Hope this helps. You need to create custom properties: one belongs to streams and users. Another custom property belongs to App and users.
Each stream will have a custom property value. For example, let's say you created a custom property called StreamGroup. You have a stream called Testing. Create a value of Testing, or something that lets you identify that it belongs to the Testing stream, in the StreamGroup custom property. Once you have created it, assign that value of the custom property to the Stream. The same thing goes for the App also.
Stream values and App values from the custom property also apply to the user profile. Once this is done, you will create universal security rules.
Disable the Stream security rule in order to have the things below work:
Name of the Rule : UDR_Stream_StreamAccess_Group (This will give access to Stream)
Resource Filter : Stream_*
Conditions : ((user.@StreamGroup=resource.@StreamGroup))
Name of the Rule : UDR_Stream_App Default Rule (This will give access to App to users and they can see all apps in a stream)
Resource Filter : App*
Conditions : (resource.resourcetype = "App" and resource.stream.HasPrivilege("read") and resource.@AppLevelMgmt.empty()) or ((resource.resourcetype = "App.Object" and resource.published ="true") and resource.app.stream.HasPrivilege("read"))
Name of the Rule : UDR_Stream_App Custom Rule (This will give access to a specific App to users. AppLevelMgmt is a custom property for apps. By default, if you don't have any restriction in a stream, then you don't assign any values to the App. In a stream, if you want to maintain security for each app, then you will assign values to that app and to users.)
Resource Filter : App_*
Conditions : resource.stream.HasPrivilege("read") and ((user.@AppLevelMgmt = resource.@AppLevelMgmt ))
We learned the hard way how to implement these. Security rules are a different world to maintain. Please test a lot before making them available to users.
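
The access outcomes the three rules above should produce, modelled in Python as an added example that is not part of the original post and is not Qlik's rule engine. It assumes custom properties are multi-valued and that `=` is true when any value is shared, it leaves out the App.Object branch, and the streams, apps and users are constructed sample data.

```python
# Simplified model of the three rules from the post, for building a test matrix.
# Assumption: "=" on custom properties is true when the two sides share a value.
from dataclasses import dataclass, field

@dataclass
class User:
    name: str
    stream_group: set = field(default_factory=set)    # user.@StreamGroup
    app_level_mgmt: set = field(default_factory=set)  # user.@AppLevelMgmt

@dataclass
class Stream:
    name: str
    stream_group: set = field(default_factory=set)    # resource.@StreamGroup

@dataclass
class App:
    name: str
    stream: Stream
    app_level_mgmt: set = field(default_factory=set)  # resource.@AppLevelMgmt

def stream_read(user, stream):
    # UDR_Stream_StreamAccess_Group: user.@StreamGroup = resource.@StreamGroup
    return bool(user.stream_group & stream.stream_group)

def app_read(user, app):
    # Both app rules first require resource.stream.HasPrivilege("read").
    if not stream_read(user, app.stream):
        return False
    default_rule = not app.app_level_mgmt  # resource.@AppLevelMgmt.empty()
    custom_rule = bool(user.app_level_mgmt & app.app_level_mgmt)
    return default_rule or custom_rule

def access_matrix(users, apps):
    return {(u.name, a.name): app_read(u, a) for u in users for a in apps}

# Constructed sample data (hypothetical names, apart from the Testing stream).
TESTING = Stream("Testing", {"Testing"})
FINANCE = Stream("Finance", {"Finance"})
APPS = [App("Open Dashboard", TESTING),
        App("Restricted Report", TESTING, {"RestrictedReport"}),
        App("Ledger", FINANCE)]
USERS = [User("alice", {"Testing"}),
         User("bob", {"Testing"}, {"RestrictedReport"}),
         User("carol", {"Finance"}, {"RestrictedReport"})]

if __name__ == "__main__":
    for (u, a), ok in access_matrix(USERS, APPS).items():
        print(f"{u:6} {a:18} {'ALLOW' if ok else 'deny'}")
```

The carol row is the case worth checking in a real environment: a matching AppLevelMgmt value must not grant the app when the user has no read access to its stream.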