Once an app is published to a stream by an administrator, users in that stream aren't able to access the script. I don't think there's an ability to hide parts of the script at this point in time. Similarly, objects and the expressions in them of published sheets can't be edited. Depending on the security rules in place users within the stream can duplicate a sheet and then access the expressions, but they effectively become content only for that individual unless/until published.
Does that help? I may be misunderstanding the context of your question.
Thank you so much for your prompt reply. Great to hear the script can be made inaccessible...
I really am not very familiar with sense server.
So, after the app is published by an administrator, can certain users add or change the visualizations though? Or is it an all or nothing situation?
Hope the question makes sense.
Yes, once an app is published users with certain default roles, such as ContentAdmin and DeploymentAdmin, can add or change the visualisations. Customised roles can also be created using the security rules engine, this is a very flexible tool for setting up a Qlik Sense environment to suit the way you want to use it. More detail on the default roles can be found here: http://help.qlik.com/sense/en-US/online/#../Subsystems/ManagementConsole/Content/QMC_Entity_Users_DefaultRoles.htm?Highlight=roles