I am looking for some advice on changing our security setup. Like most QV installs we are using Windows authentication (NTFS) with active directory groups securing our Distributed QlikView Documents and then many of our documents are also using Section Access.   Because we are dealing with a fairly large user base, we are looking at a way to automate some our security to avoid the need to do manual updates to AD groups. Questions:

1. Is there a downside to opening up a document to a larger group if using strict section access to control what data can be seen?  In other words open up a document to 1000 users even though only 100 have the section access authority to see the data.  
2. What are the options of setting up a hybrid approach?   If an AD group is assigned check the user against it, if the user is not found in the AD group, check something like SAP roles? In this approach we could set up the non SAP users for authorization and the SAP users would be based on their roles?
3. Web Ticketing.   There is some great documentation on Web ticketing but it appears to be an all or none solution that would need implemented across the server.   We are a clustered environment as well. Can folks give their feedback on their success or failures  in implementing web ticketing in a large clustered complex environment?