thanks for the reply, that's not really what I am after I'm afraid, not sure if the question wasn't detailed enough.
I have a stream lets say 'Finance', an app lets call is 'P&L' (which is published into the stream) and a user 'Bob'.
When Bob logs onto the hub he should not by default see the stream 'Finance'.
Bob is now added to the security rule for the app 'P&L' and now he should see the stream 'Finance' because he now had access to 'P&L app which is published to the stream
Hopefully that makes more sense
but that will required system admin to add both access for stream and app.
if we can authorization stream base APP, then the mgmt work loading will be more easier
but base my understand in Qliksens SR, it was match rule with resouce one by one,
you can not get the stream object from the app object, and also can not refer to sub-app from stream,
so I think it will not work in this way