[SalesForce] How to avoid “insufficient access rights on cross-reference id” error when inserting a master detail child of Contact by a Community User

I have a custom object, Ticket__c, that has a master detail field to Contact. I have a Digital Experience accessed by "Customer Community" licensed users. One of the pages provides access to the related list of Ticket__c records for the Contact related to the given Community User.

The org's OWD sharing of "Account and Contract" for External Users is "Private", and "Contact" is "Controlled by Parent".

The Community User's profile ensures that the user has permission to create Ticket__c records with all necessary fields and has Read and Edit access to Contact.

The Related List page in the digital experience (community) appropriately provides a "New" button and clicking it shows the creation form with the master detail Contact lookup field pre-filled with the user's related Contact. However, an attempt to save the record results in "insufficient access rights on cross-reference id" (rather annoyingly this error message gives no hint as to which field or ID this relates to, but I have narrowed it down to the Contact master detail).

Now, I'm quite certain it is all related to the sharing on Account being Private and the fact that Account is the parent of Contact from the sharing perspective in the community context.

I've found some other references to this issue, including an unhelpful knowledge article, along with this other Stack Exchange Q&A where a relatively recent answer talks about providing Modify All permissions to work around the problem. This isn't a suitable solution for me so I continued looking at what I could do here.

Salesforce supports the idea of Sharing Sets for community use, accessible in Setup under Feature Settings > Digital Experiences > Settings, which seemed like a plausible solution, so I created a Sharing Set against Account determining access using User:Contact.Account = Account.Id, granting Read Only access (I don't believe the community user needs to be able to edit, only read).

Unfortunately this didn't help. On revisiting this configuration I noticed a second tab, "Share Group Settings" and found that there was a button to Activate the Share Group. So I clicked it.

I waited a few minutes (the scratch org I'm on has next to no data on it at this point, so I thought this shouldn't take long) and tried creating a Ticket__c again but still got the same error.

Anyone got any ideas as to how I can solve this problem without having to inappropriately share Accounts?

Best Answer

As per @KrisGoncalves's comment, I updated the Sharing Set to allow Read/Write for the selected Account and it started to work.

UPDATE:

I realized why read/write sharing is required for Account. Since Account is the parent (in sharing terms) for Contact and Contact is the master detail parent for Ticket__c, I actually have to have write sharing on Account to have write sharing on Contact and write sharing on Ticket__c. In effect, the error was a bit misleading and was essentially saying I couldn't create my Ticket__c object because I didn't have write permission for any Ticket__c - the Contact isn't owned by me, as a community user, so isn't write shared with me (and thus in turn I have no way to manage master detail children regardless of profile permissions) unless and until its parent is write shared with me in this scenario.
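The access chain the answer describes (Account sharing flows down to a "Controlled by Parent" Contact, and creating a master-detail child needs Edit on the parent record, not just profile Create permission) as a small added toy model. This is constructed illustration code, not Salesforce's sharing engine and not part of the original question or answer; the record names, owner names and the `sharing_set` dictionary shape are assumptions.

```python
# Toy model of the sharing chain from the answer above (constructed example,
# not Salesforce's real sharing calculation).
from dataclasses import dataclass
from typing import Optional

@dataclass
class Record:
    sobject: str
    owner: str
    parent: Optional["Record"] = None  # Account for a Contact, Contact for a Ticket__c

# Organization-wide defaults for external users, as stated in the question.
OWD = {
    "Account": "Private",
    "Contact": "Controlled by Parent",
    "Ticket__c": "Controlled by Parent",  # master-detail children follow the parent
}

# Constructed sample data: the community user's Contact/Account are owned internally.
ACCOUNT = Record("Account", owner="internal_admin")
CONTACT = Record("Contact", owner="internal_admin", parent=ACCOUNT)

def record_access(user, user_account, record, sharing_set):
    """Return 'Edit', 'Read' or None for the record-level access `user` has.

    `sharing_set` maps sobject -> access level granted on the user's own
    Account (modelling User:Contact.Account = Account.Id from the question).
    """
    if record.owner == user:
        return "Edit"  # owners always have full access
    if OWD[record.sobject] == "Controlled by Parent":
        # Inherit whatever access the user has on the parent record.
        return record_access(user, user_account, record.parent, sharing_set)
    # Private OWD: only explicit sharing (here, the Sharing Set) grants access.
    level = sharing_set.get(record.sobject)
    return level if level and record is user_account else None

def can_create_child(user, user_account, parent, sharing_set, profile_create=True):
    """Master-detail insert needs object Create permission AND Edit on the parent record."""
    return profile_create and record_access(user, user_account, parent, sharing_set) == "Edit"

def community_user_can_create_ticket(account_sharing_level):
    """Outcome for the community user under a given Sharing Set level on Account."""
    sharing_set = {"Account": account_sharing_level} if account_sharing_level else {}
    return can_create_child("community_user", ACCOUNT, CONTACT, sharing_set)

if __name__ == "__main__":
    for level in (None, "Read", "Edit"):
        print(level, "->", community_user_can_create_ticket(level))
```

Read Only sharing on the Account resolves to Read on the Contact, so the insert is refused even though the profile grants Create on Ticket__c; Read/Write sharing is the first level at which the chain yields Edit.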