When updating the role hierarchy or group membership in Setup or through the API,
customers can occasionally receive a “could not acquire lock” or "Group membership operation
already in progress" error and have to repeat the operation. This error occurs because the sharing
system locks the tables holding group membership information during updates to prevent
incompatible simultaneous updates or timing issues, both of which could lead to inaccurate data
about users’ access rights.
Typically, these locks are held only very briefly, so most customers never see a lock conflict
error. In some scenarios—such as a change in role triggering a sharing rule
recalculation—locks can be held for a longer time, and conflicts can occur.
Customers who experience these locking errors are typically executing large-scale data loads or
integrations with other internal systems that are making changes to role and group structure,
user assignments to roles and groups, or both. When these processes are running—and an
administrator tries to change a user’s role, or the customer tries to provision a new external
user—one of these simultaneous operations might be unable to secure the lock it requires.
The most likely time for this failure to occur is during periodic organizational realignment
events, such as end-of-year or end-of-quarter processing, where many account assignments and user
roles are changing.
Customers can lessen the chance of locking errors by:
- Scheduling separate group maintenance processes carefully so they don’t overlap
- Implementing retry logic in integrations and other automated group maintenance processes to
recover from a failure to acquire a lock
You can also receive locking errors if you’re updating the role hierarchy or group
membership while running other deployments that also update group membership information or have
Apex tests that do so. If you receive locking errors, wait for the deployment operation or Apex
tests to finish.
By default, granular locking is enabled, which allows some group maintenance operations to
proceed simultaneously if there’s no hierarchical or other relationship between the roles or
groups involved in the updates. Administrators can adjust their maintenance processes and
integration code to take advantage of this limited concurrency to process large-scale updates
faster, all while still avoiding locking errors.
The key advantages of granular locking are that:
- Groups that are in separate hierarchies can be manipulated concurrently.
- Public groups and roles that don't include territories aren't blocked by territory
operations.
- Users can be added concurrently to territories and public groups.
- User provisioning can occur in parallel.
- External user creation requires locks only if new external roles are being created.
- Provisioning new external users in existing accounts occurs concurrently.
- A single-long running process, such as a role delete, blocks only a small subset of
operations.
This table lists all the operations that can occur in parallel. Note that certain operations,
such as reparenting (moving roles within the role hierarchy), still block almost all other group
updates.
| Role creation |
-
User role change1
-
Territory reparenting
- Territory deletion
- Territory creation
-
Removal of user from territory
-
Addition of user to territory
-
User provisioning2
|
| Role deletion |
- Territory reparenting
- Territory deletion
- Territory insertion
- Removal of user from territory
- Addition of user to territory
|
|
Role reparenting (includes change of customer or
partner account owner) |
Territory creation |
| Adding user to territory |
- Role deletion
-
Role insertion
- Territory creation
- Addition of user to territory
- User provisioning3
|
| Removing user from territory |
- Role deletion
- Role insertion
- Territory creation
- User provisioning3
|
| Territory reparenting |
- Role deletion
- Role insertion
- User provisioning3
|
| Territory deletion |
- Role deletion
- Role insertion
- User provisioning3
|
| Territory creation |
- Role reparenting
- Role deletion
- Role insertion
- User role change1
- Addition of user to territory
- Removal of user from territory
- User provisioning3
|
| Provisioning internal user with an existing role |
- Role insertion
- User role change1
- Territory reparenting
- Territory deletion
- Territory creation
- Removal of user from territory
- Addition of user to territory
- User provisioning3
|
| Changing user role (User must not own any customer or partner accounts.) |
- Role insertion
- Territory insertion
- User provisioning3
|
| Provisioning first customer or partner user under an account |
- User role change1
- Territory reparenting
- Territory deletion
- Territory creation
- Removal of user from territory
- Addition of user to territory
- User provisioning2
|
| Creating second customer or partner user under an account |
- Role insertion
- User role change1
- Territory reparenting
- Territory deletion
- Territory creation
- Removal of user from territory
- Addition of user to territory
- User provisioning3
|
| Provisioning high-volume Experience Cloud site user |
Any group membership operation |
| Changing customer or partner account owner |
Territory creation |
| Changing role of a user who owns a customer or partner account |
Territory creation |
1 The user must not own any customer or partner accounts.
2 Provisioning standard user or external user in an existing role
3 Provisioning any standard or external user, including the first customer or
partner user under an account