Hello,
I have an .Net core website that uses power bi embedded, and I am finding that I am getting this specific error when I am passing an identity to a report with no RLS configured.
{"error":{"code":"InvalidRequest","message":"Creating embed token for accessing dataset 1002bdf6-eeeb-47f8-88d9-eccf616f0da9
shouldn't have effective identity"}}The code segment is below
try
{
var azureTokenData = await _authenticationHandler.GetAzureTokenDataAsync();
using (var powerBiClient = new PowerBIClient(new Uri(_powerBiSettings.MainAddress), azureTokenData.tokenCredentials))
{
var powerBiReport = await powerBiClient.Reports.GetReportAsync(_powerBiSettings.GroupId, id.ToString());
var rowLevelSecurityIdentity = new List<EffectiveIdentity>
{
new EffectiveIdentity("MasterUser", //TODO: Change this to use azure identity
roles: new List<string> {"User"},
datasets: new List<string> {powerBiReport.DatasetId})
};
var powerBiTokenRequestParameters = new GenerateTokenRequest("view", null, identities: rowLevelSecurityIdentity);
var powerBiTokenResponse = await powerBiClient.Reports.GenerateTokenInGroupAsync(_powerBiSettings.GroupId, powerBiReport.Id, powerBiTokenRequestParameters);
return new ReportDetail
{
Id = Guid.Parse(powerBiReport.Id),
Name = powerBiReport.Name,
EmbedUrl = powerBiReport.EmbedUrl,
AccessToken = powerBiTokenResponse.Token
};
}
}
catch (HttpOperationException ex)
{
// Response content contains more specific API error details
_logger.LogError(ex, ex.Response.Content);
throw;
}The current workaround is just to add a 1 role RLS rule with no DAX expression to every report. But I was wondering if I am doing something wrong, since the expected behavior is that if we pass an identity to a report with no RLS it should just ignore the identity and present the report, under the assumption that anyone is supposed to see this report.
Is there some way to avoid this error properly?
Thanks,