In order for normal users to receive access to restricted files, it must be the case that only certain authorized "normal" users are to be granted this access -- otherwise, the restricted files might just as well be in any old non-restricted location.

So, if you are managing a list of "authorized normal users", it will be best to have two separate processes: one can be run by normal users and does nothing beyond expressing a request from a normal user to receive one or more restricted files; the other is run only by an admin account, and services these requests from normal users, by checking the authorization list, confirming whether the given user is authorized to receive the requested file(s), and either providing the files or not, depending on what the authorization list says.

But then, you might also have to worry about how you convey the restricted files to recipients, and whether the recipients have the sense and wherewithal to protect the files from unauthorized exposure to others.

The one thing you certainly do not want is for normal users to autonomously use some process that allows admin-level access of any sort. That's asking for trouble.