Hello,
I am trying to embed a report with RLS and making sure the user can only view the report, no saving, copying, editing. I have the RLS working, but the embed token is able to be used with viewMode: models.ViewMode.Edit and permissions: models.Permissions.All even though I generate the embed token as "accessLevel": "View" from an azure read-only client_id token.
Let me try to document my process so someone can point out what I'm missing or doing wrong.
Step 1: I successfully make an Azure token from POST https://login.windows.net/common/oauth2/token
The JSON response shows that it is read-only.
{
    "token_type": "Bearer",
    "scope": "App.Read.All Capacity.Read.All Dashboard.Read.All Dataflow.Read.All Dataset.Read.All Gateway.Read.All Group.Read Metadata.View_Any Report.Read.All StorageAccount.Read.All Workspace.Read.All",
    "expires_in": "3599",
    "ext_expires_in": "3599",
    "expires_on": "1616772529",
    "not_before": "1616768629",
    "resource": "https://analysis.windows.net/powerbi/api",
    "access_token": "eyJ0eXA..."
}
Step 2: https://docs.microsoft.com/en-us/rest/api/power-bi/embedtoken/reports_generatetokeningroup
The permissions requirements listed are met, so I make the POST request using the read-only Azure token that I received in Step 1 in the Authorization header field, making sure to use "accessLevel": "View" in the following request body...
{
    "accessLevel": "View",
    "identities": [
        {
            "username": "example@example.com",
            "roles": [ "Store Number 1", "Role2" ],
            "datasets": [ "asdfasdfasdfasdfasdf" ]
        }
    ]
}
The request works and returns this response below...
{
    "@odata.context": "http://wabi-us-central-a-primary-redirect.analysis.windows.net/v1.0/myorg/groups/asdfasdfasdfasdf/$metadata#Microsoft.PowerBI.ServiceContracts.Api.V1.GenerateTokenResponse",
    "token": "...",
    "tokenId": "...",
    "expiration": "2021-03-26T15:28:49Z"
}
Note: The embed token received from Step 2 does work and has RLS enforced. I can generate my embed using it just fine.
My Issue(s):
The embed token from Step 2 is able to be used with viewMode: models.ViewMode.Edit and/or permissions: models.Permissions.All.
This isn't secure if someone can just edit their own JS and use either of these properties as Edit or All, so I must be missing or doing something wrong, which is allowing my embed token to actually have more permissions than I am requesting it to have.
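The Step 2 call above, written out as an added example (not code from the original post): it builds the GenerateTokenInGroup body with "accessLevel": "View" and an RLS identity, sends it with the Step 1 bearer token, and decodes the returned embed token's claims (signature not verified, inspection only) so the expiry and other claims the service put in can be checked. The group/report ids, username, roles and dataset ids are placeholders you supply; the network call assumes real credentials.

```python
"""Request a View-only Power BI embed token with RLS identities and inspect its claims."""
import base64
import json
import urllib.request
from typing import Any

# Endpoints: the first is quoted in the post, the second is the public Power BI REST base.
AAD_TOKEN_URL = "https://login.windows.net/common/oauth2/token"
PBI_API = "https://api.powerbi.com/v1.0/myorg"


def build_embed_token_body(username: str, roles: list[str], dataset_ids: list[str]) -> dict[str, Any]:
    """Body for Reports - GenerateTokenInGroup. accessLevel "View" is the
    setting the service evaluates; the client-side viewMode/permissions
    fields in the JS embed config are only what the page asks for."""
    return {
        "accessLevel": "View",
        "identities": [{"username": username, "roles": roles, "datasets": dataset_ids}],
    }


def decode_jwt_claims(token: str) -> dict[str, Any]:
    """Decode the payload segment of a compact JWT WITHOUT verifying the
    signature. Use it only to inspect what the service issued (expiry etc.);
    it proves nothing about the token's authenticity."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS/JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def generate_view_embed_token(aad_token: str, group_id: str, report_id: str,
                              username: str, roles: list[str], dataset_ids: list[str]) -> dict[str, Any]:
    """POST the View-only body with the Step 1 Azure AD bearer token; returns
    the GenerateTokenResponse JSON (token, tokenId, expiration)."""
    url = f"{PBI_API}/groups/{group_id}/reports/{report_id}/GenerateToken"
    body = json.dumps(build_embed_token_body(username, roles, dataset_ids)).encode()
    req = urllib.request.Request(url, data=body, method="POST", headers={
        "Authorization": f"Bearer {aad_token}",
        "Content-Type": "application/json",
    })
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Placeholders: replace with a real AAD token and ids before running against the service.
    resp = generate_view_embed_token("<aad-token>", "<group-id>", "<report-id>",
                                     "example@example.com", ["Store Number 1"], ["<dataset-id>"])
    print(resp["expiration"], decode_jwt_claims(resp["token"]))
```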