It could be that in a future release jBPM will also check the roles. It did this in 2.0, but it was not a major priority for 3.0.
But FYI, I would also like to add that these checks should be built into the user interface.
The UI *must* have that knowledge anyway, or otherwise the UI starts offering command options that result in "sorry, but you are not allowed to push this button"... then why show the button?!
If you put that verification in the process (which can be done), you always end up in a situation where you provide buttons that may not be clicked.
Oh, I totally agree. But in many cases (at least for the process states, tasks etc.) you can either see/execute that task or not. It is not the case that user A can only trigger transition 1 and not transition 2 on the same state, while user B can trigger both.