I have a custom object, Ticket__c, that has a master-detail field to Contact. I have a Digital Experience accessed by "Customer Community" licensed users. One of the pages provides access to the related list of Ticket__c records for the Contact related to the given Community User.
The org's OWD sharing of "Account and Contract" for External Users is "Private", and "Contact" is "Controlled by Parent".
The Community User's profile ensures that the user has permission to create Ticket__c records with all necessary fields and has Read and Edit access to Contact.
The Related List page in the digital experience (community) appropriately provides a "New" button and clicking it shows the creation form with the master-detail Contact lookup field pre-filled with the user's related Contact. However, an attempt to save the record results in "insufficient access rights on cross-reference id" (rather annoyingly this error message gives no hint as to which field or ID this relates to, but I have narrowed it down to the Contact master-detail).
Now, I'm quite certain it is all related to the sharing on Account being Private and the fact that Account is the parent of Contact from the sharing perspective in the community context.
I've found some other references to this issue, including an unhelpful knowledge article, along with this other Stack Exchange Q&A where a relatively recent answer talks about providing Modify All permissions to work around the problem. This isn't a suitable solution for me so I continued looking at what I could do here.
Salesforce supports the idea of Sharing Sets for community use, accessible in Setup under Feature Settings > Digital Experiences > Settings, which seemed like a plausible solution, so I created a Sharing Set against Account determining access using User:Contact.Account = Account.Id, granting Read Only access (I don't believe the community user needs to be able to edit, only read).
Unfortunately this didn't help. On revisiting this configuration I noticed a second tab, "Share Group Settings" and found that there was a button to Activate the Share Group. So I clicked it.
I waited a few minutes (the scratch org I'm on has next to no data on it at this point so I thought this shouldn't take long) and tried creating a Ticket__c again but still got the same error.
Anyone got any ideas as to how I can solve this problem without having to inappropriately share Accounts?
Best Answer
As per @KrisGoncalves's comment, I updated the Sharing Set to allow Read/Write for the selected Account and it started to work.
UPDATE:
I realized why read/write sharing is required for Account. Since Account is the parent (in sharing terms) for Contact and Contact is the master-detail parent for Ticket__c, I actually have to have write sharing on Account to have write sharing on Contact and write sharing on Ticket__c. In effect, the error was a bit misleading and was essentially saying I couldn't create my Ticket__c object because I didn't have write permission for any Ticket__c - the Contact isn't owned by me, as a community user, so isn't write shared with me (and thus in turn I have no way to manage master-detail children regardless of profile permissions) unless and until its parent is write shared with me in this scenario.
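A way to confirm the chain the answer describes before changing any sharing, as an added diagnostic that is not part of the original question or answer: query UserRecordAccess for the community user against their Contact and the Contact's Account. UserRecordAccess reports effective record-level access for a specific user, so it reflects the OWD, Sharing Set and Share Group state rather than just the profile. The field name Contact__c for the master-detail on Ticket__c, and the username, are assumptions for illustration; run it from Anonymous Apex as an admin in the scratch org.

```apex
// Added diagnostic example, not code from the original post.
// Assumes Ticket__c has a master-detail field Contact__c (hypothetical name) and
// that the community user to check is identified by username (placeholder value).
String communityUsername = 'customer@example.com.community';

User u = [SELECT Id, ProfileId, ContactId, Contact.AccountId
          FROM User
          WHERE Username = :communityUsername
          LIMIT 1];

// The records an insert of Ticket__c must reference: the Contact (master) and,
// because Contact is Controlled by Parent, the Account that governs its sharing.
List<Id> relatedIds = new List<Id>{ u.ContactId, u.Contact.AccountId };

// Record-level access as the community user actually experiences it.
// If HasEditAccess is false on the Contact, the "insufficient access rights on
// cross-reference id" error comes from sharing, not from object permissions.
for (UserRecordAccess ura : [SELECT RecordId, HasReadAccess, HasEditAccess, MaxAccessLevel
                              FROM UserRecordAccess
                              WHERE UserId = :u.Id AND RecordId IN :relatedIds]) {
    System.debug(ura.RecordId + ' read=' + ura.HasReadAccess
                 + ' edit=' + ura.HasEditAccess
                 + ' max=' + ura.MaxAccessLevel);
}

// Object-level CRUD from the user's profile, for comparison with the record-level
// result above: Create on Ticket__c and Edit on Contact can both be true while the
// insert still fails, which is exactly the situation described in the question.
for (ObjectPermissions op : [SELECT SobjectType, PermissionsCreate, PermissionsEdit
                             FROM ObjectPermissions
                             WHERE SobjectType IN ('Ticket__c', 'Contact', 'Account')
                               AND ParentId IN (SELECT Id FROM PermissionSet
                                                WHERE ProfileId = :u.ProfileId)]) {
    System.debug(op.SobjectType + ' create=' + op.PermissionsCreate
                 + ' edit=' + op.PermissionsEdit);
}
```

Read the two debug groups together: the profile rows show what the user is allowed to do in principle, the UserRecordAccess rows show what sharing actually grants on the specific Contact and Account. Re-running the query after changing the Sharing Set from Read Only to Read/Write on Account shows HasEditAccess flipping to true on the Contact as well, which is the condition the master-detail insert needs.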