Hi,
yes, you are right. My intention was to provide a simple yet quite usable way of getting hold of user information while starting/signaling process instance.
What you described is much wider in scope and touches authorization. I meant just to give a possibility to process designers to decide if they are interested in having user information not storing it automatically, at least not at this point.
In addition, any other request information could be provided together with user info, such as additional request parameters, remote host information, headers, etc.
Cheers,
Maciej