7 Replies Latest reply on Jul 14, 2006 3:53 PM by kazam

    Regarding Identity Management Component

    kazam

      I have been using JBPM 3.1.1 for almost a month over here and really prefer it over my previous not so BPM tool, Oracle BPEL.

      In JBPM I came across the identity management component. I found out that an application I was working on had users and roles but no group associations. The identity component model seems like an excellent model to use in that scenario.
      I wished to ask for some directions or pointers as to how to bring in permissions for roles into the JBPM identity component.

      Thanks for your time and creating a great BPM framework.

        • 1. Re: Regarding Identity Management Component
          koen.aers

          At this point introducing and checking permissions has not been a priority because in most cases this responsibility is assumed by the application (webapp, standalone app) hosting jBPM. Moreover it is very difficult to provide a generic system that does not impact performance and that satisfies every user.
          So the way to do this is to define the permissions you want to have in your system, develop your own AuthorizationService and the checkPermission method of this service, and insert calls to this service at the appropriate places in the jBPM code as this service is not yet used for the reasons stated above.

          Hope this helps,
          Koen
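
A sketch of the approach described in the reply above, added here as an example; it is not code from the thread or from jBPM. The `AuthorizationService` interface is a local stand-in declared in the example, and `TaskPermission`, `RoleAuthorizationService`, the role names and the permission names are hypothetical. Permissions are granted to roles and anything not granted is denied.

```java
import java.security.AccessControlException;
import java.security.BasicPermission;
import java.security.Permission;
import java.util.List;
import java.util.Map;
import java.util.Set;

public class AuthzDemo {
    public static void main(String[] args) {
        // Constructed sample grants: role name -> permissions held by that role.
        Map<String, List<Permission>> grants = Map.of(
            "manager", List.of(new TaskPermission("task.*")),
            "clerk", List.of(new TaskPermission("task.end")));
        AuthorizationService clerk = new RoleAuthorizationService(grants, Set.of("clerk"));
        clerk.checkPermission(new TaskPermission("task.end")); // granted, returns normally
        try {
            clerk.checkPermission(new TaskPermission("task.reassign"));
        } catch (AccessControlException e) {
            System.out.println(e.getMessage()); // not granted to any of the caller's roles
        }
    }
}

// Assumption: local stand-in for the service named in the reply, not jBPM's own type.
interface AuthorizationService {
    void checkPermission(Permission permission) throws AccessControlException;
}

// Hypothetical application permission; BasicPermission gives "task.*" wildcard matching.
final class TaskPermission extends BasicPermission {
    TaskPermission(String name) { super(name); }
}

// The caller's roles are supplied by the hosting application (webapp, standalone app).
final class RoleAuthorizationService implements AuthorizationService {
    private final Map<String, List<Permission>> grantsByRole;
    private final Set<String> callerRoles;

    RoleAuthorizationService(Map<String, List<Permission>> grantsByRole, Set<String> callerRoles) {
        this.grantsByRole = grantsByRole;
        this.callerRoles = callerRoles;
    }

    @Override
    public void checkPermission(Permission requested) {
        for (String role : callerRoles) {
            for (Permission granted : grantsByRole.getOrDefault(role, List.of())) {
                if (granted.implies(requested)) return; // first matching grant wins
            }
        }
        // Deny by default: unknown roles and ungranted permissions both end up here.
        throw new AccessControlException("denied: " + requested.getName(), requested);
    }
}
```
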

          • 2. Re: Regarding Identity Management Component
            kazam

            Thanks, Koen for your reply.
            Just out of curiosity, is there a specification on which the JBPM Identity component is based or extracted from, like portlets for instance?
            I just wish to use it to grab a better understanding of the JBPM Identity component model.
            Thanks, Kenan.

            • 3. Re: Regarding Identity Management Component
              kukeltje

              No, it is not based on any standards, just "gezond boeren verstand" (try translating that with any system ;-)) and some academic studies.

              • 4. Re: Regarding Identity Management Component
                koen.aers

                Hmm as usual, babelfish messes up: 'healthy farming verstand'. And if you specify 'gezond boerenverstand' it says: 'healthy farmer verse cog' :-)
                But indeed, it is not based on any standard. It is there for convenience and if you need something else (more or less powerful) you can easily change it... In the future we will align the identity component with the one used in JBoss Portal.

                Regards,
                Koen

                • 5. Re: Regarding Identity Management Component
                  jbpmndc

                  Because jBPM works right in the app, why have a separate authentication/authorization mechanism from the server?

                  I assume the reason the big vendors often have a separate identity component is because their implementations are often separate from the application server.

                  • 6. Re: Regarding Identity Management Component
                    koen.aers

                    The reason is that jBPM is also able to run outside of an app server, e.g. in Tomcat or in a rich client application. But to do interesting things wrt task management and task assignment, you need an identity component. So we provided a default system that is *very* easily changeable by any system provided by some 'big vendor' :-))
                    The only thing you have to do to implement this is provide your own implementation of a configurable assignment handler.

                    Regards,
                    Koen

                    • 7. Re: Regarding Identity Management Component
                      kazam

                      Thanks all.
                      I am now trying to use the jbpm identity component model to point to my application's datasource, as I already have information for users and roles in the application and wish to extend the model by including groups and memberships.

                      I am a newbie to Hibernate so I am not exactly sure if I am doing it correctly.

                      I have a user and a role table and have created a group and memberships table in my schema.

                      I have taken out the identity component's mappings from hibernate.cfg.xml and created another Hibernate configuration file and placed those mappings there, with connection properties for my application database.

                      However, I am having trouble connecting to two Oracle schemas at the same time, one for JBPM and the other for my application with JBPM_ID component tables.

                      Any ideas or directions are much appreciated.
                      Thanks, Kazam.