We have setup a couple of custom permission levels on our 2010 Enterprise site, one for document authors and the other for document approvers, however those users who are in the authors group can send the approval workflow to themselves and then approve the document thus bypassing the official processes.
Has anyone come across this before? I was under the impression that you needed to have the approve permission to be able to approve documents otherwise what would be the point in the additional permission level.
If this is by design, is there a way to check if the assigned user has the correct permission level as a first step in the workflow and then allow/stop the workflow from continuing.
We have to have the additional check due to the heavily regulated industry we operate in, our users must not have the ability to self approve documents, telling them they are not allowed to is not good enough.