The ability to “author” reports (create, change, etc.) is controlled by WebI application rights. The ability to view, refresh, schedule is controlled by the folder holding the documents. Get that separation clear in your mind, and the solution becomes (almost embarrassingly) simple.
Go to the application privileges, WebI, and under General rights (not specific rights), override / grant ONLY the right to Log on to Web Intelligence and view this object in the CMC. ALL other rights should remain Not specified. By the way, if you look in the spreadsheet attached to the Mere Mortals presentation, you will see this on the App rights - Refresh custom access level.
Now go to the folder rights, and you can choose view, refresh, schedule as needed.
Dwayne Hoffpauir 
(BOB member since 2002-09-19)