If my company wants a certain role to be able to edit Main level department only on POs, would that be best done in a workflow? They want them to have no other edit rights on POs, just being able to change the department.
James Morris
05/16/2023, 5:26 PM
I'd probably create a custom PO form for them and restrict them to that form. Slightly easier IMO and more flexible for the future, should they suddenly decide they need to have that person also edit other fields. A workflow or scripting might be more appropriate depending on the implications of other/new fields accidentally being edited and what other permissions that role has, but unless there's apocalyptic implications, I think a custom form is the ideal way to go.
Tim Franklin
05/16/2023, 6:00 PM
Also note that custom forms in NS are not isolated to the user, even when set as preferred. On a transaction form, if a previous user used a form the restricted user does not have access to, but they have edit permissions on the transaction, they will see the other form. An additional workflow can be used to set the form upon entry for the restricted role to the restricted form.
James Morris
05/16/2023, 6:11 PM
Even if you set the form as "Restricted" on the role? I thought that disabled access to the other forms.
Tim Franklin
05/18/2023, 9:23 PM
I went through this with support a few years ago and the only true prevention was a workflow to prevent it... the form is not tied to the role but to the transaction... as such once an existing transaction has a form associated with it, the next user to access that form will view/edit that transaction in the associated form, regardless of permission. We created workflows to set the form upon entry to the preferred form for that role. Once reloaded the other forms not allowed are not available.
James Morris
05/19/2023, 1:27 PM
Very interesting! Is that only if you only have the "store form with record" option selected? Or any time someone saves the record using a different form? I knew that form restrictions weren't like actually baked into the security architecture, so I figured there were ways to get around it if someone was really clever, but I thought it was a little more robust than that for users only accessing the records directly through the UI.