I ran across an issue last week while working on a project. I had set up role-based access to certain content items in the Sitecore tree, with inheritance for child items. However, I noticed that users who were members of that role did not have permissions to change the item while that item was in workflow. Using the Access Viewer, I noticed that Write and Delete permissions were not granted to members of the role, shown in the screenshot below.
When I checked the permissions for the item, I had everything correct, with Write and Delete permissions for that role. However, the right panel of the Access Viewer gave me a clue as to why these permissions weren’t being applied. It mentioned that “Workflow State Write” and “Workflow State Delete” permissions were usurping Write and Delete permissions for the item.
So I went into the workflow and granted the “Workflow State Write” and “Workflow State Delete” permissions for each of my workflow steps. Bear in mind that depending on your workflow requirements, you may want to grant those permissions for some steps, but not for others. For example, you may want to give content authors Write and Delete permissions for the “Draft” state of your workflow, but not for the “Pending Approval” step of your workflow, because you don’t want them modifying or deleting content once it moves to another step in the workflow.
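Added example, not part of the original post: one way to script the per-state grants described above and then list what each state actually grants the role. It assumes Sitecore PowerShell Extensions (SPE) is installed; the role name and workflow path are placeholders.

```powershell
# Assumes Sitecore PowerShell Extensions (SPE); run in the SPE ISE or console.
# The role name and workflow path are placeholders, not values from the post.
$role         = 'sitecore\Content Authors'
$workflowPath = 'master:\system\Workflows\My Workflow'

# States in which authors may edit or delete items. States not listed here
# (for example "Pending Approval") receive no grant, so item-level Write and
# Delete stay ineffective while an item sits in them.
$editableStates = @('Draft')
$stateRights    = @('workflowState:write', 'workflowState:delete')

foreach ($state in Get-ChildItem -Path $workflowPath) {
    # Only workflow state items carry these rights; skip anything else
    if ($state.TemplateName -ne 'State') { continue }

    if ($editableStates -contains $state.Name) {
        foreach ($right in $stateRights) {
            # Entity propagation: the rule applies to the state item itself
            Add-ItemAcl -Item $state -Identity $role -AccessRight $right `
                -PropagationType Entity -SecurityPermission AllowAccess
        }
    }

    # Report the role's rules on every state so missing grants are visible too
    $rules = Get-ItemAcl -Item $state | Where-Object { $_.Account.Name -eq $role }
    [pscustomobject]@{
        State  = $state.Name
        Rights = ($rules | ForEach-Object { $_.AccessRight.Name }) -join ', '
    }
}
```

A state that shows an empty Rights column is one where the role's item-level Write and Delete will not take effect, which is the condition the Access Viewer reported.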
Overall, remember that the right panel in the Access Viewer is very useful, and provides exact information as to why access is being granted or denied to content items.