Add a (non-administrative) user in a group
Add a workflow and add it to a content type
Add a read right for the added group, but not a write right
Open a document with only read rights
Result: the user can write as well
Note: even removing the read rights allows the user the write (however the document disappears from the content navigator)
Verify app/config/security.yml:
access_decision_manager:
strategy: unanimous