Separate permission for editing variable values without edit on the variables themselves
Creating the variables is often the job of a developer since they are familiar with which variables need to be replaced.
But setting the variable value (ie a database password for the production environment) is typically the duty from an infrastructure/sysops person.
However, a developer doesn't necessarily want somebody from sysops adding or removing variables. Sysops should ONLY be able to edit the value of a variable.
We kind of have this in place by [ab]using variable sets.
Ops are the only folks who have permissions to create and edit variable sets.
Devs then pull in the necessary variable sets for use in their deployments. If they're waiting for them to be cerated/testing stuff, they can just create the same named variables in the project directly.