Salesforce Dictionary - Free Salesforce GlossarySalesforce Dictionary
All errors
Security

INSUFFICIENT_ACCESS_OR_READONLY: insufficient access rights on cross-reference id

The running user can see the record they're trying to update, but doesn't have edit access to it (or to a record it depends on). The error message looks scarier than it is — usually a sharing problem on the parent, not anything wrong with the SQL.

Also seen asINSUFFICIENT_ACCESS_OR_READONLY·insufficient access rights on cross-reference id·INSUFFICIENT_ACCESS_OR_READONLY: insufficient access

The phrasing is unhelpful. Insufficient access and readonly are bundled into one error code, and "cross-reference id" sounds like a foreign-key issue but really just means "a related record."

What the platform is telling you: somewhere in your save, the running user lacks edit permission on a record. It's almost always one of three things.

Three places to look, in order

1. The record you're updating

The most direct cause. Check:

  • Object permissions — the user's profile/permission set has Edit on the object?
  • Field-level security — Edit on every field you're updating?
  • Sharing — does the user actually have Edit on this specific record? Owner, role hierarchy, sharing rules, manual share, or apex managed share?

Open Setup → Sharing Settings, then the Sharing Settings for the object. If org-wide default is Public Read-Only and the user isn't in the role hierarchy of the owner, they won't have Edit.

2. A parent referenced by a relationship field on the record

When you update a record that points at a parent (master-detail or lookup with "Read access required"), the platform also validates the user can access the parent. A user might be able to edit the Opportunity but not its Account — the API throws this generic message even though the failure is on the parent's read access.

Diagnose: log the relationship fields you're touching, and verify access on each parent ID.

3. The user is a Community / Experience Cloud user

Community users have a more restricted sharing model. Two specific gotchas:

  • Sharing Sets apply to standard objects only; custom-object sharing for Community users uses Sharing Rules + Account Relationships.
  • Customer Community Plus users have role-based hierarchy access; Customer Community users do not. A flow that worked for the first license fails for the second.

A subtler cause: with sharing vs without sharing

If you have an Apex class running without sharing and it does an update, the platform applies system-level access. But if that update is to a record that a downstream trigger (running with sharing) tries to query and update, the trigger may fail with this error even though your top-level method "worked."

Check the entire chain:

public with sharing class WhatYouWrote { ... }
//                ^^^^ implicit on Lightning AuraEnabled methods

To inherit the caller's sharing rules through a chain, use inherited sharing on shared utility classes; then the most-restrictive caller wins.

Real diagnostic

SObjectType t = Account.SObjectType;
DescribeSObjectResult d = t.getDescribe();
System.debug(
    'isUpdateable=' + d.isUpdateable()
    + ' isAccessible=' + d.isAccessible()
);

// Field-level:
System.debug(Account.Description.getDescribe().isUpdateable());

If isUpdateable returns false at object level, you have a profile/permission-set problem. If field-level is the issue, you'll get this error specifically when that field is in your update list.

Related dictionary terms