I am trying to create QMC organizational admin roles for my power users to do publishing of their apps.
I have created the custom property for each stream by division.
Criteria 1: The user must be a Division Admin
Criteria 2: The user can publish any application belonging to that division OR any application created by them
Criteria 3: The user can only publish in the division stream which the user belongs to
Security Rule (A)
((user.roles="DivisionAdmin")
and (resource.@Company_Division=user.@Company_Division or resource.owner.name=user.name)
and (resource.stream.@Company_Division=user.@Company_Division)
and (resource.resourcetype="App" or resource.resourcetype="App.Object"))
Action: Create, Read, Update, Delete, Publish
Security Rule (B)
I have another security rule which gives users read access to individual streams. (Governed by custom property)
Criteria 1: The user can read any stream as long as they are given access to it
My security rule goes like this:
((resource.@Company_User_Stream_View=user.@Company_User_Stream_View))
Action: Read, Publish
Following this thread, Re: Can't publish a sheet, I am able to resolve the issue of the missing publish button.
However, I am not able to restrict my power users to publishing applications in certain streams only. (i.e. Rule A, Criteria 3)
Please advise, if you know the solution. Thanks in advance!