Thank you for your reply, Ronald. I am surprised to see authorization is not implemented in
jBPM. We're not using the web front end for task management, so we'll have an API
that will be called passing in a Process Instance Id and userid to signal the token to
move onwards. Is there another way to prevent unauthorized users from executing tasks
they're not authorized to? I think we need to implement authorization at the jBPM
layer because we need to prevent the following scenario.
User A (employee) creates a purchase order (Task 1)
User B (another employee at same level as user A, User A NOT allowed) to check purchase order (Task 2)
User C (manager) approves the purchase order (Task 3)
We are planning on assigning swimlanes to each of these tasks. Then we'll use the
expression assignment handler to work out that User A or B can do Task 1, and Task 2
can't be carried out by the same user as Task 1. Then Task 3 will have another swimlane
(Manager). I've seen the documentation on the expression assignment handler syntax; are
there any worked examples to view?
How would you recommend we implement this?
Thanks, Phil
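The scenario in the post above, as an added example that is not part of the original post and does not use jBPM classes: a plain-Java gate an API layer could call before signalling the token, checking swimlane membership and that Task 2 is not completed by the user who completed Task 1. The class, method, task and user names are hypothetical, the data is constructed, and userId is assumed to be the authenticated caller's identity.

```java
import java.util.*;

// Added example: plain Java, no jBPM API. All names and data are hypothetical.
public class TaskGate {
    // Swimlane -> users allowed to act in it (constructed sample data).
    static final Map<String, Set<String>> SWIMLANES = Map.of(
        "employee", Set.of("userA", "userB"),
        "manager",  Set.of("userC"));
    // Task -> swimlane that may perform it.
    static final Map<String, String> TASK_SWIMLANE = Map.of(
        "create", "employee", "check", "employee", "approve", "manager");
    // Task -> earlier task whose actor must NOT perform this one.
    static final Map<String, String> MUST_DIFFER_FROM = Map.of("check", "create");

    // processInstanceId -> (task -> user who completed it)
    private final Map<Long, Map<String, String>> history = new HashMap<>();

    /** Call before signalling the token; throws if the caller may not complete the task.
     *  Assumption: userId comes from the authenticated session, not from request input. */
    public synchronized void authorize(long processInstanceId, String task, String userId) {
        String lane = TASK_SWIMLANE.get(task);
        if (lane == null || !SWIMLANES.get(lane).contains(userId))
            throw new SecurityException(userId + " is not in the swimlane for " + task);
        Map<String, String> done = history.computeIfAbsent(processInstanceId, k -> new HashMap<>());
        String earlier = MUST_DIFFER_FROM.get(task);
        if (earlier != null) {
            String prior = done.get(earlier);
            // Fail closed: deny if the earlier actor is unknown or is the same user.
            if (prior == null || prior.equals(userId))
                throw new SecurityException(userId + " may not perform " + task + " after " + earlier);
        }
        done.put(task, userId); // record the actor only after every check passes
    }

    public static void main(String[] args) {
        TaskGate gate = new TaskGate();
        gate.authorize(1L, "create", "userA");
        try { gate.authorize(1L, "check", "userA"); }      // same user as Task 1
        catch (SecurityException e) { System.out.println("denied: " + e.getMessage()); }
        gate.authorize(1L, "check", "userB");
        try { gate.authorize(1L, "approve", "userB"); }    // not in the manager swimlane
        catch (SecurityException e) { System.out.println("denied: " + e.getMessage()); }
        gate.authorize(1L, "approve", "userC");
        System.out.println("process instance 1: all three tasks authorized");
    }
}
```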