How to fix insufficient access rights on cross-reference id?

I got this error while creating a record for object X which has mater detail to account and contact, I saw that the sharing setting says that permissions on objects X depends on the permissions of parents, and parents (account and contact) in my case did not have modify all access, as soon as I added modify all access I was good.

The error happens when you're trying to insert/update the record which can't be logically inserted/updated.

So basically make sure that:

• you don't insert/update a record that does not exist,
• you don't update object field that is build-in/read-only,
• you perform the action using the user who has not the right access to modify the object

More detailed explanation:

This error was causing a lot of pain in a Salesforce integration that we have. It seems like a permissions issue on first look. But it's sort of misleading. Even a System Administrator can get this error.

So after researching a lot, this was what I found:

The error is throw when you try to insert/update something that logically cannot be inserted/updated.

Some examples:

• You try to update a record that does not exist. Maybe the record was never there or it was deleted.

• You try to update an object field that cannot be set explicitly. These fields can only be updated by the implicitly. e.g.: object owner, CreatedById, CreatedDate, LastActivityDate, LastModifiedById, LastModifiedDate. You cannot explicitly update these fields.

• You are trying to give permission to someone but you yourself do not have permission for this.

• If you are trying to share "Record X" with "User Y" and you yourself do not have access to "Record x", this error happens Or if the "User Y" already has access to it.

These are just a few reasons you can get the salesforce error INSUFFICIENT_ACCESS_ON_CROSS_REFERENCE_ENTITY; I am sure there are others.

Source: http://blog.daksatech.com/2012/10/salesforce-error-insufficientaccessoncr.html

According to the license documentation:

http://login.salesforce.com/help/doc/en/users_understanding_license_types.htm

"Users with this license have read and create access on ideas and questions and answers, and read-only access to documents, knowledge, price books, and products" - plus you can access custom objects.

I'm surprised that you can insert an opportunity with a customer portal user, as the docs say that this functionality should only be available for Partner Portal users. That said, I have found that I do have capabilities that I shouldn't have with Authenticated Website Licenses, but I avoid using these in production in case its down to a bug that gets fixed and thus breaks my code.

Without sharing means that the code will run in the context of a system user, disregarding permissions and sharing rules associated with the currently logged in user. However, I'd expect the license type of the logged in user to be retained through the life of the transaction - it has been in similar situations I've found.

Given that what you are trying to do shouldn't be allowed through the license type, I'd be quite nervous about putting this out on the app exchange for a couple of reasons in addition to the security review:

1. Anyone installing the package could technically be in breach of their license agreement
2. If you are relying on a loophole/bug and that gets closed, your package will suddenly stop working with no warning.

At the very least I'd make sure that the end users understood that I was providing functionality that the license shouldn't support.