Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

We've captured the moments from FabCon & SQLCon that everyone is talking about, and we are bringing them to the community, live and on-demand. Starts on April 14th. Register now

Reply
olaamigo
Frequent Visitor

Power BI Embedded Composite model embed token with RLS causes OnPremiseServiceException visual error

‎03-23-2026 02:47 AM

i,

I am embedding a Power BI report using GenerateToken (App owns data scenario).

The report is based on a composite model:

Main report dataset

DirectQuery to multiple Power BI semantic models

Some downstream datasets have RLS roles

I generate the embed token using this request body

{

"reports": [

{

"id": "REPORT_ID"

}

],

"datasets": [

{ "id": "DATASET_A", "xmlaPermissions": "ReadOnly" },

{ "id": "DATASET_B", "xmlaPermissions": "ReadOnly" },

{ "id": "DATASET_C", "xmlaPermissions": "ReadOnly" },

{ "id": "DATASET_D", "xmlaPermissions": "ReadOnly" },

{ "id": "DATASET_E", "xmlaPermissions": "ReadOnly" }

],

"identities": [

{

"username": "mock_user@tenant.com",

"roles": ["Read"],

"datasets": [

"DATASET_C",

"DATASET_D",

"DATASET_E"

]

}

]

}

Token gets generated and i tried to spin up in python in local VS code to test the embedding

Notes:

-xmlaPermissions are included because this is DirectQuery to Power BI semantic models

RLS role "Read" exists only on downstream datasets

The main composite dataset does not have RLS

When embedding the report, some visuals fail with:

VisualErrorSeeDetails_OnPremiseServiceException

The report works in Power BI Service and developer playground but fails in embedded in my local server in python

Questions:

  1. Should the main composite dataset also be included in identities.datasets even if it has no RLS?

  2. Do I need anything else ?

  3. Is there any known limitation with composite model + RLS + embed token?

Error text

Unable to retrieve the data for this visual effect. Please try again later.

Please check the technical details for more information. Please provide these details if you contact support.

Hide details

Underlying errorOnPremiseServiceException

Any guidance would be greatly appreciated.

Labels:
Message 1 of 6
377 Views
0
1 ACCEPTED SOLUTION
v-echaithra
Community Support
Community Support

‎03-23-2026 06:06 AM

Hi @olaamigo ,

In addition to including the main dataset in the identity, I would recommend validating the following areas to ensure the security context is resolved correctly across the composite model:

Please confirm that the role "Read" exists across all downstream datasets referenced in the DirectQuery chain. If the role is missing or defined differently in any dataset, it can lead to partial query failures at runtime.

Ensure that all datasets involved in the composite model are included in both:
the "datasets" section of the token request
and the identities.datasets array. This includes the main dataset as well as all referenced semantic models.

Your use of "xmlaPermissions": "ReadOnly" is correct for DirectQuery to Power BI semantic models. Please ensure this is consistently applied to every dataset in the request.

Even if a dataset does not have RLS configured, it still needs to be included in the identity scope. In composite models, Power BI requires a unified identity across all participating datasets to execute queries successfully.


Best Regards.

View solution in original post

Message 4 of 6
300 Views
0
5 REPLIES 5
v-echaithra
Community Support
Community Support

‎03-30-2026 05:05 AM

HI @olaamigo ,

May I ask if you have resolved this issue? Please let us know if you have any further issues, we are happy to help.

Thank you.

Message 6 of 6
193 Views
0
v-echaithra
Community Support
Community Support

‎03-26-2026 01:53 AM

Hi @olaamigo ,

We’d like to follow up regarding the recent concern. Kindly confirm whether the issue has been resolved, or if further assistance is still required. We are available to support you and are committed to helping you reach a resolution.

Thank you.

Message 5 of 6
250 Views
0
v-echaithra
Community Support
Community Support

‎03-23-2026 06:06 AM

Hi @olaamigo ,

In addition to including the main dataset in the identity, I would recommend validating the following areas to ensure the security context is resolved correctly across the composite model:

Please confirm that the role "Read" exists across all downstream datasets referenced in the DirectQuery chain. If the role is missing or defined differently in any dataset, it can lead to partial query failures at runtime.

Ensure that all datasets involved in the composite model are included in both:
the "datasets" section of the token request
and the identities.datasets array. This includes the main dataset as well as all referenced semantic models.

Your use of "xmlaPermissions": "ReadOnly" is correct for DirectQuery to Power BI semantic models. Please ensure this is consistently applied to every dataset in the request.

Even if a dataset does not have RLS configured, it still needs to be included in the identity scope. In composite models, Power BI requires a unified identity across all participating datasets to execute queries successfully.


Best Regards.

Message 4 of 6
301 Views
0
rohit1991
Super User
Super User

‎03-23-2026 04:06 AM

Hii @olaamigo 

 

In a composite model with RLS, all datasets involved in DirectQuery (including the main dataset) must be explicitly included in the embed token identities; otherwise, Power BI cannot resolve security context across datasets, leading to OnPremiseServiceException. Even if the main dataset has no RLS, it should still be added in identities.datasets, and the RLS role must exist consistently across all downstream datasets used in the query.


Did it work? ✔ Give a Kudo • Mark as Solution – help others too!
Message 2 of 6
332 Views
0
olaamigo
Frequent Visitor
In response to rohit1991

‎03-23-2026 04:20 AM

Hi,

 

I updated the embed token request so that the main composite dataset is also included in identities, even though it has no RLS ( the main one )

This is the current mock token payload I am using:

{
"reports": [
{
"id": "REPORT_ID"
}
],
"datasets": [
{ "id": "DATASET_MAIN", "xmlaPermissions": "ReadOnly" },
{ "id": "DATASET_X", "xmlaPermissions": "ReadOnly" },
{ "id": "DATASET_Y", "xmlaPermissions": "ReadOnly" },
{ "id": "DATASET_Z", "xmlaPermissions": "ReadOnly" },
{ "id": "DATASET_W", "xmlaPermissions": "ReadOnly" }
],
"identities": [
{
"username": "mock_user@tenant.com",
"datasets": [
"DATASET_MAIN",
"DATASET_X"
]
},
{
"username": "mock_user@tenant.com",
"roles": ["Read"],
"datasets": [
"DATASET_Y",
"DATASET_Z",
"DATASET_W"
]
}
]
}

However I am still getting the same visual failure:

VisualErrorSeeDetails_OnPremiseServiceException

Message 3 of 6
322 Views
0

Helpful resources

Announcements
New to Fabric survey Carousel

New to Fabric Survey

If you have recently started exploring Fabric, we'd love to hear how it's going. Your feedback can help with product improvements.

Power BI DataViz World Championships carousel

Power BI DataViz World Championships - June 2026

A new Power BI DataViz World Championship is coming this June! Don't miss out on submitting your entry.

Join our Fabric User Panel

Join our Fabric User Panel

Share feedback directly with Fabric product managers, participate in targeted research studies and influence the Fabric roadmap.

March Power BI Update Carousel

Power BI Community Update - March 2026

Check out the March 2026 Power BI update to learn about new features.

View All
Top Solution Authors
View All