diff --git a/docs/topics/pending_work.rst b/docs/topics/pending_work.rst index da1a2fd3cf..6445ace184 100644 --- a/docs/topics/pending_work.rst +++ b/docs/topics/pending_work.rst @@ -76,11 +76,35 @@ Other - Automatically capture license information from installed Python packages. +Permissions +~~~~~~~~~~~ +- Permission should be reciprocal. Example: To be able to add a tag to a + document, the user must hold the tag add permission for the document + and for the tag to be added. To be able to enable a metadata type to a + document type, the user must hold the metadata add permissions for the + metadata type and for the document type. +- Edit type permissions should only grant the ability to edit the properties + of an object. To modify its relationship with other objects a reciprocal + permission check should be instead. + Sources ~~~~~~~ - Add ACLs support to sources. - Provide error message/feedback when scanning from a remote scanner fails. - Redirect to the same source when scanning from a remote scanner finishes. +- Require a permission for document types to avoid a user that has the workflow + creation permission to attach a workflow to a document type they don't + control. +- Research making APIWorkflowDocumentTypeList a subclass of documents.api_views.APIDocumentTypeList +- A POST request to APIWorkflowDocumentTypeList should require some permission + on the document type part to avoid adding non controlled document types + to a new workflow. +- To transition a workflow, the transition permission is only needed for the + workflow. Make it necesary to have the same permission for the document + of document type. +- To view the transition log, the workflow view permission is only needed for the + document. Make it necesary to have the same permission for the workflow or + for the transition and the states. Testing ~~~~~~~ diff --git a/mayan/apps/document_states/apps.py b/mayan/apps/document_states/apps.py index 4afebb54f8..7d5b76b0ff 100644 
--- a/mayan/apps/document_states/apps.py +++ b/mayan/apps/document_states/apps.py @@ -106,6 +106,9 @@ class DocumentStatesApp(MayanAppConfig): ), type_name=['property', 'indexing'] ) + ModelPermission.register( + model=Document, permissions=(permission_workflow_view,) + ) ModelPermission.register( model=Workflow, permissions=( permission_error_log_view, permission_workflow_delete,
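Review bot: In the docs/topics/pending_work.rst hunk, the five new bullets about workflows (document type permission for attaching a workflow, APIWorkflowDocumentTypeList, transition permission, transition log view) are added under the "Sources" heading, after "Redirect to the same source when scanning from a remote scanner finishes." They are unrelated to sources and should go under their own workflows heading so the authorization gaps they describe are easy to find. Wording to fix in the same hunk: "a reciprocal permission check should be instead" is missing its verb (for example "should be performed instead"), "necesary" is misspelled twice, and "for the document of document type" probably means "or document type". The APIWorkflowDocumentTypeList research bullet also runs past the wrap width used by the surrounding bullets.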
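Review bot: In the mayan/apps/document_states/apps.py hunk, the new ModelPermission.register(model=Document, permissions=(permission_workflow_view,)) call makes the workflow view permission grantable per document, but nothing visible in this patch adds or changes the view or API check that consumes it, and no test accompanies it. The pending_work.rst text in the same patch notes that the transition log currently needs the workflow view permission only on the document and that the workflow side should be checked too, so this registration alone leaves that one-sided check in place. Please add a short comment above the call stating which view relies on the document-level grant, and include a test that covers access with the permission granted on the document only.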