diff --git a/src/Backend/SolutionErp.Api/Controllers/ApprovalWorkflowsV2Controller.cs b/src/Backend/SolutionErp.Api/Controllers/ApprovalWorkflowsV2Controller.cs
index 4dfe2a7..00a15a2 100644
--- a/src/Backend/SolutionErp.Api/Controllers/ApprovalWorkflowsV2Controller.cs
+++ b/src/Backend/SolutionErp.Api/Controllers/ApprovalWorkflowsV2Controller.cs
@@ -7,11 +7,15 @@ namespace SolutionErp.Api.Controllers;
 // Quy trình duyệt MỚI (Mig 22 — Session 17, 2026-05-08).
 // Schema riêng để UAT, KHÔNG đụng WorkflowDefinition cũ.
-// Reuse policy "Workflows.Read"/"Workflows.Create" giống PE/Contract designer
-// — admin đã có quyền quản lý workflow nói chung.
+// Authorization split:
+// - GET Overview: chỉ cần authenticated — Drafter cần list workflow để pick
+// lúc create PE/HĐ (read-only, không expose business data nhạy cảm).
+// - POST/DELETE: policy "Workflows.Create" — admin-only Designer.
+// Bug fix 2026-05-08: trước class-level "Workflows.Read" → Drafter 403 →
+// Workspace dropdown empty silent (không thấy sample workflow đã seed).
 [ApiController]
 [Route("api/approval-workflows-v2")]
-[Authorize(Policy = "Workflows.Read")]
+[Authorize]
 public class ApprovalWorkflowsV2Controller(IMediator mediator) : ControllerBase
 {
 [HttpGet]
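Review bot: Replacing the class-level `[Authorize(Policy = "Workflows.Read")]` with a bare `[Authorize]` makes "any authenticated user" the default for every action in this controller, so the admin-only guarantee the new comment promises for POST/DELETE now rests entirely on each mutating action carrying its own `[Authorize(Policy = "Workflows.Create")]`, and only `[HttpGet]` is visible in this hunk, so that cannot be confirmed here. Any action added later without an explicit policy attribute silently inherits the weaker default, which is the opposite failure mode of the 403 this commit fixes; consider pinning the split with an authorization test that asserts every non-GET action on `ApprovalWorkflowsV2Controller` declares a policy, and restating the rule where it applies, e.g. `// Class-level [Authorize] is intentionally minimal; every mutating action MUST declare Policy = "Workflows.Create".` above the attribute. The comment's claim that the overview "không expose business data nhạy cảm" is an assertion about the response DTO rather than something this hunk shows — worth confirming which fields (approver identities, step rules, thresholds) the overview returns before treating it as safe for all authenticated roles. The controller body continues past the hunk.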