SFDC Sync Error “INSUFFICIENT_ACCESS_ON_CROSS_REFERENCE_ENTITY” or "INVALID_CROSS_REFERENCE_KEY" or "INSUFFICIENT_ACCESS_OR_READONLY"

When trying to sync updates to your salesforce.com instance from Marketo you see one of the following errors in the activity log :

Failed: INSUFFICIENT_ACCESS_ON_CROSS_REFERENCE_ENTITY
INSUFFICIENT_ACCESS_OR_READONLY
INVALID_CROSS_REFERENCE_KEY



This is an error sent to Marketo from Salesforce. There are a number of reasons why this error could occur.

INSUFFICIENT_ACCESS_ON_CROSS_REFERENCE_ENTITY means that the user who is trying to make the update does not have access to a related element that is required for the record to be updated and saved in SFDC. There are a number of specific examples of what might be the cause but these will vary from organisation to organization depending on the configuration of your salesforce.com. If you were to connect to sfdc as the Marketo user and try manually updating the same record that Marketo is trying to update then you will get the same error in the salesforce.com UI.

Here are a list of some elements that you should check in SFDC if you see this error:

  1. Do you use record types? If so make sure that the the Marketo user has access to all required record types and that the Record Type Id in Marketo is correct for the Lead or Contact. Sometimes, when a Lead is converted to a Contact in SFDC, the Record Type ID fails to update in Marketo, causing the sync to fail. This is one of the most common causes for these errors.
  2. Are there any look-up or master detail fields on the object in question? If these types of fields are being updated then make sure that the Marketo user has access this object/ these records.
  3. Do you use Apex? If so you may have trigger that fire on the the update of a record, you will need to make sure that the Marketo user has profile access to the relevant Apex classes.
  4. If you have any workflow rules or assignment rules that send an email when the record is saved then you will need to make sure that the Marketo user has the send email permission and has access to the email folder that contains the mails that are sent rules are triggered.
  5. Make sure "Convert Leads" is turned-on within SFDC.  If it is not, you will get this error message when trying to merge leads that exist within Marketo and SFDC.