WFA by default has 5 role types, and one can either create a local user and assign them these roles or use their AD/LDAP users and assign them these roles.
The lowest level Role is called a Backup Role:
As the name suggests, it allows one to back up and restore. It doesn't allow the user to log in to the WFA GUI, but just to use the PowerShell cmdlet to create and restore backups.
The next role is called a Guest Role (I would personally call it Read Only Role):
- Doesn't have access to the Designer tab (thereby CANNOT modify, create or delete any workflow or its building blocks)
- Cannot execute workflows
- Just read only access to Execution and Portal and Client Settings under Administration
The next role is called an Operator Role:
- No access to Designer Tab
- Can Execute a Workflow
- By default can approve any approval point
- Export/Import Workflow
- Backup & Restore
The next role is called Architect:
- He can do all that an operator can
- Has access to designer to create, modify, delete
- View Logs
The user with the admin role can do all that an architect can, plus:
- Create new users
- Run Setup Wizards for DataSources
- Modify WFA Configurations
So by default any user with any of the 3 roles, namely operator, admin and architect, can approve an approval point.
But admin and architect can do CRUD (create, read, update and delete) operations on workflows and their building blocks.
The operator can approve and execute a workflow, but has no access to Designer.
By default all users with the operator role can approve a workflow, unless you explicitly go and uncheck under WFA Configuration > Other.
Hope this helps