Error overview
This Salesforce validation error may happen when you deploy the Flow metadata type, or when Flow metadata is included in your deployment package and validated against the target org.
In our app, the error message reported by Salesforce looks like this:
"insufficient access rights on cross-reference id"
Explanation of the error
This validation error points to a permission issue in Salesforce, such as missing or insufficient permissions for a Salesforce user making the deployment.
In the official documentation on this issue, Salesforce explains that:
"It happens when a user tries to use a Flow, save a record, or perform an action that depends on a connected record, but the user doesn’t have the required permissions to access that record.
This connected record is usually linked through a lookup field or a Master-Detail relationship. The user is attempting to use something (the connected record) they aren’t allowed to see."
This error is surfaced by Salesforce when trying to relate or deploy directly to an object that you don't have permissions to access.
Resolution
General guidance is to check the permissions on the object you are trying to relate or deploy to, and grant permissions on the objects for the Salesforce user you are deploying as.
To provide more context, Salesforce have identified six specific scenarios which may lead to this error.
Each scenario is listed in the table below with a possible cause and documented resolution.
Issue | Scenario | Possible cause and/or resolution |
1 | Creating a record and attempting to assign it to a new user in the same call | Create a record first, and in a separate call update the record with a new |
2 | The record type Id is not a valid record type Id for the object that is being manipulated. | Correct the Record Type Id. |
3 | Assign a record to a user who does not have profile access to the record type | Add profile access to the used record type. |
4 | Assign a record to another user but the assigning user's profile does not have access to the record type. | Add Record Type to your user profile. |
5 | Assign a record to a Partner Portal user and the user does not have access to Internal Salesforce. | Add a |
6 | A lead submission invokes an auto-response e-mail notification, but the e-mail template used in the response is contained in a folder to which the user does not have access. | 1. Find which e-mail template is invoked in the auto-response rule. |
7 | Any other undocumented use case or scenario that isn't listed above | If none of the above scenarios apply to you, then consider any possibility whereby any record associated with your action, referenced directly in the API call or by any resulting trigger, workflow or auto response, must be accessible by the user making that API call. |
Note: All scenarios and resolutions described in the table above come directly from Salesforce documentation.
Salesforce themselves underline that there may be other undocumented causes for this error. If you believe you're experiencing such an issue, we'd advise contacting Salesforce support for more information.
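To narrow down which row of the table applies, it helps to identify the record the error refers to, so that access can be granted on that record alone rather than broadly. The following is an added example, not Gearset or Salesforce code: it assumes the record ID follows the phrase in the message, uses standard Salesforce key prefixes, and the prefix-to-row hints and sample IDs are constructed for illustration.

```python
import re

# Standard Salesforce key prefixes (first three characters of a record ID,
# case-sensitive), with the table row to check first (hints are assumptions).
PREFIX_HINTS = {
    "012": ("RecordType", "rows 2-4"),
    "005": ("User", "rows 1 and 5"),
    "00X": ("EmailTemplate", "row 6"),
    "00l": ("Folder", "row 6"),
}

# Assumption: a 15- or 18-character record ID follows the phrase in the message.
ID_RE = re.compile(r"cross-reference id:?\s*([A-Za-z0-9]{18}|[A-Za-z0-9]{15})\b")


def triage(messages):
    """Group error messages by the record they reference.

    Returns {id15: {"object", "check", "count"}}. Messages that carry no ID
    are collected under the key None and pointed at the catch-all row 7.
    """
    report = {}
    for msg in messages:
        m = ID_RE.search(msg)
        # The 15- and 18-character forms name the same record; key on the first 15.
        id15 = m.group(1)[:15] if m else None
        if id15:
            obj, rows = PREFIX_HINTS.get(id15[:3], ("unknown", "row 7"))
        else:
            obj, rows = None, "row 7"
        entry = report.setdefault(id15, {"object": obj, "check": rows, "count": 0})
        entry["count"] += 1
    return report


# Constructed sample messages; the IDs are made up for illustration.
SAMPLE = [
    "insufficient access rights on cross-reference id: 012000000000001AAA",
    "insufficient access rights on cross-reference id: 012000000000001",
    "insufficient access rights on cross-reference id: 00X000000000002EAA",
    "insufficient access rights on cross-reference id",
]

if __name__ == "__main__":
    for record_id, info in triage(SAMPLE).items():
        print(record_id, info)
```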
Useful sources
Further examples of this Salesforce validation error can be found here:
Salesforce Help article (last updated 22 Oct 2024)
Trailblazer Community
Salesforce StackExchange
Disclaimer: This error is returned by Salesforce directly, rather than Gearset. Even so, we offer guidance based on our combined experience with the Metadata API. Where possible, we try to help guide you to fix or avoid this error. In the case that this isn't possible, we may need to direct you to Salesforce support for further clarification.