MultiChain does not yet support this kind of multitenant security directly – if an external process has access to the JSON-RPC API, it can use any of the keys in that node's wallet.
The solution for this kind of scenario is to hold the private keys outside the wallet. We have a tutorial for this, but it requires alpha 28, to be released hopefully in the next few days:
Still you should also note that any of these clients can wreak a ton of havoc with the functioning of the node, if they have access to its API. So in any event you still probably want some kind of bridge in the middle to support specific operations, instead of giving them direct API Access.