no. there is no way to specify authorization in the process language. and hence there are no authrorization checks. but there is authentication. things like logs require authentication. to keep track of who did what. the JbpmContext has a property actorId. JbpmContext delegates to an AuthenticationService to get the actorId. The simplest way to get the actorId in the JbpmContext is to use jbpmContext.setActorId(String). An idea could be to implement a JaasAuthenticationService. That one could look up the subject from the current thread, take the main principal and get its name. That principal name could be used as the actorId in the JbpmContext. This will work for WS requests. But I don't know if this will work for other requests like ejb invocations and web requests. I'm not even sure if authentication is required all the time. If you have time, it could be an option to explore. View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4126470#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...