I think I understand what your requirement is, but we'll see ;)
What JBossPortal offers you is role based access control for portlets, portlet instances, portlet windows, pages and portals. So each one of them or any combination , can define security constraints that tie a role and actions to the portal object (the page, window, ....)
In other words: to achieve what I think you are trying to get to , you can define a page that has all the 'privileged' information and functions on it, and secure that via a constraint that allows only a certain role the view action, or you could keep the page open to everyone, and secure only individual portlets on the page (which would show a 'access denied' message in the protected portlets)
In effect what you are saying is correct with one exception: I want to be able to add/remove portlets from the portal at runtime so that joe-normal-user would not even see the admin portlet.
Use case scenario:
Dr. Researcher has technicians working for him who are neanderthals, so they are not to see anything other than a screen that allows them to enter incoming blood sample barcodes. In this case, they do not see *anything* else (i.e. no portlet window decorations at all) other than the DataEntryPortlet in their browser after logging into the web application.
Conversely, Dr. Researcher wants the ability to add and remove technicians from the system, as well as modify the supported barcode types used by incoming tissue samples so he would have full access to the BarcodeSupportPortlet and the UserPortlet, as well as the DataEntryPortlet.
Taking it even a step further, Mr. Admin may need the ability to reconfigure portlet availability if suddenly there becomes a Super Technician role versus just the plain vanilla Technician role, in which case the Super Techs also get access to the BarcodeSupportPortlet.
Essentially what I am asking for is run-time portal configuration as opposed to design-time configurations.