BaakWu


"shouldn't have effective identity" error when passing identity to embedded report with no RLS



I have a .NET Core website that uses Power BI Embedded, and I am finding that I am getting this specific error when I am passing an identity to a report with no RLS configured.


{"error":{"code":"InvalidRequest","message":"Creating embed token for accessing dataset 1002bdf6-eeeb-47f8-88d9-eccf616f0da9 shouldn't have effective identity"}}

The code segment is below:

    try
    {
        var azureTokenData = await _authenticationHandler.GetAzureTokenDataAsync();

        using (var powerBiClient = new PowerBIClient(new Uri(_powerBiSettings.MainAddress), azureTokenData.tokenCredentials))
        {
            var powerBiReport = await powerBiClient.Reports.GetReportAsync(_powerBiSettings.GroupId, id.ToString());

            // An effective identity is always attached, even when the report's dataset has no RLS.
            var rowLevelSecurityIdentity = new List<EffectiveIdentity>
            {
                new EffectiveIdentity("MasterUser", //TODO: Change this to use azure identity
                    roles: new List<string> {"User"},
                    datasets: new List<string> {powerBiReport.DatasetId})
            };

            var powerBiTokenRequestParameters = new GenerateTokenRequest("view", null, identities: rowLevelSecurityIdentity);

            var powerBiTokenResponse = await powerBiClient.Reports.GenerateTokenInGroupAsync(_powerBiSettings.GroupId, powerBiReport.Id, powerBiTokenRequestParameters);

            return new ReportDetail
            {
                Id = Guid.Parse(powerBiReport.Id),
                Name = powerBiReport.Name,
                EmbedUrl = powerBiReport.EmbedUrl,
                AccessToken = powerBiTokenResponse.Token
            };
        }
    }
    catch (HttpOperationException ex)
    {
        // Response content contains more specific API error details
        _logger.LogError(ex, ex.Response.Content);
        throw; // rethrow so the caller sees the failure rather than a missing return value
    }

The current workaround is just to add a one-role RLS rule with no DAX expression to every report. But I was wondering if I am doing something wrong, since the expected behavior is that if we pass an identity to a report with no RLS it should just ignore the identity and present the report, under the assumption that anyone is supposed to see this report.


Is there some way to avoid this error properly?



v-micsh-msft


The report without RLS defined should use the identity without the effective identity.

generateTokenRequestParameters = new GenerateTokenRequest(accessLevel: "view");

The sample implements the following:

    GenerateTokenRequest generateTokenRequestParameters;
    // This is how you create embed token with effective identities
    if (!string.IsNullOrEmpty(username))
    {
        var rls = new EffectiveIdentity(username, new List<string> { report.DatasetId });
        if (!string.IsNullOrWhiteSpace(roles))
        {
            // "roles" is the comma-separated role list typed into the UI input box
            var rolesList = new List<string>();
            rolesList.AddRange(roles.Split(','));
            rls.Roles = rolesList;
        }
        // Generate Embed Token with effective identities.
        generateTokenRequestParameters = new GenerateTokenRequest(accessLevel: "view", identities: new List<EffectiveIdentity> { rls });
    }
    else
    {
        // Generate Embed Token for reports without effective identities.
        generateTokenRequestParameters = new GenerateTokenRequest(accessLevel: "view");
    }

The UI has two input boxes for these strings, which are used to decide whether it needs to generate the effective identity.

I think you may try a similar way.




BaakWu


I see, but this only works if there is no login session at all. What we have is a situation where all employees of a company log in to the web application that has Power BI embedded. There is a certain set of reports that do not have RLS and are available to everyone in the company, yet the users still have an Azure AD login session with PrincipalCase including email addresses and such.


All users would have a username, for which we would be using the Azure AD email address, and they are defaulted to a generic role of "employee", so there is no case where their username is null or empty. We end up passing all the identity information to all reports regardless of whether the report implements RLS.


The reports with RLS will embed successfully, but reports that have no RLS will fail to embed since we are passing it identity information that it doesn't need.
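The sample's null-username check cannot help when every caller is logged in, so the decision has to be driven by the dataset rather than by the session. The Power BI REST API's dataset object carries the flags isEffectiveIdentityRequired and isEffectiveIdentityRolesRequired, which say whether a GenerateToken call for that dataset must (and therefore may) carry an identity and whether RLS roles are defined in it. The following is an added example, not code from this thread or from Microsoft's sample; it assumes the V2 Microsoft.PowerBI.Api SDK used in the posts above (string group ids, GetReportInGroupAsync, GetDatasetByIdInGroupAsync, GenerateTokenInGroupAsync), and the class and method names EmbedTokenBuilder, BuildTokenRequest and GenerateAsync are the example's own:

```csharp
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using Microsoft.PowerBI.Api.V2;
using Microsoft.PowerBI.Api.V2.Models;

// Hypothetical helper (not part of the SDK or the thread): builds a token request
// whose identity list depends on what the dataset actually declares.
public class EmbedTokenBuilder
{
    private readonly IPowerBIClient _client;
    private readonly string _groupId;

    public EmbedTokenBuilder(IPowerBIClient client, string groupId)
    {
        _client = client;
        _groupId = groupId;
    }

    // Pure decision logic, separated so it can be unit-tested without a live service.
    // The service rejects identities for datasets that do not require one (the
    // "shouldn't have effective identity" error), so a logged-in user's identity is
    // forwarded only when the dataset asks for it.
    public static GenerateTokenRequest BuildTokenRequest(Dataset dataset, string username, IList<string> roles)
    {
        if (dataset.IsEffectiveIdentityRequired != true)
        {
            // No RLS on this dataset: a plain "view" token is the only valid request,
            // regardless of who is logged in to the web application.
            return new GenerateTokenRequest(accessLevel: "view");
        }

        if (string.IsNullOrWhiteSpace(username))
        {
            // Failing closed here is deliberate: an RLS dataset embedded without an
            // identity would either error or, with a master user, show unfiltered data.
            throw new InvalidOperationException("Dataset requires an effective identity but no username was supplied.");
        }

        var identity = new EffectiveIdentity(username, datasets: new List<string> { dataset.Id });

        if (dataset.IsEffectiveIdentityRolesRequired == true)
        {
            if (roles == null || roles.Count == 0)
            {
                throw new InvalidOperationException("Dataset defines RLS roles; at least one role is required.");
            }
            identity.Roles = roles;
        }

        return new GenerateTokenRequest(accessLevel: "view", identities: new List<EffectiveIdentity> { identity });
    }

    // Looks up the report's dataset, then generates the embed token with the right shape.
    public async Task<EmbedToken> GenerateAsync(string reportId, string username, IList<string> roles)
    {
        var report = await _client.Reports.GetReportInGroupAsync(_groupId, reportId);
        var dataset = await _client.Datasets.GetDatasetByIdInGroupAsync(_groupId, report.DatasetId);
        var request = BuildTokenRequest(dataset, username, roles);
        return await _client.Reports.GenerateTokenInGroupAsync(_groupId, report.Id, request);
    }
}
```

With this shape the web application can keep passing the Azure AD email address and the "employee" role for every signed-in user; BuildTokenRequest drops them for datasets without RLS and keeps them for datasets with RLS, which removes the need for the placeholder one-role RLS rule on every report. The extra GetDatasetByIdInGroupAsync call per embed can be cached per dataset id if it becomes a latency concern.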