Hi,
From a repository perspective upload and edit are essentially write operations, so they cannot be reflected directly into repository ACLs. If you need to differentiate between these 2, you should consider to use workflows for uploads and deny write access to the DAM for the role1. Then you have to implement the upload via a workflow and you cannot use the nice drag-and-drop features to upload assets to DAM from your desktop. You have to code then your own upload dialog and upload the files to a temp folder, where the workflow is started. That's not a real nice solution, and requires some major work to make it work well.
I don't think, that this requirement is useful, when users have the ability to directly upload images via the authoring UI.
kind regards,
Jörg