Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Earn a 50% discount on the DP-600 certification exam by completing the Fabric 30 Days to Learn It challenge.

Reply
MaartenInc
Frequent Visitor

Embed BI, App owns data, dynamic RLS multiple effective identities

‎12-28-2022 06:51 AM

 

The documentation (https://learn.microsoft.com/en-us/rest/api/power-bi/embed-token/generate-token#examples) contains quite some examples on how to generate a token. But our use case does not seem to be documented. We are confused whether we are trying to use dynamic RLS in the wrong way. Or are just generating our embedded token incorrectly.  

 

Our token request looks as follows: 

 

{
  "datasets": [
    {
      "id": "3bff762b-...-1e1dabe41b3e"
    }
  ],
  "reports": [
    {
      "id": "e16f0244-...-97ceda22e823"
    }
  ],
  "targetWorkspaces": [
    {
      "id": "beca21a6-...-17f65322eb31"
    }
  ],
  "identities": [
    {
      "username": "user.name@domain.be",
      "datasets": [
        "3bff762b-...-1e1dabe41b3e"
      ],
      "roles": [
        "EMAIL"
      ]
    },
    {
      "username": "BusinessDefault",
      "datasets": [
        "3bff762b-...-1e1dabe41b3e"
      ],
      "roles": [
        "CompanyCode"
      ]
    },
    {
      "username": "Default",
      "datasets": [
        "3bff762b-...-1e1dabe41b3e"
      ],
      "roles": [
        "DomainCode"
      ]
    },
    {
      "username": "Business",
      "datasets": [
        "3bff762b-...-1e1dabe41b3e"
      ],
      "roles": [
        "SystemCode"
      ]
    },
    {
      "username": "Administrators",
      "datasets": [
        "3bff762b-...-1e1dabe41b3e"
      ],
      "roles": [
        "DatabaseRole"
      ]
    }
  ]
}

 

 

 

This results in the API responding with following error: 

 

Status: BadRequest (400)
Response: {"error":{"code":"InvalidRequest","message":"Multiple identities provided for dataset 3bff762b-c82b-4256-9ed2-1e1dabe41b3e"}}

 

 

 

We've tried removing the datasets parameter in the identities, only provide it to one identity, ... But every possible scenario gives us an exception when generating the token.  

When just using one identity, the token generates fine.  But the moment we add a second identity. Things no longer seem to work.  

 

 

 Our report datamodel looks as follows:

  • Any datasource should be filtered on the current DomainCode (consider this a tenant or organization unit)
  • We are reporting on the 'Actions' table. A user should only be able to see the 'Actions' which he is assigned to. Unless if he has the DatabaseRole "Administrators".  An Administrator can see every users his information.
  • Our 'Actions' have a related table 'CompanySites'. A CompanyCode can be associated to multiple CompanySites.
    • The user can see all the 'CompanySites' to the provided CompanyCode
    • The report has a slicer where the user can filter on a selected CompanySite

 

 

Labels:
Message 1 of 5
543 Views
0
4 REPLIES 4
MaartenInc
Frequent Visitor

‎01-04-2023 05:54 AM

any additional help would be appreciated. We haven't been able to make progress on this issue.

Message 4 of 5
421 Views
0
AmosHersch
Employee
Employee
In response to MaartenInc

‎01-04-2023 08:00 AM

In "App owns data" you are generating a token for the user who views the embedded report. Power BI has no knowledge about that user. Only your application has that knowledge. The way to tell Power BI which RLS context (role, userename, etc.) should be used for the current user viewing the report is with the effective identity.

So why are you providing more than 1 effective identity for the same dataset? How will Power BI know which of those identities should be used when fetching the data from the dataset? I believe there should be a single identity with only 1 username. and possibly multiple roles.

 

Message 5 of 5
413 Views
0
v-shex-msft
Community Support
Community Support

‎12-28-2022 07:58 PM

HI @MaartenInc,

I'd like to suggest you take a look at the following link that mention similar issue if it helps with your scenario:

Solved: Re: Embed BI, App owns data, dynamic RLS multiple ... - Microsoft Power BI Community

Regards,

Xiaoxin Sheng

Community Support Team _ Xiaoxin
If this post helps, please consider accept as solution to help other members find it more quickly.
Message 2 of 5
494 Views
0
MaartenInc
Frequent Visitor
In response to v-shex-msft

‎12-29-2022 04:11 AM

Thanks for the quick response @v-shex-msft. Unfortunately the solution provided in that question doesn't solve the issue. 

 

The "username" values are different are also different across the roles.

Message 3 of 5
477 Views
0

Helpful resources

Announcements
LearnSurvey

Fabric certifications survey

Certification feedback opportunity for the community.

PBI_APRIL_CAROUSEL1

Power BI Monthly Update - April 2024

Check out the April 2024 Power BI update to learn about new features.

April Fabric Community Update

Fabric Community Update - April 2024

Find out what's new and trending in the Fabric Community.

View All