Subject comes from the javax.security package
and SimpleGroup from org.jboss.security package
when you retrieve the Subject, you can manipulate as you want, if it's not read only.
in the portlet, it's not.
cpage > this is not necessary to see changes after change a role. If u want do it u should set (by jmx-console) a time for a JBossSX cache. You enter to jaasSecurityManager, and set time to 0. Then a user will have a new role without waiting.