Hi Tom, okay, the idea sounds nice. As a Java-EE guy JACC is new to me, but no problem :-) Okay, I found the AuthorizationService (-Interface). I haven't found any good informations on the "EJBRoleRefPermission", not even with Google! But okay, to get it working with JAAS should not be a big deal. I will try that and come back, if there are any problems. One problem I just want to pass to you Tom: Can you add the AuthorizationService to the jbpmContext? Or shall I try to do that by myself? And one problem remains: How we do the mapping between commands and roles? Going by Command-Name is not the best idea, I think. 2 other ideas: - introduce a mapping-file (CommandName, required-roles) - add the method to the CommandInterface as suggested The first one is maybe more flexible, but to have everything in java more handy. And special solutions (like "this guy is only allowed for processes of that organizational unit") has to be implemented by hand anyway. So I would prefer the second way, but what do you prefer for that? View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4013051#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...