
Embedded View only token is able to be used for editing


I am trying to embed a report with RLS and making sure the user can only view the report, no saving, copying, editing. I have the RLS working, but the embed token is able to be used with viewMode: models.ViewMode.Edit and permissions: models.Permissions.All even though I generate the embed token as "accessLevel": "View" from an Azure read-only client_id token.


Let me try to document my process so someone can point out what I'm missing or doing wrong.


Step 1: I successfully make an Azure token from POST

The JSON response shows that it is read-only.

    {
        "token_type": "Bearer",
        "scope": "App.Read.All Capacity.Read.All Dashboard.Read.All Dataflow.Read.All Dataset.Read.All Gateway.Read.All Group.Read Metadata.View_Any Report.Read.All StorageAccount.Read.All Workspace.Read.All",
        "expires_in": "3599",
        "ext_expires_in": "3599",
        "expires_on": "1616772529",
        "not_before": "1616768629",
        "resource": "",
        "access_token": "eyJ0eXA..."
    }

Step 2:

The permissions requirements listed are met so I make the POST request using the read-only Azure token that I received in Step 1 in my Authorization field in the header and making sure to use "accessLevel": "View" in the following request body...

    {
        "accessLevel": "View",
        "identities": [
            {
                "username": "",
                "roles": [ "Store Number 1", "Role2" ],
                "datasets": [ "asdfasdfasdfasdfasdf" ]
            }
        ]
    }

The request works and returns this response below...

    {
        "@odata.context": "$metadata#Microsoft.PowerBI.ServiceContracts.Api.V1.GenerateTokenResponse",
        "token": "...",
        "tokenId": "...",
        "expiration": "2021-03-26T15:28:49Z"
    }

Note: The embed token received from Step 2 does work and has RLS enforced. I can generate my embed using it just fine.


My Issue(s): 

The embed token from Step 2 is able to be used with viewMode: models.ViewMode.Edit and/or permissions: models.Permissions.All.


This isn't secure if someone can just edit their own JS and use either of these properties as Edit or All so I must be missing or doing something wrong which is allowing my embed token to actually have more permissions than I am requesting it to have.

Status: New
Community Support


It is secure, please have a look at this document:





Frequent Visitor

Thanks for the reply @v-lili6-msft ,


I understand there is a secure way to do it but I am having trouble doing it or am misunderstanding something. I have attached a screenshot using the API from the URL you commented. It allows the user to see all the field names, data source names and gives the user the "editing" interface and options. There are options to save, but they result in this error. I want to at least make sure that the error is definitely caused because the embed token used doesn't have readwrite.all and only has read.all access. I need to make sure it's not a fluke that the report can't be saved and that I can rely on it to always fail for the user.
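
A server-side pre-flight check for the Step 1 response and Step 2 request body described in this thread, as an added example that is not from any poster or from Microsoft: it reports any scope on the Azure token that is not a read scope and any request setting that asks for more than view access. The function name `auditEmbedFlow`, the policy it applies and all sample values are assumptions constructed for illustration.

```javascript
// Added example: pre-flight audit of the two requests described in this thread.
// The policy and every sample value here are constructed assumptions.

// A scope counts as read-only if it is X.Read, X.Read.All or Metadata.View_Any.
const READ_ONLY_SCOPE = /^(?:[A-Za-z]+\.Read(?:\.All)?|Metadata\.View_Any)$/;

function auditEmbedFlow(tokenResponse, generateTokenBody, nowSeconds) {
  const findings = [];

  // Step 1 response: every scope on the Azure AD token must be a read scope.
  const scopes = String(tokenResponse.scope || "").split(/\s+/).filter(Boolean);
  if (scopes.length === 0) findings.push("token response lists no scopes");
  for (const s of scopes) {
    if (!READ_ONLY_SCOPE.test(s)) findings.push(`non-read scope: ${s}`);
  }
  // expires_on is epoch seconds, sent as a string.
  if (Number(tokenResponse.expires_on) <= nowSeconds) findings.push("access token expired");

  // Step 2 body: view-only access, no Save As, RLS identity fully specified.
  if (generateTokenBody.accessLevel !== "View") {
    findings.push(`accessLevel is ${generateTokenBody.accessLevel}, expected View`);
  }
  if (generateTokenBody.allowSaveAs === true) findings.push("allowSaveAs is true");
  const ids = Array.isArray(generateTokenBody.identities) ? generateTokenBody.identities : [];
  if (ids.length === 0) findings.push("no RLS identities in request");
  ids.forEach((id, i) => {
    if (!Array.isArray(id.roles) || id.roles.length === 0) findings.push(`identity ${i}: no roles`);
    if (!Array.isArray(id.datasets) || id.datasets.length === 0) findings.push(`identity ${i}: no datasets`);
  });
  return findings;
}

// Constructed sample input (not real tokens, users or dataset ids).
const sampleToken = { scope: "Dataset.Read.All Group.Read Metadata.View_Any Report.Read.All", expires_on: "1616772529" };
const sampleBody = {
  accessLevel: "View",
  identities: [{ username: "user@example.test", roles: ["Store Number 1"], datasets: ["00000000-0000-0000-0000-000000000000"] }],
};
const riskyToken = { scope: "Report.Read.All Report.ReadWrite.All", expires_on: "1616772529" };
const riskyBody = { accessLevel: "Edit", allowSaveAs: true, identities: [] };

console.log(auditEmbedFlow(sampleToken, sampleBody, 1616770000));
console.log(auditEmbedFlow(riskyToken, riskyBody, 1616780000));
```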