I am finally able to call the the rest web services. The last little nugget that I didn't find documented was adding password to com.netiq.rbpm.response-types in ism-configuration.properties. The rest apis also do not work for uadmin, but I'm okay with that for now. I assume it might be because of the basedn used to search for the user.

Anyways, my issue now is how do I control authorization to these REST web services? I've been testing with two different user who have different rights. Some REST services are blocked for my "standard" user, but others are not and I can't seem to find the reason. The SOAP call authorizations were controlled through config files. For example, authorization to the SOAP calls to the Role service were controlled by modifying the Role-Service-conf/config.xml file. I use the word "controlled" loosely. You can only open up particular services to only admin or all users. Access to the services really needs to be per user or group or something that allows for more fine grained control.

Does anybody know how to authorize access to individual REST web services?

Thanks.