Newer Version Available

This content describes an older version of this product. View Latest

Group Membership Locking

When updating the role hierarchy or group membership in Setup or through the API, customers can occasionally receive a “could not acquire lock” or "Group membership operation already in progress" error and have to repeat the operation. This error occurs because the sharing system locks the tables holding group membership information during updates to prevent incompatible simultaneous updates or timing issues, both of which could lead to inaccurate data about users’ access rights.

Typically, these locks are held only very briefly, so most customers never see a lock conflict error. In some scenarios—such as a change in role triggering a sharing rule recalculation—locks can be held for a longer time, and conflicts can occur.

Customers who experience these locking errors are typically executing large-scale data loads or integrations with other internal systems that are making changes to role and group structure, user assignments to roles and groups, or both. When these processes are running—and an administrator tries to change a user’s role, or the customer tries to provision a new external user—one of these simultaneous operations might be unable to secure the lock it requires. The most likely time for this failure to occur is during periodic organizational realignment events, such as end-of-year or end-of-quarter processing, where many account assignments and user roles are changing.

Customers can lessen the chance of locking errors by:

  • Scheduling separate group maintenance processes carefully so they don’t overlap
  • Implementing retry logic in integrations and other automated group maintenance processes to recover from a failure to acquire a lock

You can also receive locking errors if you’re updating the role hierarchy or group membership while running other deployments that also update group membership information or have Apex tests that do so. If you receive locking errors, wait for the deployment operation or Apex tests to finish.

Note

By default, granular locking is enabled, which allows some group maintenance operations to proceed simultaneously if there’s no hierarchical or other relationship between the roles or groups involved in the updates. Administrators can adjust their maintenance processes and integration code to take advantage of this limited concurrency to process large-scale updates faster, all while still avoiding locking errors.

The key advantages of granular locking are that:

  • Groups that are in separate hierarchies can be manipulated concurrently.
  • Public groups and roles that don't include territories aren't blocked by territory operations.
  • Users can be added concurrently to territories and public groups.
  • User provisioning can occur in parallel.
    • External user creation requires locks only if new external roles are being created.
    • Provisioning new external users in existing accounts occurs concurrently.
  • A single-long running process, such as a role delete, blocks only a small subset of operations.

This table lists all the operations that can occur in parallel. Note that certain operations, such as reparenting (moving roles within the role hierarchy), still block almost all other group updates.

Group Operation Can be Performed Concurrently with...
Role creation
  • User role change1
  • Territory reparenting
  • Territory deletion
  • Territory creation
  • Removal of user from territory
  • Addition of user to territory
  • User provisioning2
Role deletion
  • Territory reparenting
  • Territory deletion
  • Territory insertion
  • Removal of user from territory
  • Addition of user to territory
Role reparenting (includes change of customer or partner account owner) Territory creation
Adding user to territory
  • Role deletion
  • Role insertion
  • Territory creation
  • Addition of user to territory
  • User provisioning3
Removing user from territory
  • Role deletion
  • Role insertion
  • Territory creation
  • User provisioning3
Territory reparenting
  • Role deletion
  • Role insertion
  • User provisioning3
Territory deletion
  • Role deletion
  • Role insertion
  • User provisioning3
Territory creation
  • Role reparenting
  • Role deletion
  • Role insertion
  • User role change1
  • Addition of user to territory
  • Removal of user from territory
  • User provisioning3
Provisioning internal user with an existing role
  • Role insertion
  • User role change1
  • Territory reparenting
  • Territory deletion
  • Territory creation
  • Removal of user from territory
  • Addition of user to territory
  • User provisioning3
Changing user role (User must not own any customer or partner accounts.)
  • Role insertion
  • Territory insertion
  • User provisioning3
Provisioning first customer or partner user under an account
  • User role change1
  • Territory reparenting
  • Territory deletion
  • Territory creation
  • Removal of user from territory
  • Addition of user to territory
  • User provisioning2
Creating second customer or partner user under an account
  • Role insertion
  • User role change1
  • Territory reparenting
  • Territory deletion
  • Territory creation
  • Removal of user from territory
  • Addition of user to territory
  • User provisioning3
Provisioning high-volume Experience Cloud site user Any group membership operation
Changing customer or partner account owner Territory creation
Changing role of a user who owns a customer or partner account Territory creation

1 The user must not own any customer or partner accounts.

2 Provisioning standard user or external user in an existing role

3 Provisioning any standard or external user, including the first customer or partner user under an account