I'm getting stuck between a best practice / security logjam and I'm hoping someone can help.

We have Issue Security enabled with two levels (A & B). Managers and Team members can see both, Customers can only see A. The Issue Security Scheme default value is A for all issues.

The Set Issue Security permission allows Managers and Team members to set the issue security AND remove issue security. 

Workflow Transition Validations do not support Security Level field, so I cannot check that Issue Security is not blank (i.e. removed).

Making Security Level required breaks Forms in Work Management (unsupported required field error) and causes Issue Quick Add options throughout the project to force a Create Issue pop-up instead. If only Summary & Security Level are required and Security Level has a default value, it can be quickly added with the pop-up by double-pressing Enter, but that's still not really desired. It doesn't remove the UI option of Removing Issue Security, but it does prevent it from affecting the issue with an error prompt, which is acceptable.

How could I allow user-triggered changes in Security Level, keep issue security from being removed by those same users, and NOT set Security Level to Required?

I think the best answer would be to have the permission scheme updated to provide separate permission options for Set issue security from scheme options and Enabling and Removal of Issue Security so that Managers and Team members with the former can interact and set the values on issues, and then only Admins and Managers are set to the latter, to keep from regular Team Members from circumventing security completely.

As near as I can tell, that's not even a suggestion yet, so I'm looking for an alternative in the meantime.

Thanks!