I am in the "App Owns Data" scenario and am using a master user account (temporarily) to get the access token and to generate the embed token. Eventually, the master user account will be replaced by a service principal.
I am able to embed a report that has been shared with the master user account. But I also have a need to pass a parameter (a six digit number) into the report to perform dynamic RLS. The use of dynamic RLS will allow me to avoid creating 20,000+ roles to perform regular RLS.
CUSTOMDATA() isn't an option for me since I'm not using AAS. But I've seen several references to putting an arbitrary value in the "username" field in the embed token. Then USERPRINCIPALNAME() will be able to retrieve it in a role's DAX.
References for this approach:
https://azure.microsoft.com/en-us/updates/power-bi-embedded-rls-ascii-characater-support/
https://community.powerbi.com/t5/Developer/PowerBi-Embedded-API-Works-with-RLS/m-p/231064#M7285
Sounds great, and just what I need, but unfortunately the REST API rejects my attempt to pull the report when I put the six digit value in the username field. The REST API gives me a 401 Unauthorized response. Looks like my master user UPN must be in the username field in the embed token, otherwise the PBI Service thinks I don't have access to the report.
My question... under what circumstances does the REST API allow the username field to contain the arbitrary parameter value?
Are those allowable circumstances mutually exclusive with my situation (App Owns Data, Master User, etc)? Do I need to authenticate in a different way? Do I need to apply different permissions to the report?
I should mention that we're not using Power BI Embedded. We're using Power BI US Government (rather than the Commercial cloud). Is this feature available only in Power BI Embedded? My client application also has the latest NuGet packages for the client APIs (Microsoft.PowerBI.Api v2.11.0 and Microsoft.PowerBI.Javascript v2.10.1).
Thanks!
