However, I do second (strongly) your suggestion to create Create/Reply as a separate permissions tier.
There was a lengthy discussion on this a long time ago:
As I mentioned in that discussion, Create/Reply will be ideal for a secured support-ticket system where you don’t want everybody to be able to see other people’s tickets.