Like how attributes can currently be limited to a certain project or issue type, allow for attributes to only be editable by a group or role.
Use case:
We have a "No Charge" boolean attribute, to indicate that time logged should not be charged for. We do not want the users that log this work to be able to set it. We have a role for billing that we want to be able to set or unset this attribute.
Do you also need view permission? I'm considering to implement only editing part of this. I know there may be use cases you don't want others to view what value a worklog attribute is set but it is making handling of worklog attributes a lot more complex. Currently visibility of worklog attribute already depends on a few factors.
In our use case it wouldn't matter if the users that log work could see it or not, just as long as they can't set or unset it.