The account is the owner of the MD created, and the app which requested the creation of the MD is added to the permissions list when it invokes the quickSetup function in the MD API (or using the put function of the MD API it can specify which permissions to be set for itself in the MD).
So you can restrict access to the MD entries using the MD Permissions and PermissionsSet APIs, and you can set those permissions to specific sign keys (that’d be the app’s sign key you are giving/denying access to), or you can set permissions for any app by providing a null sign key to those APIs (we’ll expose that as constants eventually to make it clearer for the developer).
2 Likes