As we have alluded to before, managing permissions directly anywhere other than the portal root is normally a bad idea. Every content object in a Plone site is subject to security, and will in most cases inherit permission settings from its parent. If you start making special settings in particular folders, you will quickly lose control.
However, if settings are always acquired, how can we restrict access to particular folders or prevent authors from editing published content while still giving them rights to work on items in a draft state? The answer to both of these problems is workflow.
Workflows are managed via the
portal_workflow tool. If you view it in the ZMI, you will see a mapping of workflows to content types, ...