Hi, I'm working on a multi-tenant embedded report project where we are using Service Principal Profiles to manage customer permissions, and ReadOverrideEffectiveIdentity to enable RLS. When onboarding a new customer, we create a new Service Principal Profile for them, and grant it ReadOverrideEffectiveIdentity permission to the datasource. To automate this, we have created an 'admin' Service Principal that is a Gateway admin. The 'user' Service Principal that the new Profile belongs to does not have these permissions; it is only allowed to read a basic set of reports.
When trying to use the new admin Service Principal to grant ReadOverrideEffectiveIdentity on the datasource to the profile, however, we receive a 401 Unauthorized error:
Request:
POST https://api.powerbi.com/v1.0/myorg/gateways/<gateway-id>/datasources/<datasource-id>/users
Bearer <token for Admin service principal>
Content:
{
    "datasourceAccessRight": "ReadOverrideEffectiveIdentity",
    "identifier": "<user Service Principal id>",
    "principalType": "App",
    "profile": {
        "id": "<user Service Principal profile id>"
    }
}
Response:
{
    "error": {
        "code": "Unauthorized",
        "message": "Gateway.ReadWrite.All is required when adding a datasource user with OverrideEffectiveIdentity access right"
    }
}
However, the admin Service Principal does have Gateway.ReadWrite.All permission. Also, if I try and grant "Read" instead of "ReadOverrideEffectiveIdentity", the request succeeds; it's only when requesting "ReadOverrideEffectiveIdentity" that it fails. I don't get the error when calling the API when authenticated with my own user login (which is also a Gateway admin) either, only when calling the API as the admin service principal.
Is there something special about "ReadOverrideEffectiveIdentity" that means it can't be granted by a Service Principal?
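The error names Gateway.ReadWrite.All, and the same call succeeds with a user login, so a useful first check is which permission claims each access token actually carries. The following is an added example, not code from the thread: it assumes Microsoft Entra ID access tokens, where delegated permissions appear in the `scp` claim and application permissions in `roles`; the helper names and the two sample tokens are constructed for illustration.

```python
import base64
import json

REQUIRED = "Gateway.ReadWrite.All"  # permission named in the 401 error message


def decode_claims(token: str) -> dict:
    """Return the JWT payload WITHOUT verifying the signature (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def permission_summary(token: str, required: str = REQUIRED) -> dict:
    """Summarise which permissions a token carries and whether `required` is among them."""
    claims = decode_claims(token)
    delegated = claims.get("scp", "").split()  # space-separated string of scopes
    application = claims.get("roles", [])      # JSON array of app roles
    return {
        "app_id": claims.get("appid") or claims.get("azp"),
        # Heuristic: tokens issued for a signed-in user carry `scp`.
        "token_kind": "delegated" if delegated else "app-only",
        "delegated": delegated,
        "application": application,
        "has_required": required in delegated or required in application,
    }


def _constructed_token(claims: dict) -> str:
    """Build an unsigned sample token for the demo; real tokens come from Entra ID."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"


# Constructed sample tokens; the claim values are NOT taken from the thread.
USER_TOKEN = _constructed_token(
    {"appid": "constructed-client-id", "scp": "Dataset.Read.All Gateway.ReadWrite.All"})
SP_TOKEN = _constructed_token({"appid": "constructed-admin-sp-id", "roles": []})

if __name__ == "__main__":
    for name, tok in (("user", USER_TOKEN), ("admin service principal", SP_TOKEN)):
        print(name, permission_summary(tok))
```

Run it against the real bearer tokens used for the working and failing calls; treat those tokens as secrets and do not paste them into online decoders.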
Hi @dosborne ,
Please check whether you have done the steps below:
1. Enable the "Allow service principals to use Power BI APIs" switch, either for the entire organization or for the specific security group you created in Azure AD.
2. Add the service principal as a member or admin to the workspace.
Best Regards
Hi @dosborne ,
Has your problem been resolved? If yes, could you please mark the helpful post as Answered? It will help others in the community find the solution easily if they face the same problem as yours. Thank you.
Best Regards