The "Insufficient access rights on cross-reference ID" error indicates a permission issue in Salesforce. It occurs when a user tries to use a Flow, save a record, or perform an action that depends on a connected record, but the user does not have the required permissions to access that connected record.
The connected record is typically linked through a lookup field or a Master-Detail relationship. In effect, the user is attempting to reference a record they are not permitted to see.
To debug the API error "insufficient access rights on cross-reference id," review the following common scenarios.
The following six scenarios describe documented causes of the "insufficient access rights on cross-reference id" error, with possible causes and resolution steps. Note: This error may also occur for new or undocumented causes not listed here.
Possible Cause: You cannot assign a record to a new user in the same API call that creates the record.
Resolution: Create the record first. Then, in a separate API call, update the record with the new OwnerId.
Possible Cause: The record type ID used in the call is not a valid record type for the target object.
Resolution: Correct the Record Type ID to a valid value for the object.
Possible Cause: The user being assigned does not have profile-level access to the record type used.
Resolution: Add the record type to the user's profile.
Possible Cause: The assigning user's profile does not have access to the record type being used.
Resolution: Add the record type to the assigning user's profile.
Possible Cause: The Partner Portal user does not have access to the internal Salesforce record or community scope.
Resolution: Add a NetworkScope column to the API call, including the ID for the Community you are working with.
Possible Cause: A lead submission invokes an auto-response email notification, but the email template is in a folder the submitting user cannot access.
Resolution: Identify the email template invoked in the auto-response rule. Check the folder permissions for the folder containing that template. Ensure the user making the API call has access to the folder.
If none of the above scenarios apply, consider any possibility where a record associated with your action — referenced directly in the API call, or by any resulting trigger, workflow, or auto-response — must be accessible by the user making the API call.
Trailblazer Community - Insufficient access rights on cross-reference id issue
Salesforce Stack Exchange - Insufficient access rights on cross-reference id: error
000385619

We use three kinds of cookies on our websites: required, functional, and advertising. You can choose whether functional and advertising cookies apply. Click on the different cookie categories to find out more about each category and to change the default settings.
Privacy Statement
Required cookies are necessary for basic website functionality. Some examples include: session cookies needed to transmit the website, authentication cookies, and security cookies.
Functional cookies enhance functions, performance, and services on the website. Some examples include: cookies used to analyze site traffic, cookies used for market research, and cookies used to display advertising that is not directed to a particular individual.
Advertising cookies track activity across websites in order to understand a viewer’s interests, and direct them specific marketing. Some examples include: cookies used for remarketing, or interest-based advertising.