jBPM leaves the actual authentication and authorization to your own application but can use external sources with user data for task assignment etc. This is achieved by providing the possibility to plug-in your own user management. To boil it down to the briefest summary: There is an interface which can be implemented and thus replace the example implementation. Search the forum for this and take a look at the documentation. A ready-to-use implementation to access a directory service is not supplied by jBPM itself but it can be easily achieved and if you search the forum you will find an implementation for LDAP which can be used for Active Directory.