Understanding Pipeline Permission Levels: Allowing Execute Without Edit Access

Dear Community, I'm trying to understand the permissions levels for pipelines. My goal is for my user group to load a file into a dedicated project space and execute a pipeline in a second project space where they can execute, but not edit any pipelines. I gave the user group 'Read & Execute', but they can still edit the pipeline. SnapLogic documentation makes it appear that this would be the correct permission. Have I set this up correctly?