Anonymous
Not applicable

Forbidden error - while generating embed token with RLS and DirectQuery (SQL server)

We are trying to generate an embed token for a Power BI document which was RLS-enabled and DirectQuery-based (SQL Server).

We are using the below API to generate the embed token:

POST - https://api.powerbi.com/v1.0/myorg/groups/<groupId>/reports/<reportId>/generatetoken

Payload:

{
    "accessLevel": "View",
    "identities": [{
        "username": "<email>",
        "roles": ["Custom Role"],
        "datasets": ["<id>"]
    }]
}

Response:

1. If the Power BI report uses an import query with RLS, it provides an embed token.
2. If the Power BI report uses DirectQuery with RLS, it throws a 403 Forbidden error.

Can you please help us to resolve?

7 REPLIES
v-rzhou-msft
Community Support

Hi @Anonymous,

I suggest you refer to this official blog. There is an example of how to generate an embed token for a DirectQuery report.

For reference:

https://learn.microsoft.com/en-us/rest/api/power-bi/embed-token/generate-token#example-of-generating-an-embed-token-for-a-power-bi-report-with-a-dataset-which-is-connected-with-directquery-to-another-power-bi-dataset.-all-related-dataset-ids-must-be-specified-in-the-request-with-'xmlapermissions'-set-to-'readonly'.-identityblobs-for-all-sso-enabled-data-sources-must-be-provided-in-the-'datasourceidentities'-array

You may also refer to the blogs below to learn more details about how to generate an embed token.

For reference:

Generate an embed token

Embed a report with cloud-based RLS

Best Regards,
Rico Zhou

If this post helps, then please consider accepting it as the solution to help the other members find it more quickly.

 

Anonymous
Not applicable

Hi @v-rzhou-msft

Where can I find the identityBlob? What is Microsoft.PowerBI.ServiceContracts.Api.V1.IdentityBlob?

Can you help me with how to get the identityBlob?

{
    "error": {
        "code": "BadRequest",
        "message": "Bad Request",
        "details": [
            {
                "message": "Error converting value \"eyJ__fQ.ey__NH0.kvW__FSjg\" to type 'Microsoft.PowerBI.ServiceContracts.Api.V1.IdentityBlob'. Path 'identities[0].identityBlob', line 30, position 1295.",
                "target": "request.identities[0].identityBlob"
            }
        ]
    }
}

Anonymous
Not applicable

Hi @v-rzhou-msft

Can you please reply to my issue (my previous reply)?

datasourceIdentities is only relevant when you have a data source with SSO enabled. If you don't have such, then you don't need to provide your data sources in the request. Just leave it empty.

Anonymous
Not applicable

Hi @AmosHersch

Tried the `identityBlob` as an empty string, but I got the below error again:

{
    "error": {
        "code": "InvalidRequest",
        "message": "Datasource identity must contain identity blob"
    }
}

You shouldn't send the datasourceIdentities array at all.
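
The advice in the two replies above (send `datasourceIdentities` only for SSO-enabled data sources, and otherwise leave the array out of the request entirely), as an added example that is not part of the thread or of Microsoft's documentation. The function names are hypothetical, the IDs are placeholders, and the sample body is constructed to mirror the failing request posted in the thread.

```javascript
// Added example, not code from the thread. Function names are hypothetical;
// field names are the ones used in the requests posted in the thread.

function hasBlob(entry) {
  return typeof entry.identityBlob === "string" && entry.identityBlob.length > 0;
}

// Build a multi-resource GenerateToken body for a report that uses RLS.
function buildGenerateTokenBody({ datasetId, reportId, username, roles, datasourceIdentities = [] }) {
  if (!datasetId || !reportId) throw new Error("datasetId and reportId are required");
  if (!username || !Array.isArray(roles) || roles.length === 0) {
    throw new Error("an RLS identity needs a username and at least one role");
  }
  const body = {
    datasets: [{ id: datasetId }],
    reports: [{ id: reportId }],
    identities: [{ username, roles, datasets: [datasetId] }],
  };
  // Only SSO-enabled data sources go here, and each entry must carry a blob.
  const bad = datasourceIdentities.findIndex((e) => !hasBlob(e));
  if (bad !== -1) throw new Error(`datasourceIdentities[${bad}] has no identityBlob`);
  if (datasourceIdentities.length > 0) body.datasourceIdentities = datasourceIdentities;
  return body;
}

// Repair an existing body: drop blob-less entries, and drop the key entirely
// when nothing is left (the thread shows an empty-string blob is rejected too).
function dropBloblessDatasourceIdentities(body) {
  const { datasourceIdentities = [], ...rest } = body;
  const kept = datasourceIdentities.filter(hasBlob);
  return kept.length > 0 ? { ...rest, datasourceIdentities: kept } : rest;
}

// Constructed sample shaped like the failing request in the thread (placeholder IDs).
const failingBody = {
  datasets: [{ id: "<datasetId>", xmlaPermissions: "ReadOnly" }],
  reports: [{ id: "<reportId>" }],
  datasourceIdentities: [
    { datasources: [{ datasourceType: "Sql", datasourceId: "<datasourceId>", gatewayId: "<gatewayId>" }] },
  ],
};

console.log(JSON.stringify(dropBloblessDatasourceIdentities(failingBody), null, 2));
console.log(JSON.stringify(buildGenerateTokenBody({
  datasetId: "<datasetId>", reportId: "<reportId>", username: "<email>", roles: ["Custom Role"],
}), null, 2));
```

Validating the body before it is sent surfaces a blob-less entry locally instead of as the `InvalidRequest` response quoted in the thread.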

Anonymous
Not applicable

Hi @v-rzhou-msft

Thank you for your reply. In my Power BI document, we are not using Azure SQL; we are using our own instance of SQL Server.

var myHeaders = new Headers();
myHeaders.append("Content-Type", "application/json");

var raw = JSON.stringify({
  "datasets": [
    {
      "id": "123..",
      "xmlaPermissions": "ReadOnly"
    }
  ],
  "reports": [
    {
      "id": "235.."
    }
  ],
  "datasourceIdentities": [
    {
      "datasources": [
        {
          "datasourceType": "Sql",
          "connectionDetails": {
            "server": "...test.database.windows.net",
            "database": "testdb"
          },
          "datasourceId": "13d...c",
          "gatewayId": "ca1...4"
        }
      ]
    }
  ]
});

var requestOptions = {
  method: 'POST',
  headers: myHeaders,
  body: raw,
  redirect: 'follow'
};

fetch("https://api.powerbi.com/v1.0/myorg/GenerateToken", requestOptions)
  .then(response => response.text())
  .then(result => console.log(result))
  .catch(error => console.log('error', error));

 

I got the below error:

{
    "error": {
        "code": "InvalidRequest",
        "message": "Datasource identity must contain identity blob"
    }
}

 

But in the Power BI document, the description of the identityBlob is like below:

`A blob for specifying an identity. Only supported for datasets with a DirectQuery connection to Azure SQL`

In my case I am not using Azure SQL. Can you please help us here?
