Anonymous
Not applicable

Error getting embed token with row level security

Hi All,

 

I am having trouble getting an App Only Embed token using C# and also via Postman.

 

1) I get the OAuth2 Access token for my service principal using App Id and Secret.

2) I try to post on https://api.powerbi.com/v1.0/myorg/groups/{GroupId}/{ReportId}/GenerateToken

 

with the below body:

{
  "accessLevel": "View",
  "identities": [
    {
      "username": "UserEmail@Company.com",
      "roles": [ "SomeRole" ],
      "datasets": ["DatasetId"]
    }
  ]
}

 

Error:

{
  "error": {
    "code": "InvalidRequest",
    "message": "Creating embed token for accessing dataset {DatasetId} requries gateway admin or datasource override effective identity access right"
  }
}
4 REPLIES 4
Anonymous
Not applicable

Things that finally worked for us:

 

1) Had to give the service principal the permission "ReadOverrideEffectiveIdentity" by running Microsoft's REST API call with the datasourceId and the gatewayId.

See this link for more info:

https://docs.microsoft.com/en-us/power-bi/developer/embedded-row-level-security#on-premises-data-gat...

 

The identifier used in the JSON BODY Request is not the Azure AD service principal object Id; it turns out that there is a separate identifier for the service principal when it is added to a Power BI workspace as an admin.

Running a REST call to get users on the workspace/report would give the actual identifier.

*This is weird as the documentation does not say that, but we have raised this concern with Microsoft.

2) After this, a normal call to get embed token along with effective identity works fine.
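The sequence described in the reply above, as an added example (not code from any poster in this thread or from Microsoft's samples): read the service principal's workspace identifier from a Get Group Users response, build the Add Datasource User request that grants ReadOverrideEffectiveIdentity, then build the GenerateToken request. Assumptions: the function names, matching the principal by display name, the constructed sample response, and all placeholder IDs.

```python
import json
import urllib.request

API = "https://api.powerbi.com/v1.0/myorg"

def workspace_identifier(group_users, display_name):
    """Pick the service principal's Power BI identifier out of a
    GET {API}/groups/{groupId}/users response (not the Azure AD object Id)."""
    apps = [u for u in group_users.get("value", [])
            if u.get("principalType") == "App" and u.get("displayName") == display_name]
    if len(apps) != 1:  # refuse to guess when the match is missing or ambiguous
        raise LookupError(f"expected one App principal named {display_name!r}, found {len(apps)}")
    return apps[0]["identifier"]

def grant_override_request(gateway_id, datasource_id, identifier):
    """Gateways - Add Datasource User: give the principal ReadOverrideEffectiveIdentity."""
    url = f"{API}/gateways/{gateway_id}/datasources/{datasource_id}/users"
    return url, {"identifier": identifier, "principalType": "App",
                 "datasourceAccessRight": "ReadOverrideEffectiveIdentity"}

def embed_token_request(group_id, report_id, dataset_id, username, roles):
    """Generate Token In Group (documented path has a /reports/ segment),
    carrying the effective identity body shown in the question."""
    url = f"{API}/groups/{group_id}/reports/{report_id}/GenerateToken"
    return url, {"accessLevel": "View",
                 "identities": [{"username": username, "roles": list(roles),
                                 "datasets": [dataset_id]}]}

def post(url, body, access_token):
    """Send one of the requests above with the service principal's OAuth2 bearer token."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Bearer {access_token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return json.loads(raw) if raw else {}  # the grant call may return an empty body

# Constructed sample of a Get Group Users response (all values are placeholders).
SAMPLE_GROUP_USERS = {"value": [
    {"displayName": "Report Author", "identifier": "author@example.com",
     "principalType": "User", "groupUserAccessRight": "Member"},
    {"displayName": "embed-app", "identifier": "00000000-0000-0000-0000-0000000000aa",
     "principalType": "App", "groupUserAccessRight": "Admin"},
]}

if __name__ == "__main__":
    sp = workspace_identifier(SAMPLE_GROUP_USERS, "embed-app")
    print(grant_override_request("GATEWAY_ID", "DATASOURCE_ID", sp))
    print(embed_token_request("GROUP_ID", "REPORT_ID", "DATASET_ID",
                              "UserEmail@Company.com", ["SomeRole"]))
```

Once the grant is in place, the service principal chooses the username and roles in every embed token, so the application should take them from its own authenticated session rather than from anything the browser sends.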

 

 

 

After doing what worked for you (find the service principal identifier using the REST API and give the ReadOverrideEffectiveIdentity permissions to it), now we're getting a different error: "Only folder user with reshare permissions can generate embed token". Do you know what might be the cause of this?

Incredible. Almost a year after your post, I ran into the same issue. Using the Microsoft sample app, the error was hidden from me. I only saw 403 Forbidden returned. Using Postman and APIs to generate an EmbedToken, I then saw the

"Creating embed token for accessing dataset..."

mentioned above. Your comment of "The identifier used in the JSON BODY Request is not the Azure AD service principal object Id; it turns out that there is a separate identifier for the service principal when it is added to a Power BI workspace as an admin." was finding a needle in a haystack. You were right! Once I found the "identifier" of my service principal using the APIs against the Power BI Workspace, I updated the username in my sample app and bam! I finally executed a successful end-to-end request.

 

 

Jayendran
Solution Sage