At this point introducing and checking permissions has not been a priority because in most cases this responsibility is assumed by the application (webapp, standalone app) hosting jBPM. Moreover it is very difficult to provide a generic system that does not impact performance and that satisfies every user. So the way to do this is to define the permissions you want to have in your system, develop your own AuthorizationService and the checkPermission method of this service, and insert calls to this service at the appropriate places in the jBPM code as this service is not yet used for the reasons stated above. Hope this helps, Koen View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3956862#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...