How can I deny to start process via API?

Hello everyone.

I have an issue. 

Is there any possibilaties to deny start process via API if user isn't an actor initiator group?

User can't star process from Bonita User Application, but API alow me to start it via ../API/bpm/process/<ID>/instantiation

Is there any way to fix it? 

Hello
Use Custom Javascript to decide if User is allowed or not.
Return true or false.
Disable the Submit Button based on Javascript.

 

Regards

thanks for your response. But user still have possibilities to run process directly.. for examle via Postman or browser. Is there any opportunities to deny it on bonita engine. Maybe in Enterprise Version? 

thanks in advance