Solved: Specifying EffectiveIdentity when Retrieving a Pow...

Elderin · ‎10-21-2017

I work for a SaaS company with multiple customer tenants. Each customer has access to their own data but should never see other customer's data. In order to achieve this, I pass the customer's tenant id as the username when retrieving tokens. That tenant id is then used to filter the report data.

This seems to work well when embedding existing reports but we also want to allow customers to create their own reports via the embedded interface. However, when I specify the EffectiveIdentity and attempt to retrieve a creation token, I get a "Forbidden" error that states that EffectiveIdentities are not allowed for report creation tokens. Without being able to specify the EffectiveIdentity, I'm unable to filter the data and report creators essentially end up having access to data from all tenants.

Is there another way to specify identities for report creation tokens? Please see my current code below (notice how I commented out effective identities when creating the generateTokenParameters). The hardcoded "24" below is the customer tenant id which I'm unable to specify without an error.

                    string roles = "Default";

                    var rls = new EffectiveIdentity("24", new List<string> { this.AppConfig.PowerBI_DataSetId });
                    if (!string.IsNullOrWhiteSpace(roles))
                    {
                        var rolesList = new List<string>();
                        rolesList.AddRange(roles.Split(','));
                        rls.Roles = rolesList;
                    }
                    
                    GenerateTokenRequest generateTokenRequestParameters;
                    generateTokenRequestParameters = new GenerateTokenRequest(accessLevel: TokenAccessLevel.Create, datasetId: this.AppConfig.PowerBI_DataSetId, allowSaveAs:true);//, identities: new List<EffectiveIdentity> { rls });
                    
                    var tokenResponse = await client.Reports.GenerateTokenForCreateInGroupAsync(this.UserSession.CurrentUser.Organization.PowerBIWorkspaceId, generateTokenRequestParameters);
                    
                    // Generate Embed Configuration.
                    model.EmbedConfig.EmbedToken = tokenResponse;
                    model.EmbedConfig.DatasetId = this.AppConfig.PowerBI_DataSetId;
                    model.EmbedConfig.EmbedUrl = string.Format("https://app.powerbi.com//reportEmbed?groupId={0}", this.UserSession.CurrentUser.Organization.PowerBIWorkspaceId);

Eric_Zhang · ‎10-23-2017

@Elderin wrote:

I work for a SaaS company with multiple customer tenants. Each customer has access to their own data but should never see other customer's data. In order to achieve this, I pass the customer's tenant id as the username when retrieving tokens. That tenant id is then used to filter the report data.

This seems to work well when embedding existing reports but we also want to allow customers to create their own reports via the embedded interface. However, when I specify the EffectiveIdentity and attempt to retrieve a creation token, I get a "Forbidden" error that states that EffectiveIdentities are not allowed for report creation tokens. Without being able to specify the EffectiveIdentity, I'm unable to filter the data and report creators essentially end up having access to data from all tenants.

Is there another way to specify identities for report creation tokens? Please see my current code below (notice how I commented out effective identities when creating the generateTokenParameters). The hardcoded "24" below is the customer tenant id which I'm unable to specify without an error.
                    string roles = "Default";

                    var rls = new EffectiveIdentity("24", new List<string> { this.AppConfig.PowerBI_DataSetId });
                    if (!string.IsNullOrWhiteSpace(roles))
                    {
                        var rolesList = new List<string>();
                        rolesList.AddRange(roles.Split(','));
                        rls.Roles = rolesList;
                    }
                    
                    GenerateTokenRequest generateTokenRequestParameters;
                    generateTokenRequestParameters = new GenerateTokenRequest(accessLevel: TokenAccessLevel.Create, datasetId: this.AppConfig.PowerBI_DataSetId, allowSaveAs:true);//, identities: new List<EffectiveIdentity> { rls });
                    
                    var tokenResponse = await client.Reports.GenerateTokenForCreateInGroupAsync(this.UserSession.CurrentUser.Organization.PowerBIWorkspaceId, generateTokenRequestParameters);
                    
                    // Generate Embed Configuration.
                    model.EmbedConfig.EmbedToken = tokenResponse;
                    model.EmbedConfig.DatasetId = this.AppConfig.PowerBI_DataSetId;
                    model.EmbedConfig.EmbedUrl = string.Format("https://app.powerbi.com//reportEmbed?groupId={0}", this.UserSession.CurrentUser.Organization.PowerBIWorkspaceId);

@Elderin

Based on my test, when creating an embedded token for reports creation specifying the attribute identities in the JSON body, it returns error message "Creating embed token for accessing dataset 05dxxxxx9090a4c shouldn't have effective identity". So I think it is not supported at this moment. You can submit your idea at Power BI Ideas and vote it up.

View solution in original post

Eric_Zhang · ‎10-23-2017

@Elderin wrote:

I work for a SaaS company with multiple customer tenants. Each customer has access to their own data but should never see other customer's data. In order to achieve this, I pass the customer's tenant id as the username when retrieving tokens. That tenant id is then used to filter the report data.

This seems to work well when embedding existing reports but we also want to allow customers to create their own reports via the embedded interface. However, when I specify the EffectiveIdentity and attempt to retrieve a creation token, I get a "Forbidden" error that states that EffectiveIdentities are not allowed for report creation tokens. Without being able to specify the EffectiveIdentity, I'm unable to filter the data and report creators essentially end up having access to data from all tenants.

Is there another way to specify identities for report creation tokens? Please see my current code below (notice how I commented out effective identities when creating the generateTokenParameters). The hardcoded "24" below is the customer tenant id which I'm unable to specify without an error.
                    string roles = "Default";

                    var rls = new EffectiveIdentity("24", new List<string> { this.AppConfig.PowerBI_DataSetId });
                    if (!string.IsNullOrWhiteSpace(roles))
                    {
                        var rolesList = new List<string>();
                        rolesList.AddRange(roles.Split(','));
                        rls.Roles = rolesList;
                    }
                    
                    GenerateTokenRequest generateTokenRequestParameters;
                    generateTokenRequestParameters = new GenerateTokenRequest(accessLevel: TokenAccessLevel.Create, datasetId: this.AppConfig.PowerBI_DataSetId, allowSaveAs:true);//, identities: new List<EffectiveIdentity> { rls });
                    
                    var tokenResponse = await client.Reports.GenerateTokenForCreateInGroupAsync(this.UserSession.CurrentUser.Organization.PowerBIWorkspaceId, generateTokenRequestParameters);
                    
                    // Generate Embed Configuration.
                    model.EmbedConfig.EmbedToken = tokenResponse;
                    model.EmbedConfig.DatasetId = this.AppConfig.PowerBI_DataSetId;
                    model.EmbedConfig.EmbedUrl = string.Format("https://app.powerbi.com//reportEmbed?groupId={0}", this.UserSession.CurrentUser.Organization.PowerBIWorkspaceId);

@Elderin

Based on my test, when creating an embedded token for reports creation specifying the attribute identities in the JSON body, it returns error message "Creating embed token for accessing dataset 05dxxxxx9090a4c shouldn't have effective identity". So I think it is not supported at this moment. You can submit your idea at Power BI Ideas and vote it up.