Just checked JACC. This is my current line of thinking:
An AuthorizationService should be configurable. This service knows how to check
permissions. There is already such a service in the core sources. Not currently used
though :-)
Now when a command is presented to the command execution service, it should check the
jbpmContext for the presence of an AuthorizationService. If such a service is present, the
command execution service creates a CommandPermission and passes the
command-to-be-executed in the constructor of the CommandPermission. Then, the
authorization service is asked to check this permission.
Now, the authorization service can still decide to map the command to specific
permissions. E.g. one impl of the authorization service could map the commands to a set
of roles and use JACC EJBRoleRefPermissions or WebRoleRefPermissions before it
delegates the authorization check to AccessControlContext or SecurityManager.
Makes sense?
This approach also allows for the default setup to be without any authorization service
and hence without any authorization. Easy to get going. But it also allows for flexible
authorization based on the current Java standards if desired.
View the original post :
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4012027#...
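The flow proposed in the post above, as an added sketch that is not part of the original post and not jBPM code. `Command`, `AuthorizationService`, `CommandPermission`, the two sample commands and the role names are hypothetical stand-ins, and a plain role set replaces the JACC role-ref check and the delegation to AccessControlContext.

```java
import java.security.BasicPermission;
import java.security.Permission;
import java.util.Map;
import java.util.Optional;
import java.util.Set;

public class CommandAuthorizationSketch {
    // Hypothetical stand-ins for the types named in the post; not jBPM's real signatures.
    interface Command { Object execute(); }
    interface AuthorizationService { void checkPermission(Permission p); }

    // Permission that carries the command-to-be-executed, named after the command class.
    static final class CommandPermission extends BasicPermission {
        final transient Command command;
        CommandPermission(Command command) {
            super(command.getClass().getName());
            this.command = command;
        }
    }

    // One possible implementation: map each command to a set of roles and deny
    // anything that is unmapped or whose roles the caller does not hold.
    record RoleMappingAuthorizationService(Map<String, Set<String>> requiredRoles,
                                           Set<String> callerRoles) implements AuthorizationService {
        public void checkPermission(Permission p) {
            Set<String> allowed = requiredRoles.getOrDefault(p.getName(), Set.of());
            if (allowed.stream().noneMatch(callerRoles::contains)) {
                throw new SecurityException("denied: " + p.getName());
            }
        }
    }

    // Command execution service: the check runs only when a service is configured,
    // so the default set-up (no service) executes every command unchecked.
    static Object execute(Command command, Optional<AuthorizationService> authz) {
        authz.ifPresent(service -> service.checkPermission(new CommandPermission(command)));
        return command.execute();
    }

    static final class SignalCommand implements Command {
        public Object execute() { return "signalled"; }
    }
    static final class DeleteProcessCommand implements Command {
        public Object execute() { return "deleted"; }
    }

    public static void main(String[] args) {
        AuthorizationService authz = new RoleMappingAuthorizationService(
            Map.of(SignalCommand.class.getName(), Set.of("user"),
                   DeleteProcessCommand.class.getName(), Set.of("admin")),
            Set.of("user")); // constructed caller roles
        System.out.println(execute(new SignalCommand(), Optional.of(authz)));
        try {
            execute(new DeleteProcessCommand(), Optional.of(authz));
        } catch (SecurityException e) {
            System.out.println(e.getMessage());
        }
        System.out.println(execute(new DeleteProcessCommand(), Optional.empty()));
    }
}
```

The last call shows the consequence of the optional service: with none configured, the command that was refused a moment earlier runs without any check.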