In JBPM, If a task is assigned to the swimlane 'Boss' , a actor who is not a member of swimlane 'Boss' can end the taskinstance too . Is that right?
Then are there any authorization mechanism on task execution in JBPM?
no, just in the webapp. There is a jira issue (searhc for iand vote for it) for this to have some kind of authorization mechanism in jbpm