I found the answer to this, even though this just satisfied part of my problem. To render the tabs/pages and/or portlets based on the user's roles:
1. In *-object.xml
1.1 Under the security-constraint tag, list all possible usernames who can access this portal
    <security-constraint>
      <policy-permission>
        <role-name>User</role-name>
        <action-name>view</action-name>
      </policy-permission>
      <policy-permission>
        <role-name>Admin</role-name>
        <action-name>view</action-name>
      </policy-permission>
    </security-constraint>
1.2 Then, under each tag, you should list the name of the users who can view this page
    <security-constraint>
      <policy-permission>
        <role-name>Admin</role-name>
        <action-name>view</action-name>
      </policy-permission>
    </security-constraint>
The Admin username above can view all of the portlets defined for this page.
2. To restrict which portlets should be seen by this Admin user, in the portal-instances.xml, do the same security setup as above for each portlet instance
    <deployment>
      <instance>
        <instance-id>HelloWorldPortletInstance</instance-id>
        <portlet-ref>HelloWorldPortlet</portlet-ref>
        <security-constraint>
          <policy-permission>
            <role-name>Admin</role-name>
            <action-name>view</action-name>
          </policy-permission>
        </security-constraint>
      </instance>
    </deployment>
With the code above, when the Admin user logs in to that page, if there is more than one portlet besides the HelloWorldPortlet, he only sees the HelloWorldPortlet.
Hope this will help others who are looking for the same answer.
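Added example, not from this thread or from the JBoss Portal project: a small Python checker that reads descriptors shaped like the fragments in the post and reports, per page window, which roles end up able to view it under the rule the post describes (a role needs view on the page and view on the referenced portlet instance). It also flags instances that declare no view permission and page roles that were never granted view at portal level. The two descriptors are constructed samples; element names the post does not show (portal-name, page, page-name, window, window-name, instance-ref) are assumed from the JBoss Portal 2.x *-object.xml layout, and the "no instance constraint means nobody sees it" reading is taken from the post, so check both against your own deployment.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the *-object.xml fragments in the post (not a real deployment).
OBJECT_XML = """<portal>
  <portal-name>default</portal-name>
  <security-constraint>
    <policy-permission><role-name>User</role-name><action-name>view</action-name></policy-permission>
    <policy-permission><role-name>Admin</role-name><action-name>view</action-name></policy-permission>
  </security-constraint>
  <page>
    <page-name>admin</page-name>
    <security-constraint>
      <policy-permission><role-name>Admin</role-name><action-name>view</action-name></policy-permission>
    </security-constraint>
    <window><window-name>HelloWorldWindow</window-name><instance-ref>HelloWorldPortletInstance</instance-ref></window>
    <window><window-name>ReportWindow</window-name><instance-ref>ReportPortletInstance</instance-ref></window>
  </page>
  <page>
    <page-name>audit</page-name>
    <security-constraint>
      <policy-permission><role-name>Auditor</role-name><action-name>view</action-name></policy-permission>
    </security-constraint>
    <window><window-name>ReportWindow2</window-name><instance-ref>ReportPortletInstance</instance-ref></window>
  </page>
</portal>"""

# Constructed sample modelled on the portal-instances.xml fragment in the post.
INSTANCES_XML = """<deployment>
  <instance>
    <instance-id>HelloWorldPortletInstance</instance-id>
    <portlet-ref>HelloWorldPortlet</portlet-ref>
    <security-constraint>
      <policy-permission><role-name>Admin</role-name><action-name>view</action-name></policy-permission>
    </security-constraint>
  </instance>
  <instance>
    <instance-id>ReportPortletInstance</instance-id>
    <portlet-ref>ReportPortlet</portlet-ref>
  </instance>
</deployment>"""


def view_roles(node):
    """Roles granted the 'view' action by the security-constraint directly under node.
    Returns None when the node declares no security-constraint at all."""
    sc = node.find("security-constraint")
    if sc is None:
        return None
    roles = set()
    for perm in sc.findall("policy-permission"):
        role = (perm.findtext("role-name") or "").strip()
        actions = {(a.text or "").strip() for a in perm.findall("action-name")}
        if role and "view" in actions:
            roles.add(role)
    return roles


def instance_roles(instances_xml):
    """Map instance-id -> roles with view on that instance (None if it has no constraint)."""
    root = ET.fromstring(instances_xml)
    return {inst.findtext("instance-id").strip(): view_roles(inst) for inst in root.iter("instance")}


def audit(object_xml, instances_xml):
    """Return (findings, effective). effective maps (page, window) -> roles that can see the
    window: view on the page AND view on the referenced instance, as the post describes."""
    root = ET.fromstring(object_xml)
    instances = instance_roles(instances_xml)
    findings, effective = [], {}
    for portal in root.iter("portal"):  # iter() includes the root element itself
        portal_roles = view_roles(portal) or set()
        for page in portal.findall("page"):
            pname = page.findtext("page-name").strip()
            page_roles = view_roles(page)
            if page_roles is None:
                findings.append(f"page {pname}: no security-constraint, inherits portal roles {sorted(portal_roles)}")
                page_roles = portal_roles
            for role in sorted(page_roles - portal_roles):
                findings.append(f"page {pname}: role {role} has page view but no portal view")
            for window in page.findall("window"):
                wname = window.findtext("window-name").strip()
                ref = window.findtext("instance-ref").strip()
                if ref not in instances:
                    findings.append(f"window {pname}/{wname}: unknown instance {ref}")
                    effective[(pname, wname)] = set()
                elif instances[ref] is None:
                    findings.append(f"window {pname}/{wname}: instance {ref} declares no view permission")
                    effective[(pname, wname)] = set()
                else:
                    effective[(pname, wname)] = page_roles & instances[ref]
    return findings, effective


if __name__ == "__main__":
    findings, effective = audit(OBJECT_XML, INSTANCES_XML)
    for key, roles in sorted(effective.items()):
        print(f"{key[0]}/{key[1]}: {sorted(roles) or 'nobody'}")
    for line in findings:
        print("WARN", line)
```

Running it on the samples shows HelloWorldWindow visible to Admin only, both report windows visible to nobody because ReportPortletInstance grants no view, and a warning that the Auditor role is used on a page without being granted view at portal level. Point `audit()` at your real descriptors after each change to the role lists so that a portlet you meant to expose (or hide) does not silently end up the other way round.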
Any idea if this role-level access to portlets can be set up at a more granular user level? Making it role-based like you have illustrated can be achieved declaratively, since roles do not get added that often. However, user-level access can be implemented only through a more dynamic database or LDAP lookup, I believe. Say for example I have two users in my system, both of whom are mapped to the Admin role. However, I want to restrict one of the admins from viewing certain portlets. One may think that creating a new role is the option. Fair enough if the role were only "Admin", because the number of admins is usually limited, but the moment you want to implement it for the role "User" the solution does not scale.
Any thoughts on how one can achieve this?
It sounds like you want two users with the same role to be able to see different portlets. I don't know if you'll be able to do this, since you need to state the portlets and their users upfront in the *-object.xml.
Would there be a profile setup option for each user existing in JBoss Portal? If there is, that's something you should look at. If you do find this, let me know, because I am interested in this as well.