You can use Delegated admin option. But since you are blocking from certain connections/folders, they will not be able to use promotion management to promote the objects from those folders or connections or users you denied the rights.
Denied rights will take precedence.