Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Enhance your career with this limited time 50% discount on Fabric and Power BI exams. Ends August 31st. Request your voucher.

Reply
DanielRamos
Frequent Visitor

Embedding Dashboard on Salesforce throws error when using RLS

‎11-15-2022 10:26 AM

Please, help.

I'm using SalesforceAppOwnsDataEmbedding to display a Dashboard in Salesforce, everything works well, inclusively I'm able to send Report Level Filters.

However, if Row Level Security is used in Dashboard, then error occurs.

 

(Displayed error) Generate Token Error: OK
(Internal Error) Bad Request, Error 400

 

I already tried using identities for api body with no success.

 

Not sure if App Registration in Azure requires specific permission over the PowerBi Service Api. (read/write)

 

Thanks in advance!

 

Class method where error occurs:

 

// Call to Power BI Service API to get embed token for report        
        HttpRequest reqGetEmbedToken = new HttpRequest();
        reqGetEmbedToken.setMethod('POST');
        String urlGetEmbedToken = 'https://api.powerbi.com/v1.0/myorg/groups/' + WorkspaceId + '/reports/' + ReportId + '/GenerateToken';
        reqGetEmbedToken.setEndpoint(urlGetEmbedToken);
        System.debug('new method with devEnv as Identity');
        reqGetEmbedToken.setHeader('Authorization', 'Bearer ' + access_token);    
        reqGetEmbedToken.setBody(
            '{'
            +'"datasets": [{"id": "'+powerBiReport.datasetId+'"}]'
            +',"reports": [{"id": "'+powerBiReport.id+'"}]'
            +',"identities":['
                +'{"username":"appRegistrationObjectId","roles":["Security"],"datasets":["'+powerBiReport.datasetId+'"]}'
                +'{"username":"appRegistrationClientId","roles":["Security"],"datasets":["'+powerBiReport.datasetId+'"]}'
            +']'
            +'}');
        System.debug('complete reqGetembedToken varialbe debugging '+reqGetEmbedToken.getBody());
    
        HttpResponse responseEmbedToken = http.send(reqGetEmbedToken);

 

 

Labels:
Message 1 of 6
1,197 Views
0
1 ACCEPTED SOLUTION
DanielRamos
Frequent Visitor

‎11-22-2022 08:56 AM

Finally achieved this embedding!!! 🎉

Sharing solution in case someone's struggling with something similar.

 

My scenario was; I'm using a POST call to endpoint API GenerateTokenInGroup, my Dahsboard uses RLS, so it is required to include "identities" in the "Request Body" json, seems like I was not including all the required data on each section of the HttpRequest.

 

Important!

  • Now I included Content-Type: application/json to the header of request
  • Request Body is now composed with accessLevel: View, and identities using Service Principal Id (Application Client Id) as the username.
  • I created a new Role with no filters and assigned to Service Principal
    • (This allows me to apply ReportLevelFilters for dynamically filtering from Salesforce)
  • Provided the required API permissions on App Registration (Service Principal) on Azure.
    • Delegated Permissions, Power Bi Service; Report.ReadWrite.All, Dataset.ReadWrite.All, Content.Create

Full HttpRequest code

// Call to Power BI Service API to get embed token for report        
        HttpRequest reqGetEmbedToken = new HttpRequest();
        reqGetEmbedToken.setMethod('POST');
        String urlGetEmbedToken = 'https://api.powerbi.com/v1.0/myorg/groups/' + WorkspaceId + '/reports/' + ReportId + '/GenerateToken';
        reqGetEmbedToken.setEndpoint(urlGetEmbedToken);
        System.debug('setEndpoint = '+urlGetEmbedToken);
        reqGetEmbedToken.setHeader('Authorization', 'Bearer ' + access_token);
        reqGetEmbedToken.setHeader('Content-Type', 'application/json');
        system.debug('setHeader = '+reqGetembedToken.getHeader('Authorization'));
        reqGetEmbedToken.setBody(
            '{'
                +'"accessLevel":"View"'
                +',"identities":['
                    +'{"username":"1eac8b84-11a3-4f67-b308-c9ab0a7b8da0","roles":["noRlsFilters"],"datasets":["'+powerBiReport.datasetId+'"]}'
                +']'
            +'}');
        System.debug('setBody = '+reqGetEmbedToken.getBody());
    
        HttpResponse responseEmbedToken;
        try {                        
            responseEmbedToken = http.send(reqGetEmbedToken);
            System.debug('http send successfully');
            system.debug(responseEmbedToken);
        } catch (Exception error) {
            system.debug('Error Catched');
            System.debug(error);
        }

 

Response code is now 200 and Token is successfully generated,

Dashboard is displaying and filtering is correctly applying.

 

Hooray!

View solution in original post

Message 5 of 6
1,056 Views
5 REPLIES 5
DanielRamos
Frequent Visitor

‎11-22-2022 08:56 AM

Finally achieved this embedding!!! 🎉

Sharing solution in case someone's struggling with something similar.

 

My scenario was; I'm using a POST call to endpoint API GenerateTokenInGroup, my Dahsboard uses RLS, so it is required to include "identities" in the "Request Body" json, seems like I was not including all the required data on each section of the HttpRequest.

 

Important!

  • Now I included Content-Type: application/json to the header of request
  • Request Body is now composed with accessLevel: View, and identities using Service Principal Id (Application Client Id) as the username.
  • I created a new Role with no filters and assigned to Service Principal
    • (This allows me to apply ReportLevelFilters for dynamically filtering from Salesforce)
  • Provided the required API permissions on App Registration (Service Principal) on Azure.
    • Delegated Permissions, Power Bi Service; Report.ReadWrite.All, Dataset.ReadWrite.All, Content.Create

Full HttpRequest code

// Call to Power BI Service API to get embed token for report        
        HttpRequest reqGetEmbedToken = new HttpRequest();
        reqGetEmbedToken.setMethod('POST');
        String urlGetEmbedToken = 'https://api.powerbi.com/v1.0/myorg/groups/' + WorkspaceId + '/reports/' + ReportId + '/GenerateToken';
        reqGetEmbedToken.setEndpoint(urlGetEmbedToken);
        System.debug('setEndpoint = '+urlGetEmbedToken);
        reqGetEmbedToken.setHeader('Authorization', 'Bearer ' + access_token);
        reqGetEmbedToken.setHeader('Content-Type', 'application/json');
        system.debug('setHeader = '+reqGetembedToken.getHeader('Authorization'));
        reqGetEmbedToken.setBody(
            '{'
                +'"accessLevel":"View"'
                +',"identities":['
                    +'{"username":"1eac8b84-11a3-4f67-b308-c9ab0a7b8da0","roles":["noRlsFilters"],"datasets":["'+powerBiReport.datasetId+'"]}'
                +']'
            +'}');
        System.debug('setBody = '+reqGetEmbedToken.getBody());
    
        HttpResponse responseEmbedToken;
        try {                        
            responseEmbedToken = http.send(reqGetEmbedToken);
            System.debug('http send successfully');
            system.debug(responseEmbedToken);
        } catch (Exception error) {
            system.debug('Error Catched');
            System.debug(error);
        }

 

Response code is now 200 and Token is successfully generated,

Dashboard is displaying and filtering is correctly applying.

 

Hooray!

Message 5 of 6
1,057 Views
Anonymous
Not applicable
In response to DanielRamos

‎11-22-2022 04:49 PM

Hi @DanielRamos ,

It's glad to hear that your problem has been resolved. And thanks for sharing your solution here. Much appreciated!

Best Regards 

Message 6 of 6
1,042 Views
Anonymous
Not applicable

‎11-15-2022 10:50 PM

Hi @DanielRamos ,

Please check if you hit any following limitation, you can find the details in this official documentation.

  • The user that generates the embed token has to be a member or admin in both workspaces (the dataset workspace and the report workspace).
  • When generating the embed token, you need to provide a username and a role. If you don't, one of the following will occur, depending on if the token is being generated by service principal or master user:
    • For a service principal, token generation will fail.
    • For a master user, token generation will succeed but the data will not be filtered (all the data is returned).

Best Regards

Message 2 of 6
1,148 Views
0
DanielRamos
Frequent Visitor
In response to Anonymous

‎11-17-2022 12:26 PM

Hi @Anonymous 

 

Thank you for your quick response.

Those settings were configured from beggining: my Service Principal is admin of Workspace, I'm sending the username and roles within the body of my http call to end point.

Interesting thing here is that when I remove any RLS from Dashboard in PowerBi Desktop and Publish, embedding successfully works.

 

Providing more detail, the app I'm deploying seems like uses the GenerateTokenInGroup Api

Is there any compatibility issue with RLS?

 

Thanks in advance

Message 3 of 6
1,114 Views
0
Anonymous
Not applicable
In response to DanielRamos

‎11-21-2022 11:08 PM

Hi @DanielRamos ,

Please check the following limitation when apply RLS,  you can find the details in this official documentation.

  • Service principals cannot be added to an RLS role. Accordingly, RLS won’t be applied for apps using a service principal as the final effective identity.

Best Regards

Message 4 of 6
1,071 Views
0

Helpful resources

Announcements
July PBI25 Carousel

Power BI Monthly Update - July 2025

Check out the July 2025 Power BI update to learn about new features.

Join our Fabric User Panel

Join our Fabric User Panel

This is your chance to engage directly with the engineering team behind Fabric and Power BI. Share your experiences and shape the future.

June 2025 community update carousel

Fabric Community Update - June 2025

Find out what's new and trending in the Fabric community.

View All