ACL per category?

Is there a possibility to set the access control lists per category and not only per stream?

We use the category for a simple multitenancy system.So every tenant stream is prefixed with a tenant identifier. The name for a customer aggregate then looks like this:

Tenant A

  • tenanta-customer-7af1d88a-574a-4ffd-a65c-621ed1a5dcfc
  • tenanta-customer-a5fcade5-71e5-4538-89ec-303e5cb0e90b

Tenant B

  • tenantb-customer-bc31b7b7-bdb3-4160-8395-774ae8e922a4
  • tenantb-customer-3745c63e-0297-4e4f-9303-a61416f7174c

So the ACL should allow tenant A only to access all streams starting with “tenanta-" and tenant B the streams with "tenantb-”.

Is there any way to achieve this with the current ACL system? (I saw there was a discussion back in 2016, but without any result).

The alternative would be to use a reverse proxy in front of the eventstore that does the authentication/authorization.