pbipbj
Frequent Visitor

Using "username" field in embed token for dynamic RLS

I am in the "App Owns Data" scenario and am using a master user account (temporarily) to get the access token and to generate the embed token. Eventually, the master user account will be replaced by a service principal.

 

I am able to embed a report that has been shared with the master user account. But I also have a need to pass a parameter (a six digit number) into the report to perform dynamic RLS.  The use of dynamic RLS will allow me to avoid creating 20,000+ roles to perform regular RLS.

 

CUSTOMDATA() isn't an option for me since I'm not using AAS. But I've seen several references to putting an arbitrary value in the "username" field in the embed token. Then USERPRINCIPALNAME() will be able to retrieve it in a role's DAX.
References for this approach:
https://azure.microsoft.com/en-us/updates/power-bi-embedded-rls-ascii-characater-support/
https://community.powerbi.com/t5/Developer/PowerBi-Embedded-API-Works-with-RLS/m-p/231064#M7285

 

Sounds great, and just what I need, but unfortunately the REST API rejects my attempt to pull the report when I put the six digit value in the username field. The REST API gives me a 401 Unauthorized response. Looks like my master user UPN must be in the username field in the embed token, otherwise the PBI Service thinks I don't have access to the report.

 

My question... under what circumstances does the REST API allow the username field to contain the arbitrary parameter value?

 

Are those allowable circumstances mutually exclusive with my situation (App Owns Data, Master User, etc)?  Do I need to authenticate in a different way?  Do I need to apply different permissions to the report?  

 

I should mention that we're not using Power BI Embedded.  We're using Power BI US Government (rather than the Commercial cloud).  Is this feature available only in Power BI Embedded?  My client application also has the latest NuGet packages for the client APIs (Microsoft.PowerBI.Api v2.11.0 and Microsoft.PowerBI.Javascript v2.10.1).

 

Thanks!

1 ACCEPTED SOLUTION
pbipbj
Frequent Visitor

FYI.  I was able to figure out my issue.  Previously, the report was shared with the master user account.  This situation required the EffectiveIdentity in the embed token to have the master user username.  We couldn't use it for dynamic RLS.  Then we moved the report to a workspace for which the master user is an admin.  After that, the username could be used for dynamic RLS (i.e., username could contain a value other than the master user username).  So that was the difference.  Shared reports couldn't use dynamic RLS.
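An added example, not part of the original post and not code from Microsoft's client libraries: a server-side helper that builds the REST GenerateToken request for a report that lives in a workspace (the setup the accepted solution ended up with), with the six-digit value placed in the effective identity's username. The function names, role name and GUIDs are hypothetical, and the default API root is the commercial cloud, which is an assumption.

```python
import re
import uuid

# Assumption: commercial-cloud API root. Sovereign clouds such as Power BI
# US Government use a different host, so pass api_root explicitly there.
DEFAULT_API_ROOT = "https://api.powerbi.com/v1.0/myorg"

# ASCII digits only: \d would also accept non-ASCII Unicode digits.
SIX_DIGITS = re.compile(r"[0-9]{6}")


def _guid(name, value):
    """Canonicalise an ID so nothing but a GUID can reach the URL path."""
    try:
        return str(uuid.UUID(value))
    except (ValueError, AttributeError, TypeError):
        raise ValueError(f"{name} is not a GUID") from None


def build_generate_token_request(workspace_id, report_id, dataset_id,
                                 rls_key, role, api_root=DEFAULT_API_ROOT):
    """Return (url, json_body) for the in-workspace report GenerateToken call.

    rls_key is the six-digit value that USERPRINCIPALNAME() will return inside
    the role's DAX filter. Look it up server-side from the signed-in user's
    session; never accept it from the browser, because whoever chooses this
    value chooses which rows the embed token can read.
    """
    if not isinstance(rls_key, str) or not SIX_DIGITS.fullmatch(rls_key):
        raise ValueError("rls_key must be exactly six ASCII digits")
    if not isinstance(role, str) or not role.strip():
        raise ValueError("an RLS role name is required")
    url = "{}/groups/{}/reports/{}/GenerateToken".format(
        api_root.rstrip("/"), _guid("workspace_id", workspace_id),
        _guid("report_id", report_id))
    body = {
        "accessLevel": "View",
        "identities": [{
            "username": rls_key,   # arbitrary value, not the master user's UPN
            "roles": [role],
            "datasets": [_guid("dataset_id", dataset_id)],
        }],
    }
    return url, body
```

The body is POSTed as JSON with the master user's (later the service principal's) Azure AD access token as the Bearer token.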


2 REPLIES

Icey
Community Support

Hi @pbipbj ,

Sorry, I do not know much about your issue. Maybe you can refer to this post: Power BI Embedded Row Level Security.

 

Best Regards,

Icey
