...
The first type is done by assigning portlet management permissions to a given Liferay role and assigning members (groups/users) to that role from the underlying LDAP. We did not want to do that as that has more to do with the portal administration side and as a result, much more specific to Liferay. However, the second model directly deals with the business functions. It was decided that this is a better option and it is used in a finnfine-grained manner.
Even the second model can be done with Liferay's roles and permission. Whenever you want to render something in the portlet that requires some restricted audience, before rendering that you need to call req.isUserInRole("roleNme"). This is compliant with the JSR too. The following are the disadvantages:
...