I tried it today on 3.0.2. It's not working for me. Not sure of what I'm doing wrong yet. I'm very close because when I do an audit, I get a yellow result for the app that has the same custom property value as my test user.
My Stream Rule:
Resource Filter: App*
Conditions: (resource.resourcetype = "App" and resource.stream.HasPrivilege("read") and resource.@AppLevelMgmt.empty()) or ((resource.resourcetype = "App.Object" and resource.published = "true") and resource.app.stream.HasPrivilege("read"))
My Exception Rule:
Resource Filter: App_*
Conditions: ((resource.stream.HasPrivilege=("read")) and (user.group=resource.@AppLevelMgmt))