I'm trying to figure out how to write a polkit rule for a systemd template unit file. The rule is triggered when I use the actual service that will be instantiated (`openvpn-client@miami.service`) but not when I leave out the instance identifier string (`openvpn-client@.service`).
Here is the complete working rule:
// polkit rule: members of the "wheel" group may start, stop or restart one
// specific OpenVPN client instance without being asked to authenticate.
polkit.addRule(function(action, subject) {
    // The unit name is compared as an exact string, so only the "miami"
    // instance matches; the bare template name "openvpn-client@.service"
    // never equals it. && short-circuits, so the lookups run in the same
    // order and under the same conditions as nested if statements would.
    var unitAndGroupMatch =
        action.id == "org.freedesktop.systemd1.manage-units" &&
        action.lookup("unit") == "openvpn-client@miami.service" &&
        subject.isInGroup("wheel");

    if (unitAndGroupMatch) {
        var verb = action.lookup("verb");
        var verbAllowed = verb == "start" || verb == "stop" || verb == "restart";
        if (verbAllowed) {
            return polkit.Result.YES;
        }
    }

    // Reached for every request this rule did not approve. Nothing is
    // returned, so polkit goes on to the next rule or the default policy.
    polkit.log("action=" + action);
    polkit.log("subject=" + subject);
});
My hunch is that I could use javascript regex to just glob the string between "@" and ".service" but I can't quite figure it out.
My vpn provider has many possible servers, each with its own config (referenced by the openvpn-client@.service template unit file), so I'd really like to not have to write a polkit rule for each instance of the template.
Thanks a lot!
**Update:**
I solved this according to my hunch above, using a regex to match instances of the template unit. Is this maybe unsafe?
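// polkit rule: members of the "wheel" group may start, stop or restart any
// instance of the openvpn-client@.service template whose instance name
// consists only of lowercase letters, without being asked to authenticate.
polkit.addRule(function(action, subject) {
    // The pattern is anchored with ^ and $ and the dot is escaped. An
    // unanchored pattern with a bare "." would also accept longer unit names
    // that merely contain an "openvpn-client@<name>" fragment, and any
    // character in place of the dot, which authorizes more units than the
    // rule is meant to cover.
    var instancePattern = /^openvpn-client@[a-z]+\.service$/;

    if (action.id == "org.freedesktop.systemd1.manage-units") {
        // test() returns a boolean; a missing "unit" detail is coerced to the
        // string "undefined", which the anchored pattern rejects.
        var isClientInstance = instancePattern.test(action.lookup("unit"));
        if (isClientInstance && subject.isInGroup("wheel")) {
            // Only these three verbs are approved; enable, disable, reload
            // and the rest fall through to the default policy.
            var verb = action.lookup("verb");
            if (verb == "start" || verb == "stop" || verb == "restart") {
                return polkit.Result.YES;
            }
        }
    }

    // Reached for every request this rule did not approve. Nothing is
    // returned, so polkit goes on to the next rule or the default policy.
    polkit.log("action=" + action);
    polkit.log("subject=" + subject);
});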
Asked by Worried in Denver
Mar 13, 2017, 03:15 AM
Last activity: Nov 7, 2017, 10:51 PM