i think that can depend on a lot of factors.
some determine this by static authorization role. e.g. if you are a 'manager'
then you can do that.
in other scenarios it might depend on the identity component group membership. e.g.
reassignment is only allowed within your team
i don't see a single way on how we'll be able to tell who is allowed to
assign/reassign a task. so our strategy then is typically to make it pluggable.
pluggable authorization is already a part of the command based service methods. the idea
is that an authorization interceptor would delegate to some custom configured
AuthenticationSession like this:

    public class AuthorizationInterceptor extends Interceptor {

        public <T> T execute(Command<T> command) {
            Environment environment = Environment.getCurrent();
            if (environment == null) {
                throw new JbpmException("no environment for verifying authorization");
            }
            AuthorizationSession authorizationSession = environment.get(AuthorizationSession.class);
            if (authorizationSession == null) {
                throw new JbpmException("no AuthorizationSession in environment for verifying authorization");
            }
            authorizationSession.checkPermission(command, environment);
            // if the authorization check succeeded, proceed
            return next.execute(command);
        }

    }

but i don't think we have a binding or documentation for this yet. don't think
that is a priority.
does that answer your question?
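
Added example, not part of the original post and not jBPM code: the two policies mentioned above (static 'manager' role, reassignment only within your team) written as interchangeable implementations of one check, to show why the same command gets different answers depending on which one is plugged in. `ReassignTask`, this one-argument `AuthorizationSession` and the sample users are hypothetical names made up for the illustration.

```java
import java.util.*;

// Added illustration: every type below is hypothetical, none is jBPM API.
public class PluggableAuthorizationDemo {
    // Hypothetical command: 'actor' moves a task from one assignee to another.
    static final class ReassignTask {
        final String actor, fromUser, toUser;
        ReassignTask(String actor, String fromUser, String toUser) {
            this.actor = actor; this.fromUser = fromUser; this.toUser = toUser;
        }
    }
    // The pluggable policy; an implementation throws SecurityException to deny.
    interface AuthorizationSession { void checkPermission(ReassignTask command); }
    // Policy 1: static role check, only a 'manager' may reassign.
    static AuthorizationSession roleBased(Map<String, Set<String>> rolesByUser) {
        return cmd -> {
            if (!rolesByUser.getOrDefault(cmd.actor, Collections.emptySet()).contains("manager"))
                throw new SecurityException(cmd.actor + " lacks role 'manager'");
        };
    }
    // Policy 2: group membership, actor and both assignees must share one team.
    static AuthorizationSession sameTeam(Map<String, String> teamByUser) {
        return cmd -> {
            String team = teamByUser.get(cmd.actor);
            // Deny by default: an actor with no known team matches nobody.
            if (team == null || !team.equals(teamByUser.get(cmd.fromUser))
                    || !team.equals(teamByUser.get(cmd.toUser)))
                throw new SecurityException(cmd.actor + " may only reassign within their team");
        };
    }
    // Stands in for the interceptor: check first, proceed only on success.
    static String execute(AuthorizationSession session, ReassignTask cmd) {
        try {
            session.checkPermission(cmd);
            return "allowed";
        } catch (SecurityException e) {
            return "denied: " + e.getMessage();
        }
    }
    public static void main(String[] args) {
        // Constructed sample identities.
        Map<String, Set<String>> roles = Map.of("alice", Set.of("manager"));
        Map<String, String> teams = Map.of("alice", "sales", "bob", "sales", "carol", "support");
        ReassignTask inTeam = new ReassignTask("bob", "bob", "alice"),
                crossTeam = new ReassignTask("alice", "bob", "carol");
        for (AuthorizationSession s : List.of(roleBased(roles), sameTeam(teams)))
            System.out.println(execute(s, inTeam) + " | " + execute(s, crossTeam));
    }
}
```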