Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Join us for an expert-led overview of the tools and concepts you'll need to become a Certified Power BI Data Analyst and pass exam PL-300. Register now.

Reply
NickHall
Frequent Visitor

Row Level Security with PowerBI Embedded

‎06-05-2020 06:16 AM

Hi,

 

We have several reports that utilise PowerBI Embedded which pull data through an on-premises gateway. This all works great. However, we have reached a stage where we want to use powerbi roles to implement row-level security on a report.

 

Our goal is to attach a role to users on our site, which is then passed through as part of the identity on token creation, corresponding to the roles defined in the powerbi dataset.

 

Following the guide here I managed to create a token with an identity:

 

var generateTokenRequestParameters = new GenerateTokenRequest("View", null, identities: new List<EffectiveIdentity> { new EffectiveIdentity(username: username, roles: new List<string> { role }, datasets: new List<string> { datasetId }) });

var tokenResponse = await client.Reports.GenerateTokenInGroupAsync(groupId, reportId, generateTokenRequestParameters);

This doesn't work however, and returns an error:

Creating embed token for accessing dataset <datasetId> shouldn't have effective identity"

Doing some more research, it seems that I need to attach users to the roles, but due to us using a service principal, there is only one effective user on the report.

 

I've tried attaching the service principal by going to the dataset in the workspace, opening the menu and selecting security. From there I tried typing the service principal in but it just says it's an invalid email.

 

I'm really not sure about how to proceed here, so any help would be greatly appreciated. Thanks!

Labels:
Message 1 of 3
721 Views
0
2 REPLIES 2
nandukrishnavs
Community Champion
Community Champion

‎06-06-2020 01:27 AM

@NickHall 

 

Hope your dataset contains user email ids & your RLS has configured using USERPRINCIPALNAME()

Refer to this blog, for Dynamic RLS configuration.

https://community.powerbi.com/t5/Community-Blog/Dynamic-Row-Level-Security-Dynamic-RLS/ba-p/787399

https://community.powerbi.com/t5/Service/Dynamic-Row-Level-Security-Single-Role-for-all-the-User/m-p...

 

I understand you are using a service principal account, But you have to pass the actual login user's email id in the below code segment. If you have multiple roles, then you have to switch the role name as well.

Example-

username: username@abc.com

role: roleA

var generateTokenRequestParameters = new GenerateTokenRequest("View", null, identities: new List<EffectiveIdentity> { new EffectiveIdentity(username: "username@abc.com", roles: new List<string> { "roleA"}, datasets: new List<string> { "datasetId" }) });

var tokenResponse = await client.Reports.GenerateTokenInGroupAsync("groupId", "reportId", generateTokenRequestParameters);



Did I answer your question? Mark my post as a solution!
Appreciate with a kudos 🙂

 


Regards,
Nandu Krishna

Message 2 of 3
703 Views
NickHall
Frequent Visitor
In response to nandukrishnavs

‎06-08-2020 02:00 AM

Hi, thanks for the reply! I think I'm starting to understand the problem.

 

These reports are being disseminated to users outside of our organisation, and therefore not in our active directory. They are users stored in a SQL database on one of our sites and not in any way tied to MS.

 

Our goal is to have an embedded report that changes its available data depending on the roles of the user logged into the site. An example of this would be siteUserA has roleA. The PowerBI report has some rows of data that only roleA users should see. When siteUserA reaches our embedded report page, it checks their site roles and then does -something- that tells PowerBI what roles they have within the given report.

 

Is this possible with rls? If not, is there an alternative?

 

We have explored creating multiple reports and fetching a different one depending on the role of the user hitting the report page, but this is hugely impractical as we'd need 20+ versions of a single report!

 

Thanks again,

Nick

Message 3 of 3
673 Views
0

Helpful resources

Announcements
July PBI25 Carousel

Power BI Monthly Update - July 2025

Check out the July 2025 Power BI update to learn about new features.

Join our Fabric User Panel

Join our Fabric User Panel

This is your chance to engage directly with the engineering team behind Fabric and Power BI. Share your experiences and shape the future.

June 2025 community update carousel

Fabric Community Update - June 2025

Find out what's new and trending in the Fabric community.

View All