Merging records requires a lot of operations, so it's quite common that a user may not have permission to merge two records. This is more common in orgs that have stricter security permissions.
Insufficient Access Rights
The most common reason that a user cannot merge two records is because they do not have Edit and Delete permission on all of the records that they are merging. When merging records, the system must edit the winning record with any fields that were changed, delete the losing records, and update related records. If you get an error like insufficient access rights on cross-reference id then it typically means you need to edit the user's profile or give them a permission set that has Delete privileges on the records that they're trying to merge.
This may also require modifications to your role hierarchy or sharing rules if the sharing settings are set to Private or Public Read Only for this object. In this case, a user will only be able to merge records if they have access via the role hierarchy, sharing rules, or custom sharing records.
Most other errors are related to validation rules or logic that runs after saving the merged records. These will be specific to your organization and the error message should be included in the email from your user or the error message shown on the screen. If you need help fixing something in your org, just send us a chat and we can get you in touch with one of our consultants.