We are using a composite model structured as follows:
We are encountering issues with embed token generation and data visibility under different RLS configurations:
This is a well-known limitation with embedding and composite models that trips up a lot of developers. Let me break down each of your three scenarios:
Scenario 1 — RLS on downstream (child) composite dataset → token fails
This is by design. When generating an embed token with effective identity (GenerateTokenRequestV2), the RLS identity must be specified against the report's direct dataset — and for composite models, if that dataset references another dataset via DirectQuery, the embed token API doesn't support applying effective identity to the downstream/child dataset directly. The error message is essentially telling you that the datasource type (another Power BI dataset in composite mode) can't be the target of an embed token identity.
Scenario 2 — RLS on upstream (parent) dataset → token works but no data
This is the trickier one. The embed token generates fine because you're correctly targeting the upstream dataset. But no data shows because the service principal or master account used to generate the token needs explicit access to the upstream dataset too. In composite embedding scenarios, you must include both datasets in your GenerateTokenRequestV2 call — the report's dataset AND the upstream dataset it queries — and provide the effective identity for the upstream one.
Your token generation request should look like this:
```json
{
  "reports": [{ "id": "<report-id>" }],
  "datasets": [
    { "id": "<child-dataset-id>" },
    { "id": "<parent-dataset-id>", "xmlaPermissions": "ReadOnly" }
  ],
  "identities": [
    {
      "username": "user@domain.com",
      "roles": ["YourRLSRole"],
      "datasets": ["<parent-dataset-id>"]
    }
  ]
}
```
The key things to check: the service principal must have at least Build permission on the upstream dataset, both dataset IDs must be included in the datasets array, and the effectiveIdentity must reference the upstream dataset's ID.
Scenario 3 — No RLS → works fine confirms the architecture is correctly set up; it's purely a token + identity configuration issue
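The checks listed in the answer above, as an added example that is not part of the original posts and not Microsoft's code: it builds a GenerateTokenRequestV2 body for a report on a composite model and lints a body for the misconfigurations the thread describes before it is sent. The function names and IDs are hypothetical, and the identity is placed in the REST API's top-level `identities` array.

```python
# Added example: build and lint a GenerateTokenRequestV2 body for a report on a
# composite model. Function names and all IDs are constructed placeholders.

def build_composite_request(report_id, child_id, parent_id, username, roles):
    """Body for the GenerateToken call: both datasets, identity on the parent."""
    return {
        "reports": [{"id": report_id}],
        "datasets": [
            {"id": child_id},
            {"id": parent_id, "xmlaPermissions": "ReadOnly"},
        ],
        "identities": [
            {"username": username, "roles": list(roles), "datasets": [parent_id]}
        ],
    }


def lint_request(body, child_id, parent_id):
    """Return the misconfigurations discussed in the thread that `body` contains."""
    problems = []
    listed = {d.get("id") for d in body.get("datasets", [])}
    for missing in sorted({child_id, parent_id} - listed):
        problems.append(f"dataset {missing} missing from 'datasets'")
    for d in body.get("datasets", []):
        # The API reads identities from the top-level array, not from dataset entries.
        if "effectiveIdentity" in d or "identities" in d:
            problems.append(f"identity nested inside dataset {d.get('id')}")
    identities = body.get("identities", [])
    targeted = {ds for i in identities for ds in i.get("datasets", [])}
    if child_id in targeted:
        problems.append("identity targets the child (composite) dataset")
    if parent_id not in targeted:
        problems.append("no identity targets the parent dataset")
    for i in identities:
        # Assumption: role-based RLS as in the thread, so both fields are expected.
        if not i.get("username") or not i.get("roles"):
            problems.append("identity lacks username or roles")
        for ds in sorted(set(i.get("datasets", [])) - listed):
            problems.append(f"identity references unlisted dataset {ds}")
    return problems


if __name__ == "__main__":
    body = build_composite_request(
        "report-0001", "child-0001", "parent-0001", "user@domain.com", ["YourRLSRole"]
    )
    print(lint_request(body, "child-0001", "parent-0001"))
```

Running the lint in the token-issuing service before each call turns a silent "report renders with no data" into an explicit error at the point where the identity is assembled.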
Hi @jaymishra,
We would like to confirm if our community member's answer resolves your query or if you need further help. If you still have any questions or need more support, please feel free to let us know. We are happy to help you.
Thank you for your patience and look forward to hearing from you.
Best Regards,
Prashanth Are
MS Fabric community support
Hi @jaymishra,
We would like to confirm if our community member's answer resolves your query or if you need further help. If you still have any questions or need more support, please feel free to let us know. We are happy to help you.
@Juan-Power-bi, thanks for your prompt response.
Thank you for your patience and look forward to hearing from you.
Best Regards,
Prashanth Are
MS Fabric community support