You are making this SA script very complex for an unknown reason.
It is quite simple.
You have your SA table in Excel.
In your Excel file, add the row below as the first line:
USER, INTERNAL\sa_scheduler, *
All the ACCESS field values should be USER; do not give anyone ADMIN.
The field name should NOT be NTNAME; it should be USERID.
For Cost Center, make sure you respect case sensitivity (all in caps, even the field name) and add the values which you want to restrict within that script; avoid concatenation.
That would be your SA table.
Now, in your script:
Star is *;
Section Application; use the below.
Here the trick is to also make sure your Fact table has Upper for Cost Center.
In your fact table, use the below:
Upper([Cost Center]) as COST_CENTER
Now the names match in both the SA table and the Fact table; data would be reduced based on that.
If you are an admin, then for the COST_CENTER field in the SA Excel table just give * to yourself and the sa_scheduler account.
For the rest of the users, give the COST_CENTER values you want to restrict.
It would be better if you could upload your SA Excel file.
If you get locked out, then right-click on the app and open without data.
Are you restricting users based on data or application or stream?
If it is data reduction, use Section Access (please provide your SA Excel file).
If it is app restriction, use Security Rules in the QMC; it is a bit tricky.
If it is stream restrictions, use the QMC.
Search for Sheet/App/Stream level security in the Qlik community; you'll find a lot of posts on that.
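The Section Access setup described in the reply above, put together as one load script. This is an added example, not the poster's own script: the SA table is loaded inline instead of from Excel so the script is self-contained, and the EXAMPLE\ user IDs, cost center values and amounts are constructed placeholders.

```qlik
// Added example with constructed sample data.
Star is *;

Section Access;
// Field names and values in upper case. The field is USERID, not NTNAME.
// Every row is USER; no ADMIN rows.
LOAD * INLINE [
ACCESS, USERID, COST_CENTER
USER, INTERNAL\SA_SCHEDULER, *
USER, EXAMPLE\APP_OWNER, *
USER, EXAMPLE\ANALYST1, CC100
USER, EXAMPLE\ANALYST2, CC200
USER, EXAMPLE\ANALYST2, CC300
];
// Note: in the reduction field, * means "every value listed in this
// table" (CC100, CC200, CC300 here), not every value in the data.

Section Application;

Fact:
LOAD
    // Upper() makes the fact values match the upper-case SA values,
    // and the alias gives the field the same name as in the SA table.
    Upper([Cost Center]) as COST_CENTER,
    Amount
INLINE [
Cost Center, Amount
cc100, 1200
Cc200, 800
CC300, 450
cc999, 75
];
// Expected reduction:
//   EXAMPLE\ANALYST1   -> CC100 only
//   EXAMPLE\ANALYST2   -> CC200 and CC300
//   * rows             -> CC100, CC200, CC300 (CC999 is not listed
//                         in the SA table, so * does not cover it)
//   any other user     -> no access to the app
```

If the app owner must see every cost center, each value that occurs in the data has to appear somewhere in the SA table's COST_CENTER column, otherwise the * rows will not include it.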