QSEoW - Security rules - Use of matches/like with ... - Qlik Community

rzenere_avvale · ‎2025-12-16

Good morning everyone,

I would like to verify with you if, while using QSEoW security rules, it's still not possible to use user attributes (like user.group) with matches or like clauses in this kind of fashion:

resource.name matches "(?user.group|user.name)"
resource.name like "user.group*"

Last kb article I found about this has been last modified in 2019 (Qlik Sense: Can attributes be used with regular expressions or wildcards in a security rule ? ), and I haven't seen any further change on this topic.

Regards,
Riccardo

JanJorissen · ‎2026-05-08

Hi

The following page confirms that security rules support both the like and matches operators, and notes that you must use lower-case letters for the operators and, or, like, and matches — worth keeping in mind

https://help.qlik.com/en-US/sense-admin/November2025/Subsystems/DeployAdministerQSE/Content/Sense_De...

There's also a companion page on Creating security rules:

https://help.qlik.com/en-US/sense-admin/November2025/Subsystems/DeployAdministerQSE/Content/Sense_De...

That page specifically notes that when using a wildcard (*), you must use the like operator instead of =, and that any user properties contained in connected user directories will be shown in the drop-down list.

Some examples:

user.group like "*Admin*"

user.group matches ".*Admin.*"

user.environment.group matches "(Sales|Marketing|Finance)"

rzenere_avvale · ‎2026-05-08

Hey there Jan,
Thank you for your answer but the question is a bit different.
I don't want to use the clauses matches/like with static value (like Admin, Sales, Marketing, ...), but use a dynamic value (read i.e. from the property user.group) and verify if that value is the start/prefix of another property.

Trying to clarify with an example:

my user is part of the groups QlikUsers_RegionalView, QlikUsers_GlobalView,
I have a resource (i.e. a stream) that is called QlikUsers_RegionalView_EMEA
I want to verify, with a generic security rule, if the name of the stream is the "beginning" of one of the groups that I'm assigned to (so if there is at least a group starting with QlikUsers_RegionalView), using only the user attributes (user.group)

Let me know if the question is clearer now,
Riccardo

AnaSilva · ‎2026-05-08

Hi @rzenere_avvale ,

To confirm your suspicion — yes, this is a known limitation. The matches and like operators only accept static strings on the right side. You can't pass user.group as the pattern dynamically, and string concatenation isn't supported either. This hasn't changed since at least 2019 based on community threads on the same topic.

The cleanest workaround for your scenario is to flip the logic: add a custom property to your streams (e.g. GroupPrefix) with the group name as the value, then use a simple equality comparison:

resource.@GroupPrefix = user.group

You lose the "starts with" dynamic check, but you gain a fully supported, scalable rule that stays hands-off as users change groups. Each stream just needs to be tagged with the right value once.

Not ideal if you have many streams, but it's the standard approach for this kind of group-based access in QSEoW.

IPC Global: ipc-global.com

QSEoW - Security rules - Use of matches/like with user attributes

Client Managed