I know what you talking about. I had the same problem.
I developed a custom security role concept and you have to be very careful.
You need to allow the users to see (read App.Object_*) in order to display the diagram.
But if you do this, the creater (from this master visualization) can develop master measure, dimensions and visualization in published apps and normal users can not difference wheater this KPI or Dimension was published from your Qlik Sense Team or from the Creator (whichs created the KPIs and vizualiation)
So you only would give very few people (probably only application owners the right to create kpis, dimensions und vizualtions).
So here is what you gonna need to do.
Resource Filter: App.Object_*
((user.@User_Type="Restricted User" and resource.name like "*ZSM") or and (resource.objectType="masterobject" or resource.objectType="dimension" or resource.objectType="measure")
((user.@User_Type="Restricted User") and (resource.objectType = "sheet" or resource.name="*ZSM") or (resource.objectType="masterobject" or resource.objectType="dimension" or resource.objectType="measure"))
It work's, after adding resource.objectType="sheet".