topic Re: Error getting embed token with row level security in Developer

Error getting embed token with row level security

Anonymous — Fri, 06 Sep 2019 03:17:08 GMT

Hi All,

I am having trouble getting App Only Embed token using C# and also via Postman.

1) I get the OAuth2 Access token for my service principal using App Id and Secret.

2) I try to post on https://api.powerbi.com/v1.0/myorg/groups/{GroupId}/{ReportId}/GenerateToken

with the below body:

{
"accessLevel": "View",
"identities": [
{
"username": "UserEmail@Company.com",
"roles": [ "SomeRole" ],
"datasets": ["DatasetId"]
}
]
}

Error:

{
"error": {
"code": "InvalidRequest",
"message": "Creating embed token for accessing dataset {DatasetId} requries gateway admin or datasource override effective identity access right"
}
}

Re: Error getting embed token with row level security

Jayendran — Fri, 06 Sep 2019 06:26:24 GMT

Hi,

Can you pls look this

https://community.powerbi.com/t5/Developer/Unable-to-get-RLS-security-to-work-with-an-app-owns-data/td-p/446470

Re: Error getting embed token with row level security

Anonymous — Wed, 11 Sep 2019 21:08:45 GMT

Things that finally worked for us:

1) Had to give the service principal the permission "ReadOverrideEffectiveIdentity" by running Microsoft's rest api call with the datasourceId and the gatewayid.

see this link for more info:

https://docs.microsoft.com/en-us/power-bi/developer/embedded-row-level-security#on-premises-data-gateway-with-service-principal

The identifier used in the JSON BODY Request is not the Azure AD service principal object Id, turns out that there is a separate identifier for the service principal when it is added to powerBi workspace as an admin.

running a rest call to get users on the workspace/report would give the actual identifier.

*This is wierd as the documentation doesnot say that, but have raised this concern with microsoft.

2) After this, a normal call to get embed token along with effective identity works fine.

Re: Error getting embed token with row level security

Anonymous — Wed, 16 Dec 2020 13:27:22 GMT

Incredible. Almost a year after your post, I ran into the same issue. Using the Microsoft sample app, the error was hidden from me. I only saw 403 Forbidden returned. Using Postman and APIs to generate an EmbedToken, I then saw the

"Creating embed token for accessing dataset..."

mentioned above. Your comment of "The identifier used in the JSON BODY Request is not the Azure AD service principal object Id, turns out that there is a separate identifier for the service principal when it is added to powerBi workspace as an admin." was finding a needle in a hay stack. You were right! Once I found the "identifier" of my service principal using the APIs against the Power BI Workspace, I updated the username in my sample app and bam! I finally executed a successful end to end request.

Re: Error getting embed token with row level security

lnoguera — Mon, 03 May 2021 16:56:34 GMT

After doing what worked for you (find the service principal identifier using the rest api and give the ReadOverrideEffectiveIdentity permissions to it), now we´re getting a different error: "Only folder user with reshare permissions can generate embed token". Do you know what might be the cause of this?