Any idea what ACE entry (path, privilege, permission) I should add for a specific group to be able to see (read only) the list of ALL/any active workflow instances?
The list of active instances is under this URL: http://xxxx:4502/libs/cq/workflow/admin/console/content/instances.html
I added a jcr:read allow permission on the following paths for my group: /etc/workflow/instances, /var/workflow/instances. I still can't see the list of active workflow instances.
You can't make it work by manipulating ACEs.
The AEM Workflow Engine supports a notion of a 'superuser' which can access all workflows, started by any user. Regular users can only see the instances they started.
The list of workflow superusers is controlled by com.adobe.granite.workflow.core.WorkflowSessionFactory.
You can define a custom group and add it to this list. Then, provided that the user has read permissions on workflow models and instances, and is a member of a supergroup, they should see all the workflows.