As described here, to start a QMC Task, "Read" privilege on the task itself and "Update" privilege on the resource the task is associated with are required to give effective permission to start a task.
Not so for new(ish) External Program Tasks - in this case, "Update" permission needs to be applied to the task itself to allow a user to start the task. What this means in practice is that if I give someone permission to run an External Program Task from QMC, that user can also freely edit the task definition, and effectively run any command on the Qlik Sense server as administrator (typically). This is obviously a Bad Thing.
The idea is to either create a separate "Execute" privilege for External Program Tasks, or, if that's not something that would fit with the security model in QS, follow the usual model for tasks by creating some new type of object that would be the associated resource for an External Program Task, so that "Update" privilege would be required only on this new object type (however, the actual command would still have to be defined in the task itself, because the user should not be able to mess with it).