Missing access to some AppWorkspace APIs

[FrankPreusker]

To some of the APIs under "AppWorkspace" I have access, to others not - as listed below Access: Workspaces, Workspace Users, Dashboards, Dashboard Tiles, Reports, Dataflows, Dataflows Datasources, Upstream Dataflows No Access: Datasets, Dataset Sources, Dataset To Dataflow Links, Refresh History, Refresh Schedule My understanding was, that all of the AppWorkspace APIs should be working without PBI admin authorization, but they don't for me. Can you please help me to understand, which settings need to be done? I'm not a PBI admin myself, but can work with our admin to eventually make the right settings :-) I'm using the latest version of the connector. Thanks

[migueesc123]

The best suggestion that I can give is to check the official documentation of the REST API directly from Microsoft. You can check with something like fiddler the url being used by the connector to get your data and if it fails then you'll get a 4xx error, so you'll know what urls to look for in the documentation.

Perhaps this is one of the calls that you're trying to make: https://docs.microsoft.com/en-us/rest/api/power-bi/datasets/get-datasets-in-group

At the very top it shows the required scopes for each call:

Unfortunately, we don't have any control over the REST API, so if things change tomorrow the best way to look at what changed (perhaps a new scope is needed) is by looking directly at the official documentation.

I'm leaving the ticket open in case @klinejordan wants to add anything.

[klinejordan]

Can you be more specific about what "no access" means? Are you getting error messages? Do you have any screenshots?

[FrankPreusker]

Hi @klinejordan , The error message is simply saying 'forbidden access':

Interestingly I'm able to run the same API via the Microsoft documentation page: https://docs.microsoft.com/en-us/rest/api/power-bi/datasets/get-datasets-in-group. I have specified a groupId (aka workspace id) and it retrieved all datasets of that workspace in json format.

Obviously, there is a difference using the API via the website vs with this connector. Are you able to help on this?

[migueesc123]

@FrankPreusker you'll need to check what specific error message and error code you're receiving from the REST API. You could use something like Fiddler to trace those calls and see exactly what's happening.

I'd start there and see exactly what could be happening. Are you using your own Application for the authentication ? or are you using the latest version of the connector that uses the MSFT provided authentication ?

[migueesc123]

Also, forgot to mention that the connector doesn't handle anything related to permissions or scopes.

Anything related to permissions and scopes is handled by the Application that the connector is using. If you're using the latest version of the connector then that's an application provided directly by MSFT. You can read more about how that works from the link below: https://docs.microsoft.com/en-us/power-query/handlingauthentication#azure-active-directory-authentication

We do not have any control over how that application handles or restricts certain components or how it interacts with your specific tenant.

it's hard to guess what could be happening, hence why I recommend checking the traces / calls that you're making to the REST API and check what responses you're getting and go from there.

I'm closing this one, but I'll let @klinejordan chime in - hopefully he has some suggestions.

[FrankPreusker]

@migueesc123 Thanks for your reply! I'm using the latest version of the mez connector + the latest August release of PBI Desktop. I don't have experience with Fiddler, but will do some research on it. I just really don't understand, why parts of the RestAPI calls are working and other do not (all non-Admin, as posted in the original message). If I find something relevant, I'll post again here.

[migueesc123]

It could be that you are not set up as the admin of your tenant and therefore you don't have access to all datasets from all workspaces? It's hard to say what the real issue is, but something like fiddler (doesn't have to be fiddler - any proxy will do) would be able to tell you what's the call that's failing and you can go from there.