1. Process Instance contains variables (Process instance variable scope)
2. A user is granted a READ_VARIABLES permission for all tasks.
The user tries to fetch the variables for this process instance, they do not see the variables.
The variables are retrieved. Test case 
When we build the query, the variable table is left joined to the authorization table like this:
- the AUTH.RESOURCE_ID_ IN part is hardcoded 
- the different resource types are not coupled to the specific id to which they are joined. In other words: the join must be based on resource_id in and resource type permissions.
This is not the only place where this situation exists: