After RHPAM-2449, security (based on required roles) is performed only on process operations, but REST APIs are responding with an internal error (500) instead of forbidden (403).
Add also annotations for Swagger.