Clarify in security guide that only models from trusted sources/users should be deployed


      Acceptance Criteria (Required on creation):

      • We often get security reports (e.g. SEC-22, SEC-24) that are only vulnerabilities in Camunda if an attacker can control the BPMN deployments. Since Camunda does not provide a proper sandbox for BPMN execution (scripts, expressions, BPMN control flow allow various attacks such as DoS or remote code execution if under the control of an attacker), it is a key aspect that only trusted users/systems get access to deployment APIs.
      • The security instructions do not state that clearly enough, e.g.:
      • As a result of this ticket, we have a section explaining this clearly that we can reference in the future

      Hints (Optional):

            Assignee:
            Unassigned
            Reporter:
            Thorben Lindhauer
