apache
diff --git a/‎api/kogito-api/src/main/java/org/kie/kogito/auth/SecurityPolicy.java
Lines changed: 14 additions & 5 deletions b/‎api/kogito-api/src/main/java/org/kie/kogito/auth/SecurityPolicy.java
Lines changed: 14 additions & 5 deletions
@@ -26,6 +26,8 @@
 import org.kie.kogito.internal.process.workitem.KogitoWorkItem;
 import org.kie.kogito.internal.process.workitem.NotAuthorizedException;
 import org.kie.kogito.internal.process.workitem.Policy;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 
 /**
  * Security policy that delivers <code>IdentityProvider</code> to allow to security
@@ -34,6 +36,8 @@
  */
 public class SecurityPolicy implements Policy {
 
+    private static final Logger LOGGER = LoggerFactory.getLogger(SecurityPolicy.class);
+
     private IdentityProvider identity;
 
     /**
@@ -61,6 +65,8 @@ protected SecurityPolicy(IdentityProvider identity) {
 
     @Override
     public void enforce(KogitoWorkItem workItem) {
+
+        String actualOwner = workItem.getActualOwner();
         String actualOwners = (String) workItem.getParameter("ActorId");
         String actualRoles = (String) workItem.getParameter("GroupId");
         String excludedOwner = (String) workItem.getParameter("ExcludedOwnerId");
@@ -71,11 +77,14 @@ public void enforce(KogitoWorkItem workItem) {
             List<String> roles = actualRoles != null ? List.of(actualRoles.split(",")) : new ArrayList<>();
             List<String> userRoles = new ArrayList<>(identity.getRoles());
             userRoles.retainAll(roles);
-            String actualOwner = workItem.getActualOwner();
-            if (actualOwner != null && !identity.getName().equals(actualOwner)) {
-                throw new NotAuthorizedException("this work item " + workItem.getStringId() + " is not allows by this owner" + actualOwner);
-            } else if (!owners.contains(identity.getName()) && userRoles.isEmpty()) {
-                throw new NotAuthorizedException("this work item " + workItem.getStringId() + " is not allows by this owner" + actualOwners + " or " + actualRoles);
+            LOGGER.info("enforcing identity {} and roles {} with potential owners {} and potential groups {} and exclude groups {}",
+                    identity.getName(), identity.getRoles(), owners, roles, excluded);
+            if (!owners.contains(identity.getName()) && userRoles.isEmpty()) {
+                LOGGER.error("not authorized with owner {} against identity {}", actualOwner, identity.getName());
+                throw new NotAuthorizedException("this work item " + workItem.getStringId() + " is not allows by this owner " + actualOwners + " or " + actualRoles);
+            } else if (userRoles.isEmpty() && actualOwner != null && !identity.getName().equals(actualOwner)) {
+                LOGGER.error("identity {} with roles {} not authorized in {}", identity.getName(), identity.getRoles(), roles);
+                throw new NotAuthorizedException("this work item " + workItem.getStringId() + " is not allows by this owner " + actualOwner);
             }
         }
     }