There are a couple of ways to do this from the code. The easiest method is to restrict the workflow buttons to certain groups.

For example:

<button string="Mark Won" groups="group_sales_manager" />

Putting a "groups = '' " arguement on any field or button within your XML definitions restricts those items to just the groups listed. You can add multiple groups by comma-separating them.

The second method isn't as straight forwards and probably not recommended but might be more flexible. You can override the write method for whatever entity you are on and perform some checks. E.G.

def write(self, cr, uid, ids, vals, context={}):
    if 'state' in vals and vals['state'] == 'won':
        ## Perform your checks on user groups here
        ## If the person is not a sales manager, show them an error message
        dummy,group_id = dataobj.get_object_reference(cr, 1, 'base', 'group_sales_manager')
        user = self.pool.get('res.users').browse(cr, uid, uid)
        if group_id not in user.group_ids:
           ## Raise your error message
           raise osv.except_osv(_('Error Message Title'), _("You are not a sales manager and so you are not allowed to win this thing"))
    return super(entity_you_are_working_on, self).write(cr, uid, ids, vals, context)

The above isn't an accurate piece of code but it gives you an idea of what you can do to control access and workflow. I wouldn't particularly recommend it for general purpose as it can become a real pain to maintain if you have lots of function overrides, but it can be powerful.