I have set up a test AD user, and when signed on as that user a shared report has RLS via roles working correctly. When using the same report (dataset) and using the EffectiveIdentity function, it does not. Only the roles have an effect on the filtered rows. If I use an invalid user, the rows filtered are the same as if I sent a valid user. Additionally, if I change which roles are passed, the data set changes for any user.
I suspect I have something set up or coded wrong.
I was under the impression that the embedded RLS took the username (domain\upn) and used Azure ADFS for any AD groups the user belongs to and used the dataset roles to see what groups and/or direct user mappings exist and then showed the resulting filtered rows. That is how it works using the report on a shared dashboard signed on as the test user.
Snippet from App Owns Data (I am using the base GitHub code):
var datasets = await client.Datasets.GetDatasetByIdInGroupAsync(GroupId, report.DatasetId);
result.IsEffectiveIdentityRequired = datasets.IsEffectiveIdentityRequired;
result.IsEffectiveIdentityRolesRequired = datasets.IsEffectiveIdentityRolesRequired;
GenerateTokenRequest generateTokenRequestParameters;
// This is how you create embed token with effective identities
if (!string.IsNullOrEmpty(username))
{
    var rls = new EffectiveIdentity(username, new List<string> { report.DatasetId });
    if (!string.IsNullOrWhiteSpace(roles))
    {
        var rolesList = new List<string>();
        rolesList.AddRange(roles.Split(','));
        rls.Roles = rolesList;
    }
    // Generate Embed Token with effective identities.
    generateTokenRequestParameters = new GenerateTokenRequest(accessLevel: "view", identities: new List<EffectiveIdentity> { rls });
}
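
Because, as the post observes, the returned rows follow whichever roles the token request names, the role list is an authorization decision the server has to make. The following is an added example, not part of the original post or the GitHub sample: it resolves the roles server-side from the authenticated user instead of taking them as input. The `EmbedIdentityBuilder` class, the `RolesByUser` table with its sample users and role names, and the V2 SDK namespace are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using Microsoft.PowerBI.Api.V2.Models; // assumption: SDK version matching the snippet above

public static class EmbedIdentityBuilder
{
    // Hypothetical mapping with constructed sample data. In a real application this
    // comes from the app's own directory or group lookup, never from the request.
    private static readonly Dictionary<string, string[]> RolesByUser =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        {
            ["testuser@contoso.example"] = new[] { "SalesEast" },
            ["manager@contoso.example"] = new[] { "SalesEast", "SalesWest" },
        };

    // Returns the roles mapped to an authenticated user.
    // Unknown users and users without roles are rejected, so no token is issued for them.
    public static IList<string> ResolveRoles(string authenticatedUser)
    {
        if (string.IsNullOrWhiteSpace(authenticatedUser) ||
            !RolesByUser.TryGetValue(authenticatedUser.Trim(), out var roles) ||
            roles.Length == 0)
        {
            throw new UnauthorizedAccessException("No RLS roles mapped for this user.");
        }
        return roles.ToList();
    }

    // Builds the token request from the server-side mapping only.
    // There is deliberately no 'roles' parameter a caller could tamper with.
    public static GenerateTokenRequest BuildRequest(string authenticatedUser, string datasetId)
    {
        var roles = ResolveRoles(authenticatedUser); // throws before any identity is built
        var rls = new EffectiveIdentity(authenticatedUser.Trim(), new List<string> { datasetId })
        {
            Roles = roles
        };
        return new GenerateTokenRequest(
            accessLevel: "view",
            identities: new List<EffectiveIdentity> { rls });
    }
}
```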