After detailed research on Service Subscription, I've decided to develop configuration application to create CSE and M2MServiceSubscriptionProfile. At this application customer can create their own CSE that includes supported resource types and M2MServiceSubscriptionProfile that includes allowed AEs.
Based on payment criteria, incoming requests will be checked to allow or deny according to resource type. I think, there is just one way to do this, M2MServiceSubscriptionProfile will work with particular resource types that is stored in SupportedResourceType property of CSEBase class. This is the default scenario.
But ServiceSubscribedNode doesn't have to contain a CSE-ID as stated xsd document.
<xs:element name="CSE-ID" type="m2m:ID" minOccurs="0" />
It means there is no need to integrate with a customer CSE, an AE can also connect with the system. For instance, a web application(AE) can integrate with the system to use a particular API on the Service Provider. In this case there is no CSEBase for this customer, AE of customer can connect with Service Provider directly so there is no SupportedResourceType property.
How can I decide to allow/deny particular resource type for this case?
The "SupportedResourceType" attribute of the <CSEBase> is a list of resource types that a particular CSE supports. This list might be different for different CSE's through a oneM2M deployment.
The "CSE-ID" attribute in <ServiceSubscribedNode> is optional because the node does not necessarily need to host an own CSE. It can be an ADN (Application Dedicated Node) that connects to the CSE of another node, e.g. a middle node or an infrastructure node. As the spec in table 9.6.20-2 states:
CSE-ID pertaining to this node (for nodes that have a CSE).
The "nodeID" attribute, however, is mandatory. This means, you can identify the hosting CSE through the <Node> resource.
Also note, that resources of type <M2MServiceSubscriptionProfile> and <ServiceSubscribedNode> are hosted on an IN-CSE only.