look at this:
you might need to have 2 different roles for the user - that of 'packager' that can create the package and job, and the role of 'deployer' that can execute the job. and you'd really need a 3rd role that could 'promote' the package.
if the role has job.create and job.execute, i think when they create the job, they will get execute rights as well - double check that though. if that's not the case, they'd create the package and job, then something would run to grant them job.execute on the job. (or whatever the right permission name is)
the script in the kb article does some acl template applications based on a property value set on the package/job to set the permissions appropriately.