When a user has no access to the default workflow state of a content type he will not be able to create items and the content type should not appear in the "Create new" menu.
The menu items should be depending on the role of the user. For example: Authors should only see the option 'Create new article'. This applies only when the WorkflowBundle is loaded. Without the WorkFlowBundle every content type must be shown.
Note: users with ROLE_ADMIN always have access to anything, so they should see everything.
Make sure you install the WorkFlowBundle first: https://bitbucket.org/eactive/integrated-workflow-bundle/overview
Go to Manage - Workflow. Add a new workflow. The new workflow needs a name and some states. For example: Draft and Published. One state needs to be the default. Write permissions for the default state need to be available for specific groups only.
Go to the menu: Manage - Content types. Edit a content type. Choose the Workflow you just created for this content type.
When you log in with a user that does NOT have write permission in the default state the content type should not appear in the "Create new" menu
Note: workflow configuration is saved in ORM (mysql)
The menu is generated in: integrated\content-bundle\Menu\ContentTypeMenuBuilder.php. This is registered as a service. An optional dependency for the service need to be added (http://symfony.com/doc/current/book/service_container.html#making-references-optional). The service need to be written in the WorkflowBundle and the argument in the ContentTypeMenuBuilder must be an interface defined in the integrated-library (maybe a contentTypeList or contentTypeFilter). When the WorkflowBundle is not available the argument will have a null value and all content types must be listed.