Each workflow instance in Alfresco works against a document, the start task "submit" the document, the other tasks in the workflow might add another document, edit attached document, remove attached document and only allowed to read the attached document. This behaviour is set in the workflow model by overriding bpm:packageActionGroup and bpm:packageActionItemGroup.
List of action groups available by default :
allow viewing of package items
above + allow modification (edit, checkout, ...) of package items
above + allow removal of package items
allow removal (but not modification) of package items
allow addition of new package items
Sample model definition which overrides the default action.
I guess this is enough for now.