Thank you for your response. I'm aware that this is a security rule issue. I've created a rule for each stream that gives users access to the concerned stream. The resource for the stream is defined as:
STREAMNAME, App_*, App.Object_*
so each user can only view a specified stream and the apps inside it, but at the same time the user can view all other apps in the "Work" folder. This is the problem I need to resolve.
Appreciate your help.
Shouldn't the following script limit access to the unpublished apps to the Developer group (*_Dev_Group)?
Meaning each developer has access and view rights to unpublished apps belonging to his own group:
(user.group like "*_Dev_Group") and
(resource.resourcetype="App" and resource.App.stream.Empty()) and
(resource.IsOwned() and resource.owner.group = user.group)
*_Dev_Group are AD groups.