function readOnly(count){ }
Starting November 20, the site will be set to read-only. On December 4, 2023,
forum discussions will move to the Trailblazer Community.
+ Start a Discussion


Working on a bit of code for a salesforce hosted site that will create a campaign member. Getting this error. I have seen something like this before, when you pass a bad ID, but it usually tells you which ID is bad, here it just says null. This code works perfectly in sandbox, but fails in production, so it seems like it must just be some security setting is off, but I have no idea what setting it could be.


We do have the private data model, with sharing rules set up for contacts (but of course sharing rules don't apply to the sites guest user). 


The full error is 

Error creating campaign member. Insert failed. First exception on row 0; first error: INSUFFICIENT_ACCESS_ON_CROSS_REFERENCE_ENTITY, insufficient access rights on cross-reference id: [] null System.DmlException Error during campaign member creation. Contact: 0034000000kJdQQ Campaign: 70140000000N01iAAC null scheduler.customException 


So you can see the campaign and contact are being passed in. Both of those are valid IDs in the org. So I don't think that is the issue (I know I've seen that before when passing in a bad hard coded ID).


What security settings could I look at to try and fix this? I feel like I've looked at all the applicable public access settings for the user (contact, campaign member, and campaign settings are maxed out).


Any help is appreciated. Thanks!

Glenn WeinsteinGlenn Weinstein

Can you share your code, or a snippet?  Enough to try a reproducible test case?

Himanshu ParasharHimanshu Parashar

check for permission on custom object


Hey All,


Got some more info here. First off, here are some images that show the various object permissions and the error.

One thing I notice that is weird is that with the new permissions selector deal in winter 12, standard objects with custom labels are listed twice. In this example, we have renamed campaigns to studies. So there is now an entries for campaigns, and one for studes. They have different sets of permissions though. Very Weird. 


As for the code, it is pretty simple. First find the existing campaign member for this person (if one exists). If it exists, update it with the new token (a token is an access granter to some 3rd party survey software). If not, create one for the given campaign and contact with the given token. The method does get called by another in my code, which provdes the campaign, contact and token.

    global static remoteObject createCampaignMember(string campaign, string contact, string token)
        CampaignMember campaignMember = new campaignMember();
        remoteObject returnObj = new remoteObject();
        returnObj.success = true;
        returnObj.message = 'Run successfull'; = 'Awaiting campaign member creation';
            list<CampaignMember> cm = [select id,token__c  from campaignMember where contactId = :contact and campaignId = :campaign];
                campaignMember.contactId = contact;
                campaignMember.campaignId = campaign;
                campaignMember.token__c = token;
                insert campaignMember;
         		campaignMember.status = 'Campaign member created succesfully with limeSurveyToken ' + token;
       = cm[0].id;
                cm[0].token__c = token;
                update cm;
                campaignMember.status = 'Campaign member record located with token ' +  cm[0].token__c + ' ID: '+ cm[0].id;
        catch(exception e)
            returnObj.success = false;
            returnObj.message = e.getMessage() + ' ' +e.getCause() + ' ' +e.getTypeName();
   = 'Error during campaign member creation. Contact: '+contact+ ' Campaign: '+ campaign;
        return returnObj;


 Thanks for looking!


One thing to note is that it works in my sandbox, which doesn't seem to have that new permissions selector that came with winter 12. It does not work in prod, which does have that new permissions dealio. Perhaps some option that needs to be set isn't included with the new selector?


Finally found the solution. The website user profile did not have read access to the contacts... I guess. It was able to query for their details, but attempting to use their ID in a lookup relation was forbidden. The fix was to create a public group for the website user, then add the website users. Then create a contact sharing rule for that public group. Works perfectly now. **bleep** security :P


For what it's worth also, it wasn't me who found this solution. Thanks to asking on the twttier #askforce channel, a user by the name of mcfitz13  saw my inquery and suggested the solution. I for some reason had it in my head that sites users could not be part of public groups (probably because they don't show up in the regular user list, and don't have a role so I thought where were kind of apart from most user permission stuff) but his tweet made me double check it and find out I was happily mistaken.