With R80.10 Security Management (the Gateway version doesn't matter for this), you can create a custom workflow that keeps the administrators who make changes separate from the administrators who only install policies.
(For some of our customers, this reason alone was enough to upgrade to R80.10!)
All admins can still call "Verify Policy" in order to check for possible rule-hide-rule situations.
Permissions are enforced at the Management Server, which means that API connections are subject to the same permission settings as sessions opened through the SmartConsole UI.
Create a custom Permission Profile from Manage & Settings > Permissions & Administrators > Permission Profiles.
Make sure to assign this permission profile to one of the administrators. Find this under Manage & Settings > Permissions & Administrators > Administrators.
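Because enforcement happens on the Management Server, the restriction can be checked from the API side as well. The following is an added example, not Check Point's code or part of the original post: it logs in to the Management API as the restricted administrator, attempts an object change (`add-host`) and a `verify-policy`, and reports which commands the server accepted. The server name, credentials, package name and the probe host `perm-audit-probe` are placeholders, and any non-200 reply is treated as a refusal, so read the returned message to confirm it is a permissions error.

```python
import json
import urllib.error
import urllib.request

def call(server, command, payload, sid=None):
    """POST one Management API command; return (http_status, parsed_json_body)."""
    headers = {"Content-Type": "application/json"}
    if sid:
        headers["X-chkp-sid"] = sid  # session id returned by login
    req = urllib.request.Request(f"https://{server}/web_api/{command}",
                                 data=json.dumps(payload).encode(), headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            status, raw = resp.status, resp.read()
    except urllib.error.HTTPError as err:  # the API reports failures as non-200
        status, raw = err.code, err.read()
    try:
        return status, json.loads(raw)
    except ValueError:
        return status, {}

def audit_admin(server, user, password, package, transport=call):
    """Log in as `user` and record which commands the Management Server accepts."""
    status, body = transport(server, "login", {"user": user, "password": password})
    if status != 200:
        raise RuntimeError(f"login failed: {body.get('message')}")
    sid, results = body["sid"], {}
    probes = [
        # Write attempt; the host name and address are constructed test values.
        ("add-host", {"name": "perm-audit-probe", "ip-address": "192.0.2.10"}),
        # Verification, which the post says every administrator keeps.
        ("verify-policy", {"policy-package": package}),
    ]
    try:
        for command, payload in probes:
            status, body = transport(server, command, payload, sid)
            results[command] = {"accepted": status == 200, "message": body.get("message")}
    finally:
        transport(server, "discard", {}, sid)  # drop the probe if the write went through
        transport(server, "logout", {}, sid)
    return results

def separation_holds(results):
    """True when verification is allowed but the object change was refused."""
    return results["verify-policy"]["accepted"] and not results["add-host"]["accepted"]
```

Run `audit_admin` against a lab Management Server with the install-only account; `separation_holds` should return `True` for that account and `False` for an administrator with write permissions.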
This is what SmartConsole looks like for someone with permission to only install policy: