Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

The Power BI Data Visualization World Championships is back! Get ahead of the game and start preparing now! Learn more

Reply
Elderin
Frequent Visitor

Specifying EffectiveIdentity when Retrieving a PowerBI Embedded Report Creation Token

‎10-21-2017 03:39 PM

 

I work for a SaaS company with multiple customer tenants.  Each customer has access to their own data but should never see other customer's data.   In order to achieve this, I pass the customer's tenant id as the username when retrieving tokens.  That tenant id is then used to filter the report data.

 

This seems to work well when embedding existing reports but we also want to allow customers to create their own reports via the embedded interface.  However, when I specify the EffectiveIdentity and attempt to retrieve a creation token, I get a "Forbidden" error that states that EffectiveIdentities are not allowed for report creation tokens.  Without being able to specify the EffectiveIdentity, I'm unable to filter the data and report creators essentially end up having access to data from all tenants.

 

Is there another way to specify identities for report creation tokens?  Please see my current code below (notice how I commented out effective identities when creating the generateTokenParameters).  The hardcoded "24" below is the customer tenant id which I'm unable to specify without an error.

 

                    string roles = "Default";

                    var rls = new EffectiveIdentity("24", new List<string> { this.AppConfig.PowerBI_DataSetId });
                    if (!string.IsNullOrWhiteSpace(roles))
                    {
                        var rolesList = new List<string>();
                        rolesList.AddRange(roles.Split(','));
                        rls.Roles = rolesList;
                    }
                    
                    GenerateTokenRequest generateTokenRequestParameters;
                    generateTokenRequestParameters = new GenerateTokenRequest(accessLevel: TokenAccessLevel.Create, datasetId: this.AppConfig.PowerBI_DataSetId, allowSaveAs:true);//, identities: new List<EffectiveIdentity> { rls });
                    
                    var tokenResponse = await client.Reports.GenerateTokenForCreateInGroupAsync(this.UserSession.CurrentUser.Organization.PowerBIWorkspaceId, generateTokenRequestParameters);
                    
                    // Generate Embed Configuration.
                    model.EmbedConfig.EmbedToken = tokenResponse;
                    model.EmbedConfig.DatasetId = this.AppConfig.PowerBI_DataSetId;
                    model.EmbedConfig.EmbedUrl = string.Format("https://app.powerbi.com//reportEmbed?groupId={0}", this.UserSession.CurrentUser.Organization.PowerBIWorkspaceId);

 

Labels:
Message 1 of 2
4,555 Views
0
1 ACCEPTED SOLUTION
Eric_Zhang
Microsoft Employee
Microsoft Employee

‎10-23-2017 01:22 AM
@Elderin wrote:

 

I work for a SaaS company with multiple customer tenants.  Each customer has access to their own data but should never see other customer's data.   In order to achieve this, I pass the customer's tenant id as the username when retrieving tokens.  That tenant id is then used to filter the report data.

 

This seems to work well when embedding existing reports but we also want to allow customers to create their own reports via the embedded interface.  However, when I specify the EffectiveIdentity and attempt to retrieve a creation token, I get a "Forbidden" error that states that EffectiveIdentities are not allowed for report creation tokens.  Without being able to specify the EffectiveIdentity, I'm unable to filter the data and report creators essentially end up having access to data from all tenants.

 

Is there another way to specify identities for report creation tokens?  Please see my current code below (notice how I commented out effective identities when creating the generateTokenParameters).  The hardcoded "24" below is the customer tenant id which I'm unable to specify without an error.

 

                    string roles = "Default";

                    var rls = new EffectiveIdentity("24", new List<string> { this.AppConfig.PowerBI_DataSetId });
                    if (!string.IsNullOrWhiteSpace(roles))
                    {
                        var rolesList = new List<string>();
                        rolesList.AddRange(roles.Split(','));
                        rls.Roles = rolesList;
                    }
                    
                    GenerateTokenRequest generateTokenRequestParameters;
                    generateTokenRequestParameters = new GenerateTokenRequest(accessLevel: TokenAccessLevel.Create, datasetId: this.AppConfig.PowerBI_DataSetId, allowSaveAs:true);//, identities: new List<EffectiveIdentity> { rls });
                    
                    var tokenResponse = await client.Reports.GenerateTokenForCreateInGroupAsync(this.UserSession.CurrentUser.Organization.PowerBIWorkspaceId, generateTokenRequestParameters);
                    
                    // Generate Embed Configuration.
                    model.EmbedConfig.EmbedToken = tokenResponse;
                    model.EmbedConfig.DatasetId = this.AppConfig.PowerBI_DataSetId;
                    model.EmbedConfig.EmbedUrl = string.Format("https://app.powerbi.com//reportEmbed?groupId={0}", this.UserSession.CurrentUser.Organization.PowerBIWorkspaceId);

 

@Elderin

Based on my test, when creating an embedded token for reports creation specifying the attribute identities in the JSON body, it returns error message "Creating embed token for accessing dataset 05dxxxxx9090a4c shouldn't have effective identity". So I think it is not supported at this moment. You can submit your idea at Power BI Ideas and vote it up.

View solution in original post

Message 2 of 2
5,431 Views
0
1 REPLY 1
Eric_Zhang
Microsoft Employee
Microsoft Employee

‎10-23-2017 01:22 AM
@Elderin wrote:

 

I work for a SaaS company with multiple customer tenants.  Each customer has access to their own data but should never see other customer's data.   In order to achieve this, I pass the customer's tenant id as the username when retrieving tokens.  That tenant id is then used to filter the report data.

 

This seems to work well when embedding existing reports but we also want to allow customers to create their own reports via the embedded interface.  However, when I specify the EffectiveIdentity and attempt to retrieve a creation token, I get a "Forbidden" error that states that EffectiveIdentities are not allowed for report creation tokens.  Without being able to specify the EffectiveIdentity, I'm unable to filter the data and report creators essentially end up having access to data from all tenants.

 

Is there another way to specify identities for report creation tokens?  Please see my current code below (notice how I commented out effective identities when creating the generateTokenParameters).  The hardcoded "24" below is the customer tenant id which I'm unable to specify without an error.

 

                    string roles = "Default";

                    var rls = new EffectiveIdentity("24", new List<string> { this.AppConfig.PowerBI_DataSetId });
                    if (!string.IsNullOrWhiteSpace(roles))
                    {
                        var rolesList = new List<string>();
                        rolesList.AddRange(roles.Split(','));
                        rls.Roles = rolesList;
                    }
                    
                    GenerateTokenRequest generateTokenRequestParameters;
                    generateTokenRequestParameters = new GenerateTokenRequest(accessLevel: TokenAccessLevel.Create, datasetId: this.AppConfig.PowerBI_DataSetId, allowSaveAs:true);//, identities: new List<EffectiveIdentity> { rls });
                    
                    var tokenResponse = await client.Reports.GenerateTokenForCreateInGroupAsync(this.UserSession.CurrentUser.Organization.PowerBIWorkspaceId, generateTokenRequestParameters);
                    
                    // Generate Embed Configuration.
                    model.EmbedConfig.EmbedToken = tokenResponse;
                    model.EmbedConfig.DatasetId = this.AppConfig.PowerBI_DataSetId;
                    model.EmbedConfig.EmbedUrl = string.Format("https://app.powerbi.com//reportEmbed?groupId={0}", this.UserSession.CurrentUser.Organization.PowerBIWorkspaceId);

 

@Elderin

Based on my test, when creating an embedded token for reports creation specifying the attribute identities in the JSON body, it returns error message "Creating embed token for accessing dataset 05dxxxxx9090a4c shouldn't have effective identity". So I think it is not supported at this moment. You can submit your idea at Power BI Ideas and vote it up.

Message 2 of 2
5,432 Views
0

Helpful resources

Announcements
Power BI DataViz World Championships

Power BI Dataviz World Championships

The Power BI Data Visualization World Championships is back! Get ahead of the game and start preparing now!

December 2025 Power BI Update Carousel

Power BI Monthly Update - December 2025

Check out the December 2025 Power BI Holiday Recap!

FabCon Atlanta 2026 carousel

FabCon Atlanta 2026

Join us at FabCon Atlanta, March 16-20, for the ultimate Fabric, Power BI, AI and SQL community-led event. Save $200 with code FABCOMM.

View All