If it were me I'd create a publish package and mount it under ETP and grant people read access to that instance if you'd like them to view publish stats, write to allow them to publish and admin to allow them to admin the publish system. I think that it's cleaner and works better with the existing permission model. You could write the code in such a way that an ETP publish package mounted on a subsite can publish any ETP package below it.
