q-jack

Reputation: 386

PowerBi Service principals and Row level Security

We are using Power BI and would like to embed a report in another system. We have set up everything so far and can display the reports with a service principal for several users. However, we only want the users to see their own records, so we have created roles that only display a few records based on the username. This works well in the Power BI Desktop 'view as'. But when we request the embed token from the other system, we get a 400 response code back. I have read the following (https://learn.microsoft.com/en-us/power-bi/enterprise/service-admin-rls):

Service principals cannot be added to an RLS role. Accordingly, RLS won’t be applied for apps using a service principal as the final effective identity.

Can I then achieve my goal at all, that a large group of users can view a report and only see their own data? Or is that only possible if I create a separate account for each user?

My report without roles can be embedded. That works. Then I added a role to my report. The role is Owner and the DAX is [Owner__c] = USERNAME().

And adjusted the body of the API request from:

```json
{
  "accessLevel": "View",
  "datasetId": "8d72284e-f104-4213-9376-606397b2f838"
}
```

to

```json
{
  "accessLevel": "View",
  "allowSaveAs": false,
  "identities": [{
    "username": "0015p00005ZSE7wAAH",
    "reports": ["7fa1badb-ccb3-45b8-84cb-15e5b2018efa"],
    "roles": ["Owner"],
    "datasets": ["8d72284e-f104-4213-9376-606397b2f838"]
  }]
}
```

This is my data table.

Did I miss a point? Do I need to add someone (who?) to the role under dataset security?

Why is USERPRINCIPALNAME() or USERNAME() not the id which I defined in the request body? As soon as I add a role to my report (DAX: [Owner__c] = TRUE, [Owner__c] = USERNAME(), or even hard-coded [Owner__c] = '0015p00005ZSE7wAAH') I get a status code 400.

Upvotes: 0

Views: 3367

Answers (2)

q-jack

Reputation: 386

After adding the Content-Type => application/json header, it worked.

Upvotes: 1

David Browne - Microsoft

Reputation: 89361

The Service Principal is not the "effective identity". The Service Principal generates the embed token, and the embed token specifies the effective identity of the user, which can be an arbitrary string that you use in your RLS filters.

With Row Level Security (RLS), you can choose to use a different identity than the identity of the service principal or master user you're generating the token with. Using this option, you can display embedded information according to the user you're targeting. For example, in your application you can ask users to sign in, and then display a report that only contains sales information if the signed-in user is a sales employee.

Generate Embed Token - Row Level Security

See also Row-level security with Power BI Embedded

Upvotes: 0
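As an added example (not code from the question or either answer), here is how the host application can build the GenerateToken request with the Content-Type header the asker found missing and the effective identity the answer describes; the endpoint constant with its placeholder ids and the function names are assumptions.

```python
import json
from typing import Dict, List, Tuple

# Assumed report-level GenerateToken endpoint; <group-id> and <report-id> are placeholders.
GENERATE_TOKEN_URL = "https://api.powerbi.com/v1.0/myorg/groups/<group-id>/reports/<report-id>/GenerateToken"

def build_embed_token_request(
    service_principal_token: str,
    dataset_id: str,
    report_id: str,
    effective_username: str,
    roles: List[str],
) -> Tuple[Dict[str, str], str]:
    """Return (headers, JSON body) for the GenerateToken call.

    The service principal only authorizes the call (Bearer token). The identity
    Power BI compares USERNAME() against is the one in 'identities', so it must
    be taken from the host application's own authenticated session, never from
    an untrusted request parameter.
    """
    if not effective_username or not roles:
        raise ValueError("effective identity needs a username and at least one RLS role")
    headers = {
        "Authorization": f"Bearer {service_principal_token}",
        "Content-Type": "application/json",  # omitting this header produced the HTTP 400
    }
    body = {
        "accessLevel": "View",
        "allowSaveAs": False,  # JSON boolean, not the string "false"
        "identities": [{
            "username": effective_username,
            "roles": roles,
            "datasets": [dataset_id],
            "reports": [report_id],
        }],
    }
    return headers, json.dumps(body)

def check_response(status: int, body: str) -> str:
    """Return the embed token, or raise with the API's error detail for diagnosis."""
    data = json.loads(body) if body else {}
    if status == 200 and "token" in data:
        return data["token"]
    detail = data.get("error", {}).get("message", body or "<empty body>")
    raise RuntimeError(f"GenerateToken failed with HTTP {status}: {detail}")
```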
