It would it be great to limit the ability for users to initiate workflows at the workflow level itself.
Currently, you can only grant workflow permissions at the state's role level. However, it's permission to initiate any workflow. It would be great if in addition to role based permissions, which would give you the right to start any workflow, there was workflow security. By default all users would be allowed to start that workflow if their role allows for it at the applicable state, but it would also allow for overriding default access.
For example, I might want to have workflows that perform regular and super-user functionality. I would want my super users to be able to start all functionality workflows, but my regular users to only have access to the regular functionality workflows.
And to expand on the workflow permissions, a similar approach should be applied to state change permissions. As workflows, the ability to change states is granted at the state's role level and any state actions defined can be invoked. I'd like to see the ability to control that. For example I want users in group x to be able to change to state's a and b while group y can only change to state a.