Anonymous
Not applicable

Error getting embed token with row level security

Hi All,

 

I am having trouble getting an App Only Embed token using C# and also via Postman.

 

1) I get the OAuth2 Access token for my service principal using App Id and Secret.

2) I try to post on https://api.powerbi.com/v1.0/myorg/groups/{GroupId}/{ReportId}/GenerateToken

 

with the below body:

    {
      "accessLevel": "View",
      "identities": [
        {
          "username": "UserEmail@Company.com",
          "roles": [ "SomeRole" ],
          "datasets": ["DatasetId"]
        }
      ]
    }

 

Error:

    {
      "error": {
        "code": "InvalidRequest",
        "message": "Creating embed token for accessing dataset {DatasetId} requries gateway admin or datasource override effective identity access right"
      }
    }
4 REPLIES 4
Anonymous
Not applicable

Things that finally worked for us:

 

1) Had to give the service principal the permission "ReadOverrideEffectiveIdentity" by running Microsoft's REST API call with the datasourceId and the gatewayId.

See this link for more info:

https://docs.microsoft.com/en-us/power-bi/developer/embedded-row-level-security#on-premises-data-gat...

 

The identifier used in the JSON BODY Request is not the Azure AD service principal object Id, turns out that there is a separate identifier for the service principal when it is added to Power BI workspace as an admin.

Running a REST call to get users on the workspace/report would give the actual identifier.

*This is weird as the documentation does not say that, but have raised this concern with Microsoft.

2) After this, a normal call to get embed token along with effective identity works fine.

 

 

 

After doing what worked for you (find the service principal identifier using the REST API and give the ReadOverrideEffectiveIdentity permissions to it), now we're getting a different error: "Only folder user with reshare permissions can generate embed token". Do you know what might be the cause of this?

Incredible. Almost a year after your post, I ran into the same issue. Using the Microsoft sample app, the error was hidden from me. I only saw 403 Forbidden returned. Using Postman and APIs to generate an EmbedToken, I then saw the "Creating embed token for accessing dataset..." mentioned above. Your comment of "The identifier used in the JSON BODY Request is not the Azure AD service principal object Id, turns out that there is a separate identifier for the service principal when it is added to Power BI workspace as an admin." was finding a needle in a haystack. You were right! Once I found the "identifier" of my service principal using the APIs against the Power BI Workspace, I updated the username in my sample app and bam! I finally executed a successful end to end request.
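The steps from the replies above, as an added example that is not code from any poster or from Microsoft: it picks the service principal's workspace identifier out of a constructed "get users" response, then builds the ReadOverrideEffectiveIdentity grant and the GenerateToken request without sending them. The display name `embed-app`, the sample GUID, matching by display name, and the `/reports/` segment in the GenerateToken path are assumptions of this example.

```python
import json

API = "https://api.powerbi.com/v1.0/myorg"

# Constructed sample of a workspace "get users" response
# (GET {API}/groups/{groupId}/users); the values are made up.
SAMPLE_GROUP_USERS = {"value": [
    {"displayName": "Owner", "identifier": "owner@example.com",
     "principalType": "User", "groupUserAccessRight": "Admin"},
    {"displayName": "embed-app", "identifier": "00000000-0000-0000-0000-0000000000aa",
     "principalType": "App", "groupUserAccessRight": "Admin"},
]}

def service_principal_identifier(group_users, display_name):
    """Return the identifier the workspace lists for the service principal."""
    matches = [u["identifier"] for u in group_users.get("value", [])
               if u.get("principalType") == "App" and u.get("displayName") == display_name]
    if len(matches) != 1:  # refuse to guess between several app principals
        raise LookupError(f"expected one App principal {display_name!r}, found {len(matches)}")
    return matches[0]

def grant_override_request(gateway_id, datasource_id, identifier):
    """Request granting ReadOverrideEffectiveIdentity on one gateway data source."""
    return {"method": "POST",
            "url": f"{API}/gateways/{gateway_id}/datasources/{datasource_id}/users",
            "json": {"identifier": identifier,
                     "datasourceAccessRight": "ReadOverrideEffectiveIdentity"}}

def generate_token_request(group_id, report_id, dataset_id, username, roles):
    """GenerateToken request carrying the row-level-security effective identity."""
    if not username or not roles:
        raise ValueError("effective identity needs a username and at least one role")
    return {"method": "POST",
            "url": f"{API}/groups/{group_id}/reports/{report_id}/GenerateToken",
            "json": {"accessLevel": "View",
                     "identities": [{"username": username, "roles": list(roles),
                                     "datasets": [dataset_id]}]}}

if __name__ == "__main__":
    sp_id = service_principal_identifier(SAMPLE_GROUP_USERS, "embed-app")
    for req in (grant_override_request("<gatewayId>", "<datasourceId>", sp_id),
                generate_token_request("<groupId>", "<reportId>", "<datasetId>",
                                       "UserEmail@Company.com", ["SomeRole"])):
        print(req["method"], req["url"])
        print(json.dumps(req["json"], indent=2))
```

Each returned dictionary can be sent with any HTTP client, adding the service principal's bearer token in the Authorization header.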

 

 
