Security Rules - Access stream if have access to app
I was wondering if it is possible to let users only see streams they have an app in, without having to maintain their stream access in another list. In other words, it should be one simple rule, not forcing me to maintain all streams listed somewhere.
I am importing users with attributes, which I can then tie to apps:
User: John (has a user attribute named "appAccess" with a value of "ABC")
App: ABC resides in the Sales stream
So I'd like to create a rule that allows John to see the Sales stream because he has access to the App inside.
The rule for app access is simple: Resources: Apps_* (user.appAccess=resource.Name)
I do not want another user to be able to see the Sales stream, unless they can see an app inside.