Group level ACL

Is there a group level ACL respected in Flowable?

The below question is with reference to the Flow Pistols band example where the band members are part of the group “flowpistols” who is authorized to view/claim/act on “Book Transport for Bandgear” task.

If a user, john, is not part of the group flowpistols, will he still be able to view/claim/act on tasks of “Book transport for Bandgear”?

No, this user won’t see the tasks in his inbox nor able to complete it.
Do note that this is done in the REST logic. The java API allows this, and you’d need to add your own logic on top of it if you want something similar.