In Plone we can assign permission roles to user and groups. We also can assign roles based on context. But what many don't know, this is also possible based on group membership and workflow state.
First we need to add some groups we want to manage and assign them to the workflow:
then we can map groups to permission roles for each workflow state: