Well, Just Today I was going through something similar.
One option is if you look at the security rules in QMC, there are already some defined, you can get something out from them.
Another option is to define a new role for this user with the corresponding rights. The help page Security rules example: Recreating a document admin by creating a QMC app admin ‒ Qlik Sense
this should give you some insight...