diff --git a/gulliver/system/class.controller.php b/gulliver/system/class.controller.php
index 30e0d1ca7..0ee07e42a 100644
--- a/gulliver/system/class.controller.php
+++ b/gulliver/system/class.controller.php
@@ -1,10 +1,11 @@
 * @package gulliver.system
 * @access private
 */
@@ -129,6 +130,8 @@ class Controller
 if ($this->responseType == 'json') {
 print G::json_encode($result);
 }
+ } catch (RBACException $e) {
+ throw $e;
 } catch (Exception $e) {
 $result = new StdClass();
 if ($this->responseType != 'json') {
diff --git a/gulliver/system/class.httpProxyController.php b/gulliver/system/class.httpProxyController.php
index 92db8abb7..2d34ad750 100644
--- a/gulliver/system/class.httpProxyController.php
+++ b/gulliver/system/class.httpProxyController.php
@@ -1,9 +1,10 @@
 * @package gulliver.system
 * @access private
 */
@@ -39,7 +40,6 @@ class HttpProxyController
 */
 public function __set($name, $value)
 {
- //echo "Setting '$name' to '$value'\n";
 $this->__data__[$name] = $value;
 }
@@ -51,18 +51,9 @@ class HttpProxyController
 */
 public function __get($name)
 {
- //echo "Getting '$name'\n";
 if (array_key_exists($name, $this->__data__)) {
 return $this->__data__[$name];
 }
-
- /*$trace = debug_backtrace();
- trigger_error(
- 'Undefined property via __get(): ' . $name .
- ' in ' . $trace[0]['file'] .
- ' on line ' . $trace[0]['line'],
- E_USER_NOTICE);
- return null;*/
 }
 /**
@@ -72,7 +63,6 @@ class HttpProxyController
 */
 public function __isset($name)
 {
- //echo "Is '$name' set?\n";
 return isset($this->__data__[$name]);
 }
@@ -105,6 +95,9 @@ class HttpProxyController
 if (! $result) {
 $result = $this->__data__;
 }
+ } catch (RBACException $e) {
+ // If is a RBAC exception bubble up...
+ throw $e;
 } catch (Exception $e) {
 $result->success = false;
 $result->message = $result->msg = $e->getMessage();
diff --git a/workflow/engine/controllers/adminProxy.php b/workflow/engine/controllers/adminProxy.php
index 1835061af..01a8aadb4 100644
--- a/workflow/engine/controllers/adminProxy.php
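Review bot: The new `catch (RBACException $e)` in the Controller hunk at @@ -129 only intercepts the 403 if the short name resolves: the gulliver classes are not namespaced, so unless the file's first hunk (whose added line is not visible in this chunk) is `use ProcessMaker\Exception\RBACException;`, the name resolves to a non-existent `\RBACException`, PHP raises no error for an unknown class in a catch clause, and the exception falls through to the generic `catch (Exception $e)` below, which reports the denial as an ordinary error. The same applies to the matching catch in class.httpProxyController.php at @@ -105. The Controller variant also rethrows without the comment its proxy twin carries; `// authorization failures must reach the dispatcher unchanged, never be rendered as a normal error` would make the intent explicit. Where the rethrown exception is finally turned into a 403 response is outside this diff and should be confirmed before these catches are relied on.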
+++ b/workflow/engine/controllers/adminProxy.php @@ -3,33 +3,10 @@ use Illuminate\Support\Facades\Cache; use PHPMailer\PHPMailer\SMTP; use ProcessMaker\Core\System; +use ProcessMaker\Exception\RBACException; use ProcessMaker\Plugins\PluginRegistry; use ProcessMaker\Validation\ValidationUploadedFiles; -/** - * adminProxy.php - * - * ProcessMaker Open Source Edition - * Copyright (C) 2004 - 2008 Colosa Inc.23 - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License as - * published by the Free Software Foundation, either version 3 of the - * License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License - * along with this program. If not, see . - * - * For more information, contact Colosa Inc, 2566 Le Jeune Rd., - * Coral Gables, FL, 33134, USA, or email info@colosa.com. - * - */ - class adminProxy extends HttpProxyController { const hashunlink = 'unlink'; @@ -787,6 +764,14 @@ class adminProxy extends HttpProxyController */ public function getListImage($httpData) { + // Include global object RBAC + global $RBAC; + + // Check if the current user have the correct permissions to access to this resource, if not throws a RBAC Exception with code 403 + if ($RBAC->userCanAccess('PM_SETUP') !== 1 || $RBAC->userCanAccess('PM_SETUP_LOGO') !== 1) { + throw new RBACException('ID_ACCESS_DENIED', 403); + } + $uplogo = PATH_TPL . 'setup' . PATH_SEP . 'uplogo.html'; $width = "100%"; $upload = new ReplacementLogo(); diff --git a/workflow/engine/controllers/pmTablesProxy.php b/workflow/engine/controllers/pmTablesProxy.php index e009e986b..358f2ad28 100644 
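Review bot: The guard in getListImage calls `$RBAC->userCanAccess()` on a global that the method only declares with `global $RBAC;` and never checks; if it is ever unset when the proxy method runs, the result is a fatal call on null — still a denial, but a 500 with a stack trace instead of the intended 403. `if (!isset($RBAC) || $RBAC->userCanAccess('PM_SETUP') !== 1 || $RBAC->userCanAccess('PM_SETUP_LOGO') !== 1) {` keeps the fail-closed behaviour and the 403. The same seven-line block is repeated verbatim in pmTablesProxy.php, strategicDashboard.php and every methods/*.php script in this diff; a single shared helper that takes the permission list and throws the RBACException would leave one line per call site and one place to audit. Minor: the comment reads "the current user have" in every copy; "has" is intended.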
--- a/workflow/engine/controllers/pmTablesProxy.php +++ b/workflow/engine/controllers/pmTablesProxy.php @@ -3,6 +3,7 @@ use Illuminate\Support\Facades\Log; use ProcessMaker\BusinessModel\DynaForm; use ProcessMaker\Core\System; +use ProcessMaker\Exception\RBACException; use ProcessMaker\Model\AdditionalTables as AdditionalTablesModel; use ProcessMaker\Model\Dynaform as DynaformModel; use ProcessMaker\Model\ProcessVariables; @@ -26,6 +27,14 @@ class pmTablesProxy extends HttpProxyController */ public function getList($httpData) { + // Include global object RBAC + global $RBAC; + + // Check if the current user have the correct permissions to access to this resource, if not throws a RBAC Exception with code 403 + if ($RBAC->userCanAccess('PM_FACTORY') !== 1 && ($RBAC->userCanAccess('PM_SETUP') !== 1 || $RBAC->userCanAccess('PM_SETUP_PM_TABLES') !== 1)) { + throw new RBACException('ID_ACCESS_DENIED', 403); + } + $configurations = new Configurations(); $processMap = new ProcessMap(); diff --git a/workflow/engine/controllers/strategicDashboard.php b/workflow/engine/controllers/strategicDashboard.php index b0c994b4a..1a4552ce2 100644 --- a/workflow/engine/controllers/strategicDashboard.php +++ b/workflow/engine/controllers/strategicDashboard.php @@ -1,6 +1,7 @@ userCanAccess('PM_SETUP') !== 1 || $RBAC->userCanAccess('PM_SETUP_DASHBOARDS') !== 1) { + throw new RBACException('ID_ACCESS_DENIED', 403); + } + try { $this->includeExtJS('strategicDashboard/dashboardList'); if (isset($_SESSION['__StrategicDashboard_ERROR__'])) { 
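Review bot: The access condition in getList mixes `&&` and `||` over negated comparisons, so the rule it encodes — PM_FACTORY alone, or PM_SETUP together with PM_SETUP_PM_TABLES — takes a moment to recover and is easy to invert on the next edit. Stating it positively reads as the policy does: `$canAccess = $RBAC->userCanAccess('PM_FACTORY') === 1` / `    || ($RBAC->userCanAccess('PM_SETUP') === 1 && $RBAC->userCanAccess('PM_SETUP_PM_TABLES') === 1);` / `if (!$canAccess) {`. Behaviour is unchanged: the strict comparison with 1 still fails closed for any other return value of userCanAccess.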
@@ -183,6 +192,14 @@ class StrategicDashboard extends Controller public function viewDashboard() { + // Include global object RBAC + global $RBAC; + + // Check if the current user have the correct permissions to access to this resource, if not throws a RBAC Exception with code 403 + if ($RBAC->userCanAccess('PM_DASHBOARD') !== 1) { + throw new RBACException('ID_ACCESS_DENIED', 403); + } + try { if (isset($_SESSION['__StrategicDashboard_ERROR__'])) { $this->setJSVar('__StrategicDashboard_ERROR__', $_SESSION['__StrategicDashboard_ERROR__']); diff --git a/workflow/engine/methods/actionsByEmail/ActionByEmail.php b/workflow/engine/methods/actionsByEmail/ActionByEmail.php index 450b99aa7..82eb806e7 100644 --- a/workflow/engine/methods/actionsByEmail/ActionByEmail.php +++ b/workflow/engine/methods/actionsByEmail/ActionByEmail.php @@ -1,4 +1,12 @@ userCanAccess('PM_SETUP') !== 1 || $RBAC->userCanAccess('PM_SETUP_LOGS') !== 1) { + throw new RBACException('ID_ACCESS_DENIED', 403); +} + $oHeadPublisher->addExtJsScript('actionsByEmail/report', false); //adding a javascript file .js G::RenderPage('publish', 'extJs'); diff --git a/workflow/engine/methods/actionsByEmail/actionsByEmailAjax.php b/workflow/engine/methods/actionsByEmail/actionsByEmailAjax.php index da5a30bcd..609561165 100644 --- a/workflow/engine/methods/actionsByEmail/actionsByEmailAjax.php +++ b/workflow/engine/methods/actionsByEmail/actionsByEmailAjax.php @@ -1,4 +1,12 @@ userCanAccess('PM_SETUP') !== 1) { + throw new RBACException('ID_ACCESS_DENIED', 403); +} + // General Validations if (!isset($_REQUEST['action'])) { $_REQUEST['action'] = ''; diff --git a/workflow/engine/methods/authenticationSources/index.php b/workflow/engine/methods/authenticationSources/index.php index 305ea013a..5d6568ea0 100644 --- a/workflow/engine/methods/authenticationSources/index.php +++ b/workflow/engine/methods/authenticationSources/index.php 
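Review bot: viewDashboard requires only PM_DASHBOARD while the earlier StrategicDashboard hunk requires PM_SETUP together with PM_SETUP_DASHBOARDS; if that asymmetry is intentional (viewing a dashboard versus administering the list), a one-line comment on the check such as `// viewing needs PM_DASHBOARD only; administration is gated by PM_SETUP_DASHBOARDS` would stop a later "harmonisation" from widening or narrowing one of them by accident. Placing the check before the method's `try` is right, since it keeps the 403 away from any generic catch inside the method; the rest of that try/catch is outside the hunk.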
@@ -1,5 +1,15 @@ userCanAccess('PM_USERS') !== 1 || $RBAC->userCanAccess('PM_SETUP_USERS_AUTHENTICATION_SOURCES') !== 1) { + throw new RBACException('ID_ACCESS_DENIED', 403); +} + global $G_PUBLISH; $G_PUBLISH = new Publisher(); try { diff --git a/workflow/engine/methods/enterprise/addonsStore.php b/workflow/engine/methods/enterprise/addonsStore.php index 469b77b9a..9e487b7a7 100644 --- a/workflow/engine/methods/enterprise/addonsStore.php +++ b/workflow/engine/methods/enterprise/addonsStore.php @@ -1,6 +1,15 @@ userCanAccess('PM_SETUP_ADVANCE') !== 1 || $RBAC->userCanAccess('PM_SETUP_PLUGINS') !== 1) { + throw new RBACException('ID_ACCESS_DENIED', 403); +} AddonsStore::checkLicenseStore(); diff --git a/workflow/engine/methods/enterprise/addonsStoreAction.php b/workflow/engine/methods/enterprise/addonsStoreAction.php index bd66c230c..0476cc01c 100644 --- a/workflow/engine/methods/enterprise/addonsStoreAction.php +++ b/workflow/engine/methods/enterprise/addonsStoreAction.php @@ -1,10 +1,19 @@ userCanAccess('PM_SETUP_ADVANCE') !== 1 || $RBAC->userCanAccess('PM_SETUP_PLUGINS') !== 1) { + throw new RBACException('ID_ACCESS_DENIED', 403); +} + function runBgProcessmaker($task, $log) { require_once(PATH_CORE . "bin/tasks/cliAddons.php"); diff --git a/workflow/engine/methods/enterprise/processMakerAjax.php b/workflow/engine/methods/enterprise/processMakerAjax.php index 26c3e6900..dfc3637a0 100644 --- a/workflow/engine/methods/enterprise/processMakerAjax.php +++ b/workflow/engine/methods/enterprise/processMakerAjax.php @@ -1,6 +1,15 @@ userCanAccess('PM_SETUP_ADVANCE') !== 1) { + throw new RBACException('ID_ACCESS_DENIED', 403); +} ini_set("max_execution_time", 0); diff --git a/workflow/engine/methods/events/eventsAjax.php b/workflow/engine/methods/events/eventsAjax.php index 9dbbb8e73..30e308637 100644 --- a/workflow/engine/methods/events/eventsAjax.php +++ b/workflow/engine/methods/events/eventsAjax.php 
@@ -1,5 +1,14 @@ userCanAccess('PM_SETUP') !== 1 || $RBAC->userCanAccess('PM_SETUP_LOGS') !== 1) { + throw new RBACException('ID_ACCESS_DENIED', 403); +} + $req = (isset($_POST['request']))? $_POST['request']:((isset($_REQUEST['request']))? $_REQUEST['request'] : 'No hayyy tal'); require_once 'classes/model/Content.php'; diff --git a/workflow/engine/methods/processes/processesList.php b/workflow/engine/methods/processes/processesList.php index 7d23e841f..65a551ee3 100644 --- a/workflow/engine/methods/processes/processesList.php +++ b/workflow/engine/methods/processes/processesList.php @@ -8,9 +8,18 @@ * @link https://wiki.processmaker.com/3.2/Processes */ +use ProcessMaker\Exception\RBACException; use ProcessMaker\Model\Process; use ProcessMaker\Util\DateTime; +// Include global object RBAC +global $RBAC; + +// Check if the current user have the correct permissions to access to this resource, if not throws a RBAC Exception with code 403 +if ($RBAC->userCanAccess('PM_FACTORY') !== 1) { + throw new RBACException('ID_ACCESS_DENIED', 403); +} + require_once 'classes/model/Process.php'; $start = isset($_POST['start']) ? $_POST['start'] : 0; diff --git a/workflow/engine/methods/scheduler/index.php b/workflow/engine/methods/scheduler/index.php index 0b870e7f0..e9fec89bf 100755 --- a/workflow/engine/methods/scheduler/index.php +++ b/workflow/engine/methods/scheduler/index.php @@ -1,6 +1,15 @@ userCanAccess('PM_TASK_SCHEDULER_ADMIN') !== 1) { + throw new RBACException('ID_ACCESS_DENIED', 403); +} try { global $G_PUBLISH; diff --git a/workflow/engine/methods/setup/appCacheViewAjax.php b/workflow/engine/methods/setup/appCacheViewAjax.php index b03c2f180..95b95c63e 100644 --- a/workflow/engine/methods/setup/appCacheViewAjax.php +++ b/workflow/engine/methods/setup/appCacheViewAjax.php 
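Review bot: processesList.php (and the other methods/*.php scripts in this diff) now `throw new RBACException(...)` at file scope, so the exception leaves the script through whatever includes it; the diff only teaches Controller and HttpProxyController to pass RBACException through, and the dispatcher that includes methods/*.php is not part of this change. If that dispatcher wraps the include in a `catch (Exception $e)` of its own, the 403 is downgraded to a generic error there, which should be confirmed. In these scripts `global $RBAC;` is a no-op at top level and only matters when the file is required from inside a function; harmless, but worth a short comment so nobody removes it as dead code.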
@@ -1,6 +1,15 @@ userCanAccess('PM_SETUP_ADVANCE') !== 1 || $RBAC->userCanAccess('PM_SETUP_CASES_LIST_CACHE_BUILDER') !== 1) { + throw new RBACException('ID_ACCESS_DENIED', 403); +} $filter = new InputFilter(); $_POST = $filter->xssFilterHard($_POST); diff --git a/workflow/engine/methods/setup/auditLogAjax.php b/workflow/engine/methods/setup/auditLogAjax.php index 049a3a1b5..ca6d102c5 100644 --- a/workflow/engine/methods/setup/auditLogAjax.php +++ b/workflow/engine/methods/setup/auditLogAjax.php @@ -1,7 +1,16 @@ userCanAccess('PM_SETUP') !== 1 || $RBAC->userCanAccess('PM_SETUP_LOGS') !== 1) { + throw new RBACException('ID_ACCESS_DENIED', 403); +} + $auditLog = new AuditLog(); $auditLog->setUserLogged($_SESSION["USER_LOGGED"]); diff --git a/workflow/engine/methods/setup/cronAjax.php b/workflow/engine/methods/setup/cronAjax.php index 7bf5e46a3..d568f5b9f 100644 --- a/workflow/engine/methods/setup/cronAjax.php +++ b/workflow/engine/methods/setup/cronAjax.php @@ -1,6 +1,15 @@ userCanAccess('PM_SETUP') !== 1 || $RBAC->userCanAccess('PM_SETUP_LOGS') !== 1) { + throw new RBACException('ID_ACCESS_DENIED', 403); +} $option = isset($_REQUEST["option"]) ? $_REQUEST["option"] : null; diff --git a/workflow/engine/methods/setup/environmentSettingsAjax.php b/workflow/engine/methods/setup/environmentSettingsAjax.php index 3c85f7673..788585089 100644 --- a/workflow/engine/methods/setup/environmentSettingsAjax.php +++ b/workflow/engine/methods/setup/environmentSettingsAjax.php 
@@ -1,10 +1,14 @@ - * @date Sept 13th, 2010 - * - */ + +use ProcessMaker\Exception\RBACException; + +// Include global object RBAC +global $RBAC; + +// Check if the current user have the correct permissions to access to this resource, if not throws a RBAC Exception with code 403 +if ($RBAC->userCanAccess('PM_SETUP') !== 1 || $RBAC->userCanAccess('PM_SETUP_ENVIRONMENT') !== 1) { + throw new RBACException('ID_ACCESS_DENIED', 403); +} $request = isset( $_POST["request"] ) ? $_POST["request"] : (isset( $_GET["request"] ) ? $_GET["request"] : null); $result = new stdclass(); diff --git a/workflow/engine/methods/setup/language_Ajax.php b/workflow/engine/methods/setup/language_Ajax.php index 985039106..7e41260ea 100644 --- a/workflow/engine/methods/setup/language_Ajax.php +++ b/workflow/engine/methods/setup/language_Ajax.php @@ -1,5 +1,15 @@ userCanAccess('PM_SETUP_ADVANCE') !== 1 || $RBAC->userCanAccess('PM_SETUP_LANGUAGE') !== 1) { + throw new RBACException('ID_ACCESS_DENIED', 403); +} + try { $filter = new InputFilter(); $_POST = $filter->xssFilterHard($_POST); diff --git a/workflow/engine/methods/setup/loginSettingsAjax.php b/workflow/engine/methods/setup/loginSettingsAjax.php index 0d3a7c2d3..3873297b1 100644 --- a/workflow/engine/methods/setup/loginSettingsAjax.php +++ b/workflow/engine/methods/setup/loginSettingsAjax.php @@ -1,4 +1,15 @@ userCanAccess('PM_SETUP') !== 1 || $RBAC->userCanAccess('PM_SETUP_LOGIN') !== 1) { + throw new RBACException('ID_ACCESS_DENIED', 403); +} + $request = isset($_REQUEST['request']) ? $_REQUEST['request'] : null; switch ($request) { diff --git a/workflow/engine/methods/userExtendedAttributes/index.php b/workflow/engine/methods/userExtendedAttributes/index.php index e3d5bd298..f5aeff5b4 100644 --- a/workflow/engine/methods/userExtendedAttributes/index.php +++ b/workflow/engine/methods/userExtendedAttributes/index.php 
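Review bot: The environmentSettingsAjax.php hunk removes ` * @date Sept 13th, 2010`, ` *` and ` */`, i.e. the tail of a docblock, but the hunk's opening lines (the `/**` and whatever precedes `@date`) are not visible in this chunk; if the opener is not removed in the same hunk, the file is left with an unterminated comment that swallows the new `use` line and the RBAC check, which would be a syntax error rather than a silent bypass. Worth confirming against the full patch before merging.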
@@ -1,10 +1,18 @@ userCanAccess('PM_USERS') !== 1) { + throw new RBACException('ID_ACCESS_DENIED', 403); +} + global $G_PUBLISH; $G_PUBLISH = new Publisher(); try {