Define the permissions used by the workflow to 'View'( to view the object ),
'Modify portal content' ( to modify all information on the object) 'Access Content Information'
( to access/ to view all data saved on the object), 'Add Portal Content'
(add actions on the document) and 'Delete objects' (delete sub-objects).
This allows you to redefine those permissions for each workflow states
of the document. Refer to ERP5 Security Guidelines in order to learn more about