The easiest way to control stream access is by using Custom Properties in combination with a Security Rule. You could also do this with a UserDirectory Connector if you have some value say in your ActiveDirectory that you could use in your Security Rule.
How many users do you have and how are they getting loaded into Qlik Sense?
We have successfully integrated ACLs into security rules to restrict stream access. Using AD sync task and appropriate filters, we were able to bring in ACLs/users visibility onto Qlik server and could restrict streams access via security rules for that stream.Like user.group= ACL name for basic identification in rules.