For more information on understanding how user roles and permissions are configured, please see Security

The security roles for the application are listed under the Application record, under 'Roles'. When editing a 'Role', create a Permission in that role. The available options will look something like this:

 
You can enter in a name for your  permission in the Memo box - enter anything in here as the end-user will not see it.

One of the options will be 'Approval Workflow Exclusion'. By default all users are excluded from approval workflow. To force approval workflow, this permission must be denied. So you must set the 'Allow / Deny' to 'Deny', and set the 'Approval Workflow Exclusion' to Yes (to apply the denial to that option). 

Once the Role is created, and the application republished, you can go to the User record in the application and add that Role to the user.