nutshell .. at least till alfresco adopts a real workflow solution.
if you want to have container based workflows with transitions to states (containers ) that the transition actor / principal does not have access to you, you'll need to bypass the security system. you can either utilize an unproxied nodeservice or runtime swap users to the system account via the authenticationcomponent bean. these are the recommened solutions found on the forums. however, the unproxied services are generally of use imho only when you have a reference handy to the destination container, else resolving a handle to the destination can is problematic ( for path based destinations, fileservice delegates to search which filters results based on access, unless you query directly to an unproxied search service ). ie. the more objects/services you need to touch to determine and move the content to the destination the harder an unproxied approach is. the runtime user swap, whatever its architectural shortcomings, is the past of least resistance.
