1. Documents are made available by adding documents to the root folder or mounting a folder (System > Setup >Folders). The content of these folders will displayed on the Acces Point providing the user has the right permissions.. QlikView will out of the box use windows file security to handle permissions so users will only se documents that they have at least read rights to (this can be set on folder or document level). In addition to this access can be granted or denied ny using Section Access or using QlikView Publisher to handle distribution, this will set access on file level using either windows security NTFS or by setting the server/publisher to run in DMS mode. In DMS mode QlikView will handle access to the documents and not windows. This is very simple way of explaining it, there is a bit more to it than this but i think this might point you in the right direction.
2. CALs are typically assigned to Named users and will be tethered to that user. If a user has a Named CAL then that user will be able to open and use QlikView documents (providing they have permissions, se above). If you are using Document CALs then these are assigned on the document level within the QMC (Documents tab). Again these are Named licenses and are tethered to a Named user and also tethered to a document. Depending on how you are allocating your CALs then users may or may not be able to open documents depending on availability or assignment of CALs. Again this all depends on if they have permissions to the documents or not.
3. I would recommend attending the Systems Administrator (Server/Publisher) course where all this and a lot more is covered.
When placing the Server in DMS mode access rights are assigned to each document either by using Publisher to assign the rights when distributing (this is dine on the distribution tab on the task) or by assigning access rights directly on the document (this is done on the documents tab > User Documents > authorization).
In both cases you have the possibility of assigning to All Authenticated or Named Users/Groups.
Security Collaboration will happen in Qlikview across 3 levels - Document / Publisher / QVS level authorization.
You can apply certain user restrictions at Document level using Section Access. At the next level you could use Publisher for authorization of reduced documents to different users. the last level done at QVS (can be NTFS / DMS) for each user documents.
As Nils pointed out you could assign to either All Authenticated Users or Named User/Groups at both Publisher & Server level.