Register now to learn Fabric in free live sessions led by the best Microsoft experts. From Apr 16 to May 9, in English and Spanish.
I am in the "App Owns Data" scenario and am using a master user account (temporarily) to get the access token and to generate the embed token. Eventually, the master user account will be replaced by a service principal.
I am able to embed a report that has been shared with the master user account. But I also have a need to pass a parameter (a six digit number) into the report to perform dynamic RLS. The use of dynamic RLS will allow me to avoid creating 20,000+ roles to perform regular RLS.
CUSTOMDATA() isn't an option for me since I'm not using AAS. But I've seen several references to putting an arbitrary value in the "username" field in the embed token. Then USERPRINCIPALNAME() will be able to retrieve it in a role's DAX.
References for this approach:
https://azure.microsoft.com/en-us/updates/power-bi-embedded-rls-ascii-characater-support/
https://community.powerbi.com/t5/Developer/PowerBi-Embedded-API-Works-with-RLS/m-p/231064#M7285
Sounds great, and just what I need, but unfortunately the REST API rejects my attempt to pull the report when I put the six digit value in the username field. The REST API gives me a 401 Unauthorized response. Looks like my master user UPN must be in the username field in the embed token, otherwise the PBI Service thinks I don't have access to the report.
My question... under what circumstances does the REST API allow the username field to contain the arbitrary parameter value?
Are those allowable circumstances mutually exclusive with my situation (App Owns Data, Master User, etc)? Do I need to authenticate in a different way? Do I need to apply different permissions to the report?
I should mention that we're not using Power BI Embedded. We're using Power BI US Government (rather than the Commercial cloud). Is this feature available only in Power BI Embedded? My client application also has the latest NuGet packages for the client APIs (Microsoft.PowerBI.Api v2.11.0 and Microsoft.PowerBI.Javascript v2.10.1).
Thanks!
Solved! Go to Solution.
FYI. I was able to figure out my issue. Previously, the report was shared with the master user account. This situation required the EffectiveIdentity in the embed token to have the master user username. We couldn't use it for dynamic RLS. Then we moved the report to a workspace for which the master user is an admin. After that, the username could be used for dynamic RLS (i.e., username could contain a value other than the master user username). So that was the difference. Shared reports couldn't use dynamic RLS.
FYI. I was able to figure out my issue. Previously, the report was shared with the master user account. This situation required the EffectiveIdentity in the embed token to have the master user username. We couldn't use it for dynamic RLS. Then we moved the report to a workspace for which the master user is an admin. After that, the username could be used for dynamic RLS (i.e., username could contain a value other than the master user username). So that was the difference. Shared reports couldn't use dynamic RLS.
Hi @pbipbj ,
Sorry, I do not know much about your issue. Maybe you can refer to this post: Power BI Embedded Row Level Security.
Best Regards,
Icey
Covering the world! 9:00-10:30 AM Sydney, 4:00-5:30 PM CET (Paris/Berlin), 7:00-8:30 PM Mexico City
Check out the April 2024 Power BI update to learn about new features.