Find your content:

Search form

You are here

How to fix insufficient access rights on cross-reference id?


I am getting the error:

INSUFFICIENT_ACCESS_ON_CROSS_REFERENCE_ENTITY, insufficient access rights on cross-reference id: []

Scenario is, I am inserting an Opportunity and then Opportunity Line Item from a VisualForce page using controller. When I am doing this I am logged in as user whose profile license is "Authenticated Website".

Strange thing is, when on another org logged in as user whose user profile license is Customer Portal Manager the same code work fine. Both orgs have Opportunity OWD "Read Only" and Opportunity line item "Controlled By Parent".

To resolve this problem I've used "without sharing" on class which executes the insertion code, and it works fine from "Authenticated Website" user. As this may be a security issue when we try to list the app on AppExchange, is there any other way to resolve this problem?

Attribution to: D-Horse

Possible Suggestion/Solution #1

According to the license documentation:

"Users with this license have read and create access on ideas and questions and answers, and read-only access to documents, knowledge, price books, and products" - plus you can access custom objects.

I'm surprised that you can insert an opportunity with a customer portal user, as the docs say that this functionality should only be available for Partner Portal users. That said, I have found that I do have capabilities that I shouldn't have with Authenticated Website Licenses, but I avoid using these in production in case its down to a bug that gets fixed and thus breaks my code.

Without sharing means that the code will run in the context of a system user, disregarding permissions and sharing rules associated with the currently logged in user. However, I'd expect the license type of the logged in user to be retained through the life of the transaction - it has been in similar situations I've found.

Given that what you are trying to do shouldn't be allowed through the license type, I'd be quite nervous about putting this out on the app exchange for a couple of reasons in addition to the security review:

  1. Anyone installing the package could technically be in breach of their license agreement
  2. If you are relying on a loophole/bug and that gets closed, your package will suddenly stop working with no warning.

At the very least I'd make sure that the end users understood that I was providing functionality that the license shouldn't support.

Attribution to: Bob Buzzard

Possible Suggestion/Solution #2

The error happens when you're trying to insert/update the record which can't be logically inserted/updated.

So basically make sure that:

  • you don't insert/update a record that does not exist,
  • you don't update object field that is build-in/read-only,
  • you perform the action using the user who has not the right access to modify the object

More detailed explanation:

This error was causing a lot of pain in a Salesforce integration that we have. It seems like a permissions issue on first look. But it's sort of misleading. Even a System Administrator can get this error.

So after researching a lot, this was what I found:

The error is throw when you try to insert/update something that logically cannot be inserted/updated.

Some examples:

  • You try to update a record that does not exist. Maybe the record was never there or it was deleted.

  • You try to update an object field that cannot be set explicitly. These fields can only be updated by the implicitly. e.g.: object owner, CreatedById, CreatedDate, LastActivityDate, LastModifiedById, LastModifiedDate. You cannot explicitly update these fields.

  • You are trying to give permission to someone but you yourself do not have permission for this.

  • If you are trying to share "Record X" with "User Y" and you yourself do not have access to "Record x", this error happens Or if the "User Y" already has access to it.

These are just a few reasons you can get the salesforce error INSUFFICIENT_ACCESS_ON_CROSS_REFERENCE_ENTITY; I am sure there are others.


Attribution to: kenorb
This content is remixed from stackoverflow or stackexchange. Please visit

My Block Status

My Block Content