If you are on the Cloud, you will need to do this in the workflow as the standard Permissions are not 'granular' enough to separate Tasks from Subtasks, etc...
You will need to create a Permissions scheme for the project you want to do this for, as you probably do not want to do this on the default schema.
You will need to create separate workflows for Task vs SubTasks and add validators that check the role of a user before allowing them to perform the Create Transition (You will need to use the following trick - it's not going to be the standard approach)
Now the 'Tricky' part;
Assign an unused permission (for example: one of the time tracking permissions if you use story points) to the PO and another unused permission to the Scrum Master. In the Create Transition Modify the Permission Validator to check for the permission you used instead of the Create Issues permission (this is because the Create Permissions don't care what the issue type is).
There's a write up about this somewhere, if you need more let me know.
I have multiple projects that use variations of the same base workflow. The variations depend on the requirements of the project or issue type. The variations mostly come in the form of new statuses ...
Connect with like-minded Atlassian users at free events near you!Find an event
Connect with like-minded Atlassian users at free events near you!
Unfortunately there are no Community Events near you at the moment.Host an event
You're one step closer to meeting fellow Atlassian users at your local event. Learn more about Community Events