Question:
How can Vault users who are not already assigned to a role through Dynamic Access Control be prevented from being assigned access in a workflow task?
Answer:
Set the Lifecycle Role's Allowed Group to blank. This setting may default to All Internal Users.
Once the Allowed Group is blank, only users who are already assigned in the document's Sharing Settings can be assigned a workflow task using the role.
Follow these steps:
- Navigate to: Lifecycle --> Role --> Allowed Group.
- To remove the current Allowed Group, highlight it.
- Press the backspace key twice.

Related Documentation:
Vault Allowable Groups Documentation: Dynamic Access Control For Documents