This is Qlik Sense - there is no concept of CALs. I guess you've given the user as "User Access" Token.
Apps are published in streams so the easiest way to do this is to limit access to a stream.
If you go to Streams and then look in the Sytem rules, you can set up specific user (or groups etc) access to each stream. So if you wanted to limit access to a section of apps, then it's the access to streams you need to look at.