The identity package in jBPM is very rudimentary and it doesn't look like it fully supports hierarchical groups yet.
Your best shot might be to bring your own implementation of the IdentityService Interface, you should look at the
IdentityServiceImpl.findGroupsByUser() method, right now it doesn't return any "sub-groups" (you called them
"functional roles") the databse table for the groups (JBPM4_ID_GROUP) already contains a link to the parent
groups... But maybe it's best to work with a "real" identity component instead of using the jBPM tables...
I'm playing with LDAP, and I'll try to develop my idea using it.
But, I would know if people with more experience working with process consider a good idea or maybe there is another configuration for manage easily users, roles/groups and process.