Loading

Troubleshooting INSUFFICIENT_ACCESS_OR_READONLY when deleting ContentDocument or ContentDocumentLink records

Publish Date: May 26, 2026
Description

Issue

Delete operations against ContentDocument records (Salesforce Files), or against the ContentDocumentLink records that share those files with users, groups, libraries, or other Salesforce records, can fail with the error INSUFFICIENT_ACCESS_OR_READONLY: insufficient access rights on object id [...]. The error indicates that the platform's file authorisation layer has refused the operation. Several distinct platform states can produce this same error string, including (but not limited to) files whose parent context cannot be administered through the standard Salesforce Files user interface, files whose linked records are in an unexpected state, and files whose underlying version metadata is inconsistent. In every case, the denial originates above the API surface, so the same error is returned consistently regardless of which client (Lightning Experience, Salesforce Classic, REST, Bulk API 2.0, Anonymous Apex, Data Loader, Workbench) is used to attempt the delete. Identifying the specific platform state behind the error requires Salesforce Support to inspect the affected records on the org; this article does not attempt to enumerate the underlying states because the diagnostic and resolution steps are owned by Salesforce Support.

Symptoms

  1. The deletion API returns INSUFFICIENT_ACCESS_OR_READONLY: insufficient access rights on object id [...]. The exact contents of the trailing brackets vary and should be captured verbatim before raising a case.

  2. The same error reproduces consistently across every delete surface (Lightning Experience, Salesforce Classic, REST sObject DELETE, Bulk API 2.0, Anonymous Apex Database.delete, Data Loader, Workbench). This indicates that the failure is not specific to any one client.

  3. Reassigning the OwnerId on the affected ContentDocument to a system administrator does not unblock the delete.

  4. Granting the affected user the "Delete Salesforce Files" user permission, or running the delete as a user with Modify All Data, does not unblock the delete.

Invoking Database.emptyRecycleBin() returns success on an empty selection but does not produce the desired outcome, because the records have not actually entered the Recycle Bin — the upstream delete that would have placed them there has been rejected.

Resolution

Before raising a case, work through the self-service steps below. Most cases of this error on a library-owned file are resolved by step 1; everything else requires Salesforce Support.

Step 1: If the file is in a Content Library, ask an existing Library Administrator to act

Identify whether the affected file is owned by a Content Library by running the following SOQL in the Developer Console or Workbench:

 

SELECT Id, ContentDocumentId, LinkedEntityId, ShareType, IsOwner

FROM ContentDocumentLink

WHERE ContentDocumentId IN ('<069...>') AND IsOwner = true

 

If the LinkedEntityId on the IsOwner = true row starts with 058, the file is owned by a Content Library (ContentWorkspace) with that id.

 

Identify the active Library Administrators of that Library. Two queries are needed because ContentWorkspaceMember.MemberId is polymorphic (User, Group, …) and the active-user filter cannot be expressed inline:

 

SELECT MemberId, MemberType,

       ContentWorkspacePermission.Name,

       ContentWorkspacePermission.PermissionsManageWorkspace,

       ContentWorkspacePermission.PermissionsDeleteContent

FROM ContentWorkspaceMember

WHERE ContentWorkspaceId = '<058...>'

AND   ContentWorkspacePermission.PermissionsManageWorkspace = true

AND   MemberType = 'User'

 

SELECT Id, Name, Username, IsActive

FROM User

WHERE Id IN (<MemberId values from the previous query>)

AND   IsActive = true

 

If the second query returns one or more rows, contact one of those users and ask them to either delete the file directly or to add the user that needs to perform the deletion as a member of the Library with the Library Administrator preset (this is done from the Library's Members section in Salesforce Files in Lightning Experience or in Salesforce Classic). Once a Library Administrator has acted, the standard delete from any client succeeds.

 

If the second query returns no rows, no active administrator exists on the parent Library and step 1 cannot resolve the case from within the org. Proceed to step 2.

Step 2: For all other cases, contact Salesforce Support

If the file is not owned by a Content Library, or if the parent Library has no active administrator, the underlying state cannot be repaired from within the org and Salesforce Support should be engaged. Contact Salesforce Support with the following details so the case can be triaged accurately on the first response:

 

  1. The verbatim text of the INSUFFICIENT_ACCESS_OR_READONLY error response, including the exact contents of the trailing brackets.

  2. The ContentDocument record ids (069...) and, where applicable, the ContentDocumentLink record ids and their LinkedEntityId values.

  3. The full list of delete surfaces attempted (Lightning UI, Classic UI, REST, Bulk API 2.0, Anonymous Apex, Data Loader, Workbench) and the response observed on each.

  4. The user id and profile of the user that attempted the deletion, and any user permissions or profile-level permissions granted to that user during troubleshooting.

  5. The output of the two SOQL queries from step 1, redacted as the customer's policies require.

  6. Whether login access has been granted on the affected org for Salesforce Support to investigate.

Additional Resources
Knowledge Article Number

005385260

 
Loading
Salesforce Help | Article