in hibernate.cfg.xml follow the directions to comment out the user,group and membership objects. Then, you can just delegate the security to your application container and manage access using the container's built in security mechanism. A lot can be discussed about when you should do this and when you should not. It seems to me that because jbpm is really just a jar, a lot of time you can rely on the app server for security. | | <!-- following mapping files have a dependendy on --> | <!-- 'jbpm-identity-{version}.jar', mapping files --> | <!-- of the pluggable jbpm identity component. --> | <!-- comment out the following 3 lines if you don't--> | <!-- want to use the default jBPM identity mgmgt --> | <!-- component --> | <mapping resource="org/jbpm/identity/User.hbm.xml"/> | <mapping resource="org/jbpm/identity/Group.hbm.xml"/> | <mapping resource="org/jbpm/identity/Membership.hbm.xml"/> View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3961123#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...