There is documentation how define users and groups that are allowed to start Process but there are no attributes or documentation for how to do that for case definition.
CMMN 1.1 specs talk about Roles but mostly for human tasks. Sentries and everything else is only evaluated when instance is created so it can not be that.
Do I need wrap case into a process just to get the user right defined for who can start the case ?
The Flowable engines only add this information as metadata (e.g. assignee, owner, participant, etc.). However, these aren’t enforced. Flowable is often used as an embeddable library and there these things are typically handled on a higher layer.
If you want to check for case start right, you’d ned to get the case definition and check if there are startable users/groups and then checks these against your own identity mgmt.
(Note that this is different in Flowable Work, where these settings are checked).