Thank you for you answer, it's very helpfull, but i'm still facing a problem: i've in production lots of streams and apps, and when i disable the Security rule "Stream", my users canno't see the apps, so, how can i create this security levels without disturb the users?
The basic consept of the security rule "Stream" is that you have access to all apps in the stream.
It is possible to do what you want, but not out-of-the-box.
You need to duplicate the default "Stream" rule, and then disable the default "Stream" rule. In your new rule, make an exception for the stream in question.
My approach was to do this generic by creating a custom property for all streams. The property gives true/false on generic stream rule or an app-specfic rule.
You then need to adapt your new rule to this property.
In addition create rules for the specific apps in the stream.
Because you only have two apps it's easy to do this with two rules, but if you have a lot of apps, I would suggest that you create another level of security with a second custom property for apps and then make rules based on that.