Restricting who can merge a pull request

Hi, I need help with repository access permissions. The workflow that I am trying to achieve is the following: engineers are allowed to clone, submit and review pull requests to a repository but only QA is allowed to merge a pull request.

Currently, both engineers and QA have administrative permissions on the repository. What is the appropriate permission that engineers should have on a repository?