Found solution:
1. creating custom workflow under /conf/global/setting/workflow/model/projectname/workflowmodel (projectname is a sling:folder with mixinType: rep:AccessControllable)
2. create workflow model in the above folder and sync
3. created runtime workflow under /var/workflow/model/projectname/workflowmodel
4. go to the useradmin console and update the permission (allow/deny) for the specific group on workflowmodel in /var/workflow/model/projectname/workflowmodel