well if you don't have a web front end for your application (and you directly managed your process via processId) you still could shield your JBPM DAO with an EJB that manages the authorization process. Otherwise you could perform authorization check inside the AssignMent handler eventually throwing an Exception if not authorized but in my opinion that's not the best choice...... View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4174530#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...