The ticket should just authenticate the user to the portal. Then in the Distribution task you can specify the authorized users to open that document in the Publisher task itself, and using section access too. If the user is authenticated but not authorized, this will not see the document, therefore will not be able to open it.
There is a third way going to the QMC and setting manually which groups are able to see what documents, again, even when the user has a ticket, i.e.: has been properly authenticated, will not be able to open a document he is not authorized to.
Hope that helps.