I faced a similar issue with jbpm 3.2 version. Though this is an older post, found this unanswered. So thought of sharing my solution, so that it helps someone.
The security constraint web.xml under <jboss_root>\default\deploy\jbpm\jsf-console.war is configured
for the role "user" only. So it throws a 403 error if the new user created in the database does not belong to the group "user".
Change it to point to the group that you created.
It has been answered more then once afaik, but the other way around. Instead of chaning the group/role in the web.xml, it was suggested to *also* add a user to the 'user' group.