESS_ON_CROSS_REFERENCE_ENTITY, insufficient access rights on cross-reference id: []

Scenario is, I am inserting an Opportunity and then Opportunity Line Item from a VisualForce page using controller. When I am doing this I am logged in as user whose profile license is “Authenticated Website”.

Strange thing is, when on another org logged in as user whose user profile license is Customer Portal Manager the same code work fine. Both orgs have Opportunity OWD “Read Only” and Opportunity line item “Controlled By Parent”.

To resolve this problem I’ve used “without sharing” on class which executes the insertion code, and it works fine from “Authenticated Website” user. As this may be a security issue when we try to list the app on AppExchange, is there any other way to resolve this problem?

3 Answers

I got this error while creating a record for object X which has mater detail to account and contact, I saw that the sharing setting says that permissions on objects X depends on the permissions of parents, and parents (account and contact) in my case did not have modify all access, as soon as I added modify all access I was good.

Answered by Aanchal Bhatia on February 23, 2021

The error happens when you're trying to insert/update the record which can't be logically inserted/updated.

So basically make sure that:

  • you don't insert/update a record that does not exist,
  • you don't update object field that is build-in/read-only,
  • you perform the action using the user who has not the right access to modify the object

More detailed explanation:

This error was causing a lot of pain in a Salesforce integration that we have. It seems like a permissions issue on first look. But it's sort of misleading. Even a System Administrator can get this error.

So after researching a lot, this was what I found:

The error is throw when you try to insert/update something that logically cannot be inserted/updated.

Some examples:

  • You try to update a record that does not exist. Maybe the record was never there or it was deleted.

  • You try to update an object field that cannot be set explicitly. These fields can only be updated by the implicitly. e.g.: object owner, CreatedById, CreatedDate, LastActivityDate, LastModifiedById, LastModifiedDate. You cannot explicitly update these fields.

  • You are trying to give permission to someone but you yourself do not have permission for this.

  • If you are trying to share "Record X" with "User Y" and you yourself do not have access to "Record x", this error happens Or if the "User Y" already has access to it.

These are just a few reasons you can get the salesforce error INSUFFICIENT_ACCESS_ON_CROSS_REFERENCE_ENTITY; I am sure there are others.

Source: http://blog.daksatech.com/2012/10/salesforce-error-insufficientaccessoncr.html

Answered by kenorb on February 23, 2021

According to the license documentation:

http://login.salesforce.com/help/doc/en/users_understanding_license_types.htm

"Users with this license have read and create access on ideas and questions and answers, and read-only access to documents, knowledge, price books, and products" - plus you can access custom objects.

I'm surprised that you can insert an opportunity with a customer portal user, as the docs say that this functionality should only be available for Partner Portal users. That said, I have found that I do have capabilities that I shouldn't have with Authenticated Website Licenses, but I avoid using these in production in case its down to a bug that gets fixed and thus breaks my code.

Without sharing means that the code will run in the context of a system user, disregarding permissions and sharing rules associated with the currently logged in user. However, I'd expect the license type of the logged in user to be retained through the life of the transaction - it has been in similar situations I've found.

Given that what you are trying to do shouldn't be allowed through the license type, I'd be quite nervous about putting this out on the app exchange for a couple of reasons in addition to the security review:

  1. Anyone installing the package could technically be in breach of their license agreement
  2. If you are relying on a loophole/bug and that gets closed, your package will suddenly stop working with no warning.

At the very least I'd make sure that the end users understood that I was providing functionality that the license shouldn't support.

Answered by Bob Buzzard on February 23, 2021

Add your own answers!

Ask a Question

Get help from others!

© 2024 TransWikia.com. All rights reserved. Sites we Love: PCI Database, UKBizDB, Menu Kuliner, Sharing RPP