The easiest way is to create new privileges "mysubsite-user" and "mysubsite-admin". This can be achieved e.g. by defining a method with the name privilege=creator=mysubsite-user for e.g. ::xowiki::Page. The new method should return either 0 or 1 to signal if this user this predicate should be true. You have full control over what you want to check here. Then define a new policy and use the new newly defined privileges where wherever desired.
To see an example for defining a privilege, look at the method "privilege=creator" in xotcl-core/tcl/cr-procs.tcl, and look for a usage example into xowiki/tcl/package-procs.tcl at policy5, where the "creator" is used.
hope this helps