Believe the prior partner is spot on with their observation, strict exclusion is likely the issue in that if there are no values associated with a particular row related to the reduction fields, that would in turn lock out the user... I would recommend reviewing the following Design Blog post for starters:
Note, there are some additional links at the bottom of that one, two related to dynamic data reduction which you will also need to review. The one thing you likely want to do here is the following piece noted in the post above:
A good way to debug your Section Access is to temporarily remove the Section Access statement and run the script. The authorization table will then be visible in the data model and you can make selections in NTNAME.
You do this by commenting the Section Access; line of the script, which will then load your security table into the normal data model such that you can then add a list box for the NTNAME field and select a user to see what appears in the other key list boxes/fields as far as available selections, as if things are greyed out, then you know you have a problem in the model somewhere if they should be able to see some values etc. We are working on getting a short video put together to demo this to better understand, but hopefully this will make sense in the meantime.
To help users find verified answers, please do not forget to use the "Accept as Solution" button on any post(s) that helped you resolve your problem or question.
I now work a compressed schedule, Tuesday, Wednesday and Thursday, so those will be the days I will reply to any follow-up posts.