JIRA supports the ability to customise the workflow by defining new actions but there is no way of applying security to these actions by the use of permissions.
What is required is the ability to define custom permissions which can be checked by the workflow. For example:
If the workflow defines a custom action "Promote Issue to Test" then there should be an associated permission called "Promote Issues to Test" so that only users with the appropriate permission can execute the action. Currently the interim workaround is to allow only the current assignee to execute any custom actions.