There are many scenarios in which we want only a particular group of users to be able to change the particular state transition of WI. For example we want only the Testers group to change the Bug WI state from Resolved to Closed, and restrict developers group from changing this state-transition.
This restriction can be achieved by following two steps,
1. Restrict write permissions by placing users in the appropriate security groups (on project level).
2. Now you can restrict which users can perform work item state transitions by modifying the work item type definition and placing "for" and "not" attributes on the state transition. For example:
<TRANSITION from="Resolved" to="Closed" for="[Project]\Testers">