Thanks Stephan / Bas. Set entity access on the Microflow on true and it works.
I was too much focused on the document template itself. But the Microflow who call's that document template pass through the acces rights indeed.
A microflow is normally executed without applying entity access. You can set this to true in the properties window under Security, 'apply entity access'.
Note that not applying entity access in the microflow doesn't mean that the web client will see things it can't see, whatever data is directly sent to the client still is filtered for security, but you can do operations on the server that give you full access (and are faster) in this way. Say for example you want to search for a similar record with a given name, if you'd apply entity access it would not be possible to do such a thing. It does however mean that all server operations executed by that microflow will ignore entity access. For the type of report that is then downloaded for a specific user, you'd turn entity access on.