When using the audit portion, it does look like this is exactly what we needed and it seems to apply the permissions correctly; however, it does not allow the users to create bookmarks, as I have tested this with a standard user account.
We are also noticing that not all sheets are behaving in the same fashion. Some of the sheets belong to a different stream; one stream allows users to publish while the other does not. The one that is working allows users to publish.
So the questions are:
What are the least privileges you need to create bookmarks?
Can this be done without allowing unnecessary privileges?
Is there a document discussing the hierarchy to better understand Least-Privilege administration in Qlik?
Basically, there is an issue with sync persistence that means you will need to recycle your services on all nodes due to caching from the repository service.
They provide a way of disabling the caching altogether, but we opted not to do this because of how many users we get to log into the system. I believe this was the better route as I didn't want to track making custom changes due to a bug and confirm when I would need to revert. I just make a note that services may need to be restarted as we wait for shared persistence. I would also like to add that this was the only time it happened for us, so it is a rare occurrence.