MPRs should either have “Grants Permission” ticked, or they should trigger Workflows, but preferably not both.
Separating your MPRs in this way makes the Workflow MPRs very simple: they will mostly either be Set Transition types or trigger on requests submitted by “All People”.
Permission to actually make a change is meanwhile controlled by the “Grants Permission” MPRs, and this is where you can put all your complexity about who can do what, and under what circumstances.
You also minimise the risk of SQL duplicate key exceptions, the error that happens when two workflows try to update the same attribute as part of the same request. By separating the MPRs you can model how the change can happen with your Grants Permission MPRs, and then have a single Workflow MPR that responds when the request is made.
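One way to find the MPRs that break this separation, as an added audit example rather than code from the original page. It assumes the MPRs are FIM/MIM Management Policy Rules read through the FIMAutomation snap-in, and the service URI shown is the default endpoint, to be replaced with your own.

```powershell
# Added audit example: list MPRs that both grant permission and trigger workflows.
# Assumption: runs where the FIMAutomation snap-in is installed and the FIM Service is reachable.
Add-PSSnapin FIMAutomation -ErrorAction SilentlyContinue

# Assumption: default FIM Service endpoint; change it to match your environment.
$uri = 'http://localhost:5725/ResourceManagementService'

# Attributes on a ManagementPolicyRule that reference workflows.
$workflowAttrs = 'AuthenticationWorkflowDefinition',
                 'AuthorizationWorkflowDefinition',
                 'ActionWorkflowDefinition'

function Get-AttrValues($resource, [string]$name) {
    # Return every value of one attribute, whether it is single- or multi-valued.
    $attr = $resource.ResourceManagementAttributes |
        Where-Object { $_.AttributeName -eq $name }
    if (-not $attr) { return @() }
    if ($attr.IsMultiValue) { return @($attr.Values) }
    if ($attr.Value) { return @($attr.Value) }
    return @()
}

# Read-only export of the MPR objects themselves (no referenced resources).
$mprs = Export-FIMConfig -Uri $uri -OnlyBaseResources -CustomConfig '/ManagementPolicyRule'

$findings = foreach ($mpr in $mprs) {
    $r = $mpr.ResourceManagementObject
    $grants = @(Get-AttrValues $r 'GrantRight') -contains 'True'

    # Collect the names of the workflow attributes that are populated on this MPR.
    $used = @($workflowAttrs | Where-Object { @(Get-AttrValues $r $_).Count -gt 0 })

    # Flag only the combination the guidance above advises against.
    if ($grants -and $used.Count -gt 0) {
        [pscustomobject]@{
            DisplayName   = @(Get-AttrValues $r 'DisplayName') -join ''
            MprType       = @(Get-AttrValues $r 'ManagementPolicyRuleType') -join ''
            WorkflowAttrs = $used -join ', '
        }
    }
}

$findings | Sort-Object DisplayName | Format-Table -AutoSize
```

An empty result means every MPR either grants permission or triggers workflows, but not both; each row returned is a candidate for splitting into a Grants Permission MPR and a separate Workflow MPR.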