It looks like it would be straight forward on a site where tags are used to grant users rights to streams. This is a pretty good idea for a number of reasons, and it seems reporting on permissions is one also.

Connecting to the API can be done by following this article (note 4244 should be 4242 in one of the screen grabs):
https://support.qlik.com/articles/000038012

These endpoints can then be used to get the information:
https://help.qlik.com/en-US/sense-developer/June2020/APIs/RepositoryServiceAPI/index.html?page=1072
https://help.qlik.com/en-US/sense-developer/June2020/APIs/RepositoryServiceAPI/index.html?page=516
https://help.qlik.com/en-US/sense-developer/June2020/APIs/RepositoryServiceAPI/index.html?page=1079

Note that it would rely on the security rules on the stream being aligned to the tags on the users and the same tags being used on both.

This endpoint gives more results with less code (you need to loop both users and streams using the endpoints above) but authenticating for POST using the Qlik REST connector is more troublesome.
https://help.qlik.com/en-US/sense-developer/June2020/APIs/RepositoryServiceAPI/index.html?page=1322

Hi. It’s not something I have tried to get to, but anything that can be done in the QMC should be possible with the right API calls. Starting with the REST connections would be the easiest point of entry, but I don’t think security rules are exposed like that. I saw a post about looking at the calls the browser makes when displaying QMC pages, such as the audit pages, I will have to find that one out again…