topic Re: dynamical RLS cause bad token error when embed Power BI content in Salesforce in Developer

dynamical RLS cause bad token error when embed Power BI content in Salesforce

TingSun — Wed, 22 Jan 2025 17:39:44 GMT

Hi there,

We are trying to embed our power bi content in salesforce so that customers can login to salesforce with their salesforce credential and see power bi reports instead of login to power bi service using their power bi credential.

It worked well before we implemented the dynamical RLS. Steps taken:

1) create a service principal in Entra, and granted it User.Read permission for Microsoft Graph

2) added this service principal to workspace as admin where the report located. The service principal has access to the dataset as well as the report itself.

3) in the report, added a role, [Email] ==USERNAME() (we also tried USERPRINCIPALNAME())

Error message: DEBUG|GenerateToken API call failed. Status: Bad Request, Body: {"error":{"code":"InvalidRequest","message":"Creating embed token for accessing dataset XXX-XXX-XXX-XXX requires effective identity to be provided"}}

We tried different codes to pass the identities and roles etc. like directly in the URL or as below:

{

"accessLevel": "View",

"identities": [

{

"username": "example@domain.com",

"roles": [],

"datasets": ["<DatasetId>"]

}

]

}

but still get the same error message.

Can someone help or did you encounter similar error message? Thanks a lot!

Re: dynamical RLS cause bad token error when embed Power BI content in Salesforce

mariussve1 — Thu, 23 Jan 2025 06:26:45 GMT

Hi,

You first need to retrieve the token from the backend:

I assume you’ve already created a SPN (App user) with the correct access to the workspace and sufficient permissions for the APIs that will be used!

Then, you need to use the following:
POST https://login.microsoftonline.com/<tenantid>/oauth2/token grant_type: client_credentials resource: https://analysis.windows.net/powerbi/api client_id: <clientid> secret: <secret>

When you run this, you will receive a token. This token should be used in the frontend to provide access to the report and the model:

POST https://api.powerbi.com/v1.0/myorg/GenerateToken
Note: Remember to include Content-Type: application/json in the header.
Authorization: Bearer <token from backend call up here>

Body (JSON):

{ "datasets": [ { "id": "<datasetid>" } ], "reports": [ { "id": "<reportid>" } ], "accessLevel": "View", "identities": [ { "username": "<username>", "roles": [ "<rolename>" ], "datasets": [ "<datasetid>" ] } ], "lifetimeInMinutes": 10 }

That should do the trick! 🙂 I recommend using something like Postman to test the process conceptually; it makes it easier to identify where things might go wrong.

Re: dynamical RLS cause bad token error when embed Power BI content in Salesforce

Anonymous — Thu, 23 Jan 2025 07:23:05 GMT

Hi @TingSun ,

According to the following official documentation, a username and a role are required when generating the embed token. For a service principal, token generation fails if don't provide the above info(username and role).

Using standard cloud based row-level security with embedded content in Power BI embedded analytics

Best Regards

Re: dynamical RLS cause bad token error when embed Power BI content in Salesforce

TingSun — Fri, 24 Jan 2025 18:16:30 GMT

Thank you for the replies. I will test them out and will let you guys know.

Re: dynamical RLS cause bad token error when embed Power BI content in Salesforce

TingSun — Sun, 26 Jan 2025 03:15:05 GMT

Thank you, Marius. Your code worked like a magic. 🙂

Re: dynamical RLS cause bad token error when embed Power BI content in Salesforce

TingSun — Thu, 30 Jan 2025 19:16:31 GMT

Hi There,

We have another challenge now. Thanks to the json code provided, we were able to make the API call. We even tried on more complex reports using dynamical RLS, all worked so far.

However, in real world, our reports are connected to datasets and as soon as we try with the real life reports, we got error message: GenerateToken API call failed. Status: Bad Request, Body: {"error":{"code":"InvalidRequest","message":"Embedding a report with a model which has a Direct Query connection to another model is not supported with V1 embed token"}}

Does someone know the possible solution for it? Thanks a lot!

Re: dynamical RLS cause bad token error when embed Power BI content in Salesforce

mariussve1 — Sun, 02 Feb 2025 15:01:02 GMT

Hi,

Sorry for the late answer, but could you please try this:

#example-of-generating-an-embed-token-for-two-datasets-with-rls-identities-and-a-single-report-with-read-only-permissions.-the-embed-token-lets-you-view-the-report,-which-is-dynamically-bound-to-two-different-datasets

Re: dynamical RLS cause bad token error when embed Power BI content in Salesforce

TingSun — Wed, 05 Feb 2025 19:07:52 GMT

Thanks Marius. We managed to get rid of this direct query error message. However, we have a new challenge, most likely the last one for our project... Some of our reports are complex and are based on more than one datasets. So we have reportID, datasetID (and this datasetID is based on two other semantic models), so we have datasetID2 and datasetID3. We cannot find the right way to pass these 3 dataset ids in our request body. Someone has an idea? what's the syntax for it?

{
  "datasets": [
    {
      "id": "<datasetid>"
    }
  ],
  "reports": [
    {
      "id": "<reportid>"
    }
  ],
  "accessLevel": "View",
  "identities": [
    {
      "username": "<username>",
      "roles": [
        "<rolename>"
      ],
      "datasets": [
        "<datasetid>"
      ]
    }
  ],
  "lifetimeInMinutes": 10
}

How to passing these 3 dataset ids in the following body?